Skip to content

SPF: Definition and Use Cases

TL;DR:

SPF (Sender Policy Framework) is a DNS TXT record where the domain owner declares which IPs are allowed to send email on their behalf. Example: "v=spf1 include:_spf.google.com ~all". Receiving mail servers check SPF and flag letters as spam on mismatch. Protects against email spoofing and phishing.

Check your site →

What is SPF

SPF (Sender Policy Framework) is a DNS TXT record where the domain owner declares which IPs are allowed to send email on their behalf. Example: "v=spf1 include:_spf.google.com ~all". Receiving mail servers check SPF and flag letters as spam on mismatch. Protects against email spoofing and phishing.

Check SPF online

Open Enterno.io tool →

Understanding SPF Record Syntax

The syntax of an SPF record is crucial for its proper functioning. An SPF record is typically defined as a single line of text in the DNS zone file of your domain. It begins with the version identifier, followed by mechanisms and modifiers. The basic syntax is as follows:

v=spf1 [mechanisms] [modifiers]

Here's a breakdown of the components:

  • v=spf1: This indicates the version of SPF being used. Currently, only spf1 is valid.
  • Mechanisms: These determine which IP addresses are allowed to send emails on behalf of the domain. Common mechanisms include:
    • ip4:
      : Allows a specific IPv4 address.
    • ip6:
      : Allows a specific IPv6 address.
    • include:: Allows the IPs specified by another domain's SPF record.
    • all: Matches any sender. Often used as the last mechanism.
  • Modifiers: These provide additional information about the SPF record:
    • exp=: Specifies a custom error message.
    • redirect=: Redirects to another domain's SPF record.

For example, an SPF record might look like this:

v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all

This record allows emails from the specified IP range and any IPs listed in _spf.example.com, while rejecting all others.

Common SPF Record Misconfigurations

Misconfiguring your SPF record can lead to significant issues, including email delivery failures and increased vulnerability to spoofing. Here are some common misconfigurations to be aware of:

  • Too Many DNS Lookups: SPF records are limited to 10 DNS lookups. If your SPF record includes too many include mechanisms or uses the redirect modifier, you may exceed this limit, causing legitimate emails to be marked as invalid.
  • Incorrect IP Addresses: Ensure that the IP addresses listed in your SPF record are accurate. If you change email service providers, you must update your SPF record accordingly.
  • Using 'all' Incorrectly: The all mechanism should be used wisely. For example, using ~all (soft fail) instead of -all (hard fail) can allow some unauthorized senders, which may increase the risk of spoofing.
  • Not Including All Sending Sources: If you use third-party services for sending emails (like marketing platforms), ensure you include their SPF records. Failing to do so can result in undelivered emails.

To troubleshoot SPF issues, use online SPF validators that can help analyze your record and highlight potential problems. Regularly review and update your SPF record to adapt to changes in your email sending infrastructure.

Practical Example: Configuring an SPF Record

Configuring an SPF record involves editing your domain's DNS settings. Below is a step-by-step guide to creating an SPF record:

  1. Identify Your Email Sending Sources: List all the IP addresses and third-party services that send emails on behalf of your domain.
  2. Construct Your SPF Record: Use the mechanisms discussed previously to form your SPF record. For example, if you send emails from your server at 192.0.2.1 and use mailchimp.com for marketing emails, your record might look like this:
  3. v=spf1 ip4:192.0.2.1 include:servers.mcsv.net -all
  4. Add the SPF Record to Your DNS: Access your domain registrar or DNS hosting provider. Navigate to the DNS management section and add a new TXT record with the following details:
    • Name: Your domain name (e.g., example.com).
    • Type: TXT.
    • Value: Your constructed SPF record (e.g., v=spf1 ip4:192.0.2.1 include:servers.mcsv.net -all).
  5. Save Changes: Save the new record and allow time for DNS propagation, which may take up to 48 hours.
  6. Test Your SPF Record: Use online tools like MXToolbox or Kitterman SPF Validator to check if your SPF record is correctly configured and validate its syntax.

By following these steps, you can effectively configure an SPF record that helps protect your domain from email spoofing and improves email deliverability.

SPF + DKIM + DMARCFull email protection triad check
Antispam StatusBlacklist check
MX ConfigurationCorrect mail server configuration
Email ScoreEmail deliverability score

Why teams trust us

MX
MX record check
SMTP
SMTP verification
SPF
SPF + DKIM + DMARC
Free
no signup

How it works

1

Enter email address

2

Check MX + SMTP

3

Get validity verdict

Why check email settings?

Proper SPF, DKIM, and DMARC configuration directly impacts email deliverability. Without these records, your emails land in spam or are rejected before delivery.

SPF Check

SPF record correctness: syntax, allowed server list, fail mechanism.

DKIM Analysis

Presence and validity of DKIM signature for the specified selector.

DMARC Policy

DMARC record parsing: policy, rua/ruf reports, SPF and DKIM alignment.

Email Score

Numerical delivery readiness score with improvement recommendations.

Who uses this

Email marketers

mailing list verification

Developers

registration validation

Sales

CRM contact check

Sysadmins

mail delivery troubleshooting

Common Mistakes

Missing SPF recordWithout SPF, emails from your domain are treated as potential spoofing.
SPF with ?all instead of -all?all means "neutral" — that's not protection. Use -all.
DMARC without policyp=none only collects reports. Move to p=quarantine or p=reject.
Not reading DMARC reportsDMARC generates reports on all emails. Analyze them to find unauthorized sending.

Best Practices

Deploy SPF → DKIM → DMARC sequentiallySPF first, then DKIM, then DMARC. Each step must work before moving to the next.
Start DMARC with p=noneCollect reports for 2–4 weeks, ensure all legitimate mail passes, then tighten policy.
Add rua report addressrua=mailto:dmarc@yourdomain.com — receive weekly aggregate reports.
Check after changing providerWhen changing hosting or ESP, always update SPF and DKIM keys.

Get more with a free account

Email check history and API keys for service integration.

Sign up free

Learn more

Frequently Asked Questions

Do I need SPF?

If you work with web infrastructure or APIs, almost certainly yes. See the article above for specific use cases.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.