Home › Glossary › SPF

SPF

SPF (Sender Policy Framework) is an email-authentication standard. It lets a domain owner publish, in DNS, a list of IPs and providers that are authorized to send mail on the domain's behalf. Receiving servers can then check whether incoming mail came from one of those authorized senders.

Where it lives

SPF is published as a TXT record at the apex of the domain (e.g., example.com). The record starts with v=spf1. Example: v=spf1 include:_spf.google.com -all.

How it's evaluated

When mail arrives, the receiver looks at the envelope-from address (the MAIL FROM, not necessarily the visible From header), fetches the SPF record for its domain, and checks whether the connecting server's IP matches any of the mechanisms (IPs, includes, MX hosts, etc.). The result is one of: pass, fail, softfail, neutral, or none.

Worked example: hitting the 10-lookup limit

Your record starts simple: v=spf1 include:_spf.google.com -all. That's 1 lookup. Then you add Mailchimp (include:servers.mcsv.net) — Mailchimp's record itself does 3 more lookups internally, so you're at 5. HubSpot adds another include: that itself nests 4 includes — you're at 10. Add Salesforce on top and you've blown the limit. Receivers see SPF return permerror. SPF stops authenticating all your mail — not just Salesforce.

The fix is "SPF flattening": tools like dmarcian, EasyDMARC, or NextDNS resolve the nested includes into a static list of IPs and republish a single non-nested record. Tradeoff: you have to refresh the flattened record when your providers change IPs (usually monthly).

Common pitfalls

• You can only have one SPF record per domain. Multiple v=spf1 TXT records is a permanent error.
• ~all vs -all: tilde is softfail (mark as suspicious), hyphen is hard fail (reject). Start with softfail, move to hard fail once you've verified all your senders are accounted for.
• SPF doesn't survive forwarding. If someone forwards mail you sent, the forwarder's IP isn't in your SPF, so SPF fails. DMARC + DKIM are needed to handle that.
• SPF authenticates the envelope, not the From header. A spammer can pass SPF on a domain they own while spoofing your domain in the visible From. DMARC is what plugs that gap by requiring alignment between SPF/DKIM and the visible From.

Verify on WhereIsDNS

Run the SPF check on your domain. It looks up the apex TXT record and shows the SPF line across all 14 resolvers. If 14/14 agree, your record is published consistently. To audit the 10-lookup count, run the resulting record through a flattening tool — WhereIsDNS shows you what's published, not what's expanded.

Related: DKIM · DMARC · TXT lookup.