← Blog
What Is SPF (Sender Policy Framework)?

By DMARCdrift Team

What Is SPF (Sender Policy Framework)?

4 min readspfemail-authenticationdnsemail-deliverability

SPF is a DNS-based way to tell the world which servers are allowed to send email on behalf of your domain. When someone receives an email claiming to be from your domain, their mail server can check your SPF record to verify the sender's IP is actually on your allowlist.

That's it. But the details matter; especially what SPF actually protects and what it doesn't.

How SPF works

SPF lives as a TXT record at your domain root. Here's what a real one looks like:

v=spf1 include:_spf.google.com include:amazonses.com ~all

That record says: "SPF version 1 is in effect. Mail from Google's servers and Amazon SES's servers is authorized. Everything else gets a soft fail."

When a receiving mail server gets an inbound email, it does this:

  1. Extracts the envelope sender (the SMTP MAIL FROM address, also called the Return-Path). This is different from the visible From: header you see in your email client.
  2. Looks up the domain in that Return-Path and fetches the SPF record.
  3. Checks whether the sending server's IP address matches any of the mechanisms in that record.
  4. Decides what to do based on the final mechanism (~all, -all, ?all, or +all).

The critical thing: SPF validates the envelope sender domain, not the visible From: header. A phisher can put your domain in the From: field and fail SPF on a completely different domain. This is why SPF alone doesn't stop spoofing. DMARC ties the two together.

SPF mechanisms

The most common mechanisms you'll see:

include:domain.com; Delegate SPF responsibility to another domain. Commonly used with ESPs. include:_spf.google.com means "Gmail's SPF record says what IPs are allowed."

ip4:1.2.3.4; Authorize a specific IPv4 address.

ip4:1.2.3.0/24; Authorize an IP range (CIDR notation). Useful for mail servers you control.

a; Authorize the domain's A record IP. If your mail server's A record points to 5.6.7.8, that IP passes SPF.

mx; Authorize the domain's MX record IPs. If your MX points to mail.example.com, that hostname's IP passes SPF.

Each mechanism can have a prefix that changes the outcome: + (pass), - (fail), ~ (soft fail), ? (neutral). The + is default if no prefix is given.

Qualifiers: what happens when SPF fails

The last mechanism in your SPF record is critical:

~all (soft fail); "Everything else is not explicitly authorized, but I'm not sure about it yet." Deliver the message anyway, but flag it. Most people use this when getting SPF right.

-all (hard fail); "Everything else is forbidden." A receiving server may reject the message outright or quarantine it.

?all (neutral); "I have no opinion." Receiving servers will ignore SPF and check other signals.

+all (pass everything); Never use this. It defeats the entire purpose of SPF.

The DNS lookup limit

SPF has a hard limit: 10 DNS lookups per SPF check. Each include:, a, and mx mechanism costs one lookup.

Why does this matter? If you chain multiple include: statements or have complex SPF configurations, you can hit this limit. When you do, SPF evaluation stops and returns a PermError (permanent error). That's treated as SPF failure.

Example of how you'd hit the limit:

v=spf1 include:domain1.com include:domain2.com include:domain3.com include:domain4.com include:domain5.com include:domain6.com include:domain7.com include:domain8.com include:domain9.com include:domain10.com ~all

If any of those included domains have their own includes, you blow past 10 lookups. Your mail will fail SPF.

See the SPF flattening guide for how to restructure SPF records to stay under the limit.

Why SPF alone isn't enough

SPF checks the envelope sender. A phisher can send mail with their own envelope sender (so it passes their SPF) but put your domain in the From: header. A receiving server sees the legitimate From: but doesn't know the actual sender was different.

This is exactly the kind of spoofing DMARC prevents by tying the visible From: domain to either SPF or DKIM alignment.

How to check your SPF record

Use the SPF Record Checker to see what your domain's SPF configuration looks like. Paste your domain, and the tool will show you the record, parse each mechanism, and flag any issues like syntax errors or lookup count warnings.

You can also check it manually with a DNS lookup:

dig example.com TXT | grep spf

Or with nslookup:

nslookup -type=TXT example.com

Use the SPF Record Checker to validate your domain's SPF configuration right now.