What Is an SPF Record?
A Sender Policy Framework (SPF) record is a DNS TXT record that tells receiving mail servers which IP addresses and mail servers are authorized to send email on behalf of your domain. When an email arrives, the recipient's server checks your SPF record to verify the sender is legitimate — helping prevent spoofing and phishing attacks.
Before You Begin
Before creating your SPF record, gather the following information:
- The IP addresses of all servers that send mail for your domain
- The hostnames of any third-party sending services (e.g., Google Workspace, Mailchimp, SendGrid)
- Access to your domain's DNS management panel
Understanding SPF Record Syntax
An SPF record is a single TXT record published in DNS. Here is a simple example:
v=spf1 include:_spf.google.com ip4:203.0.113.5 ~allLet's break down each part:
- v=spf1 — Declares this as an SPF version 1 record (required)
- include:_spf.google.com — Authorizes all IPs listed in Google's SPF record
- ip4:203.0.113.5 — Authorizes a specific IPv4 address
- ~all — A "softfail" for any sender not listed (recommended for most setups)
Common SPF Mechanisms
| Mechanism | Description | Example |
|---|---|---|
| ip4 | Authorizes an IPv4 address or range | ip4:192.0.2.0/24 |
| ip6 | Authorizes an IPv6 address or range | ip6:2001:db8::/32 |
| include | Imports another domain's SPF record | include:sendgrid.net |
| a | Authorizes the domain's A record IP | a |
| mx | Authorizes the domain's MX record IPs | mx |
SPF Qualifiers Explained
Each mechanism can be prefixed with a qualifier that controls how a match is handled:
- + (Pass) — The sender is authorized (default, usually omitted)
- - (Fail) — The sender is NOT authorized; reject the message
- ~ (SoftFail) — The sender is probably not authorized; accept but mark
- ? (Neutral) — No policy statement; treat as if no SPF record exists
Step-by-Step: Creating Your SPF Record
- Identify all your sending sources. List every service and server that sends email as your domain.
- Build your SPF string. Combine the appropriate mechanisms for each sender.
- Log in to your DNS provider (e.g., Cloudflare, GoDaddy, Route 53).
- Create a new TXT record with the host set to
@(or your domain name). - Paste your SPF record as the value and save.
- Wait for DNS propagation — this typically takes a few minutes to 48 hours.
- Test your record using an SPF checker tool to confirm it's valid.
Important Limitations to Know
- 10-lookup limit: SPF allows a maximum of 10 DNS lookups per check. Exceeding this causes a PermError.
- One SPF record per domain: Having multiple TXT records with
v=spf1will cause validation failures. - SPF doesn't cover forwarding: When email is forwarded, the original sender's SPF may fail. This is where DKIM and DMARC become essential.
Next Steps
Once your SPF record is live and tested, consider implementing DKIM (for message signing) and DMARC (for policy enforcement). Together, these three protocols form the foundation of modern email authentication.