Authentication

SPF (Sender Policy Framework)

An email authentication method that specifies which servers can send email for your domain.

Definition

SPF (Sender Policy Framework) is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. This is done through a DNS TXT record that lists approved sending servers by IP address or hostname. When receiving servers get an email, they check the SPF record to verify the sender is legitimate. SPF was designed to prevent email spoofing by ensuring only authorized servers can send email on your behalf.

Why It Matters

SPF is one of the three pillars of email authentication (alongside DKIM and DMARC). Without SPF, your emails are more likely to be marked as spam or rejected entirely. Spammers often forge sender addresses to impersonate legitimate brands, and SPF helps recipients verify that your emails actually come from authorized servers. Major email providers like Gmail and Outlook check SPF and penalize emails that fail.

How It Works

When you send an email, the receiving server extracts your domain from the envelope sender (Return-Path) and queries DNS for your SPF record. It then checks whether the sending server's IP is listed in that record. The record can include specific IPs (ip4:), IP ranges, other domains to include (include:), and mechanisms like 'a' or 'mx'. The record ends with an 'all' term whose qualifier (-all means reject unauthorized, ~all means soft fail, ?all means neutral) tells receivers what to do with unauthorized emails.

Example

Here is an SPF record for a company using Google Workspace and Sequenzy:

example.com TXT "v=spf1 include:_spf.google.com include:spf.sequenzy.com -all"

Breaking it down:

  • v=spf1 declares this is an SPF record
  • include:_spf.google.com authorizes Google's servers
  • include:spf.sequenzy.com authorizes Sequenzy's sending infrastructure
  • -all means reject any email from servers not listed

When Gmail receives an email from this domain, it checks if the sending IP matches Google's or Sequenzy's authorized servers.

Best Practices

  1. Include all your email sending services in your SPF record
  2. Keep your SPF record under 10 DNS lookups to avoid PermError failures
  3. Use -all (hard fail) once you have verified all legitimate senders are included
  4. Regularly audit your SPF record when changing email providers
  5. Test your SPF record with online validators before publishing
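
The lookup limit and the one-record-per-domain rule can be checked mechanically before publishing. The Python below is an added example, not code from this glossary or from any tool it mentions: it counts worst-case DNS lookups (every lookup term, nested includes included, even though a real receiver stops at the first match) against a constructed table of TXT records instead of live DNS. The record contents given for `_spf.google.com`, `spf.sequenzy.com` and `blocks.example.net` are invented for illustration.

```python
import re

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=](\S+))?")

# Constructed zone data standing in for DNS; not the providers' real records.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:spf.sequenzy.com -all"],
    "_spf.google.com": ["v=spf1 include:blocks.example.net ~all"],
    "blocks.example.net": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "spf.sequenzy.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
}

class PermError(Exception):
    """Permanent SPF error: receivers cannot evaluate the record."""

def spf_record(domain, txt):
    """Return the single SPF record for domain; zero or several is an error here."""
    found = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise PermError(f"{domain}: expected 1 SPF record, found {len(found)}")
    return found[0].lower()

def audit(domain, txt, chain=()):
    """Return (worst-case DNS lookups, result of this record's own 'all' term)."""
    if domain in chain:
        raise PermError(f"include loop at {domain}")
    lookups, all_result = 0, "neutral"  # neutral is the default without 'all'
    for term in spf_record(domain, txt).split()[1:]:
        match = TERM.match(term)
        if not match:
            raise PermError(f"{domain}: cannot parse term {term!r}")
        qual, name, arg = match.groups()
        if name == "all":
            all_result = QUALIFIER[qual or "+"]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect") and arg:
            lookups += audit(arg, txt, chain + (domain,))[0]  # nested lookups count too
    return lookups, all_result

def check(domain, txt):
    """Audit domain and enforce the 10-lookup limit described above."""
    lookups, all_result = audit(domain, txt)
    if lookups > 10:
        raise PermError(f"{domain}: {lookups} DNS lookups, limit is 10")
    return lookups, all_result
```

Calling `check("example.com", SAMPLE_TXT)` returns the lookup count and the effect of the final 'all' term; a record with too many includes, or a domain with two SPF records, raises `PermError`.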

Frequently Asked Questions

Create a TXT record in your DNS with your domain's authorized senders. A basic SPF record looks like: 'v=spf1 include:_spf.google.com include:sendgrid.net -all'. Replace the includes with your actual email providers. You can only have one SPF record per domain.

SPF PermError usually means your SPF record has more than 10 DNS lookups (each 'include' and some other mechanisms count as lookups), contains syntax errors, or has multiple SPF records. Use SPF flattening tools to reduce lookups and validate your record syntax.

No, you should only have one SPF record per domain. Multiple SPF records cause validation failures. Combine all your authorized senders into a single record using 'include' mechanisms.