Short answer. SPF (Sender Policy Framework) is a DNS TXT record that lists the servers allowed to send mail for your domain. It starts with v=spf1, contains mechanisms (include, a, mx, ip4) and ends with a qualifier — ~all (softfail) or -all (hardfail). A domain may have only one SPF record.
Why SPF matters
Without SPF, anyone can send mail claiming your domain in the sender address. SPF gives the recipient mail server a list of allowed IPs so it can verify whether the sending server is legitimate. It is the first line of defense against forgery and a key deliverability signal.
SPF record syntax
example.com. IN TXT "v=spf1 include:_spf.google.com ip4:203.0.113.10 ~all"
# Check:
dig txt example.com
# or shorter:
dig +short txt example.com
SPF mechanisms
- v=spf1 — required version at the start.
- include:domain — pulls in another provider's SPF (Google, Mailgun).
- a — allows IPs from the domain's A record.
- mx — allows IPs from the domain's MX records.
- ip4 / ip6 — an explicit address or subnet.
- all — the final mechanism, applied to everything else.
~all vs -all: the difference
| Qualifier | Name | Action on fail | When to use |
|---|---|---|---|
| -all | hardfail | Reject the message | When you are sure every sender is listed |
| ~all | softfail | Accept but mark suspicious | During setup and testing |
| ?all | neutral | No action | Nearly useless, not recommended |
| +all | pass | Allow everyone | Dangerous — opens the domain to forgery |
Start with ~all and collect DMARC reports. Once you confirm every legitimate source passes SPF, switch to -all for strict protection.
Common mistakes
- Multiple SPF records — only one TXT with v=spf1 is allowed, otherwise it is a permerror.
- Exceeding the 10 DNS-lookup limit — too many includes. See how to fix.
- No final all — the record is incomplete and receivers interpret it differently.
- Accidental +all — effectively disables protection.
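The four mistakes listed above can be checked mechanically. The following Python linter is an added example, not code from the original page or from enterno.io: it reads TXT strings from an in-memory dictionary instead of querying DNS, and the `.example` names, the `ZONE` data and the function names are constructed for illustration. It follows include and redirect into nested records, because their lookups count toward the same limit of 10.

```python
import re
# Terms that each cost one DNS query toward the limit of 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10
# Constructed sample data: name -> TXT strings, standing in for live DNS answers.
ZONE = {
    "good.example": ["v=spf1 include:_spf.mail.example ip4:203.0.113.10 ~all"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 mx -all"],
    "two.example": ["v=spf1 mx ~all", "v=spf1 ip4:203.0.113.10 ~all"],
    "open.example": ["v=spf1 mx +all"],
    "noall.example": ["site-verification=constructed", "v=spf1 a mx"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:p{i}.example" for i in range(11)) + " -all"],
}

def spf_only(txt_records):
    """Keep only the TXT strings that are SPF records (first token is v=spf1)."""
    return [t for t in txt_records if t.lower().split(" ")[0] == "v=spf1"]

def terms(record):
    """Yield (qualifier, name, value) for each term after the version tag."""
    for term in record.lower().split()[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:=/]", body, maxsplit=1)[0]
        yield qualifier, name, body[len(name) + 1:]

def count_lookups(domain, zone, seen=()):
    """Count lookup-causing terms, following include/redirect into other records."""
    records = spf_only(zone.get(domain, []))
    if domain in seen or len(records) != 1:   # loop guard; unresolved names add nothing
        return 0
    total = 0
    for _, name, value in terms(records[0]):
        if name in LOOKUP_TERMS:
            nested = name in ("include", "redirect")
            total += 1 + (count_lookups(value, zone, seen + (domain,)) if nested else 0)
    return total

def lint_spf(domain, zone):
    """Return the list of mistakes found in the SPF setup of `domain`."""
    records = spf_only(zone.get(domain, []))
    if len(records) != 1:
        return ["multiple SPF records (permerror)"] if records else ["no SPF record"]
    parsed, problems = list(terms(records[0])), []
    if any(q == "+" and n == "all" for q, n, _ in parsed):   # bare "all" also means +all
        problems.append("+all allows every sender")
    if not any(n in ("all", "redirect") for _, n, _ in parsed):
        problems.append("no final all")
    if count_lookups(domain, zone) > LOOKUP_LIMIT:
        problems.append(f"over the limit of {LOOKUP_LIMIT} DNS lookups")
    return problems
```

A record that ends in a redirect modifier instead of all is not flagged, since the redirected record supplies the final result.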
SPF checks the envelope domain (MAIL FROM), not the visible From header. So SPF alone does not stop spoofing of the visible From address — you need DKIM and DMARC on top.
How enterno.io helps with SPF
The /email-check tool parses your SPF record, shows every mechanism, counts DNS lookups and highlights problems: duplicates, the lookup-limit overrun, a missing all. That is faster than reading the record by hand. MX-lookup shows which servers actually receive mail, so you do not forget them in SPF. enterno only diagnoses; the TXT record in the zone is edited by the domain owner. Free: 48+ tools and a DNS check.
FAQ
Can I have two SPF records?
No. There must be exactly one TXT record with v=spf1. Combine multiple sources into one record using extra include mechanisms.
How do ~all and -all differ in practice?
With ~all a suspicious message is usually delivered to spam; with -all it is rejected at receipt. Strict -all is stronger against forgery but riskier if a sender is missing.
Do I need SPF if I have DKIM?
Yes. DMARC requires at least one of SPF or DKIM to pass with domain alignment. Best practice is to configure both.
Check your SPF: run /email-check and confirm the record is correct. See also the 10-lookup limit and DKIM setup.