What is an SPF record and how do you set one up?

Published on June 17, 2026 (7 min read)

What is an SPF record and how does it work? Learn how an SPF record in your DNS stops spoofing and keeps your email out of the spam folder.

An SPF record is a short line in your DNS that defines which mail servers are allowed to send email on behalf of your domain. Receiving servers use that line to check whether a message really comes from you and not from a spammer abusing your domain name. In this article you will learn what an SPF record is, how it works, how to set one up yourself and which mistakes to avoid.

What is an SPF record?

SPF stands for Sender Policy Framework. It is an open standard, defined in RFC 7208, that helps prevent sender forgery (spoofing) and spam. With an SPF record you publish a list of IP addresses and servers in your DNS that are allowed to send email using your domain as the sender.

Technically, an SPF record is a specially formatted TXT record in your DNS zone. One thing is important to know: only one SPF record per domain is allowed. If there are several, the receiver cannot evaluate the check and returns an error (a PermError), and your policy no longer counts.

Why is an SPF record important?

Without sender verification, almost anyone can send email that shows your domain as the sender. That makes phishing and spoofing easy. An SPF record gives receiving mail servers a reliable way to verify that a message comes from an approved server.

SPF also plays a major role in your email deliverability. Mail servers trust authenticated messages more. If SPF is missing or set up incorrectly, your email ends up in the spam folder more quickly or gets rejected. SPF is therefore a fixed part of solid email security.

The major providers now treat it as a requirement. Since February 2024, Gmail and Yahoo require senders to have at least SPF or DKIM in place, and Microsoft followed in 2025 for Outlook and Hotmail. Bulk senders that send more than roughly 5,000 messages per day must have SPF, DKIM and DMARC all in order.

How does an SPF record work?

When a mail server receives a message, it roughly goes through these steps:

  1. The server reads the envelope sender of the message. That is the Return-Path (also called MAIL FROM), not necessarily the visible From address you see in your mail program.
  2. It looks up the SPF record in the DNS of that sender domain.
  3. It compares the IP address of the sending server with the list in the SPF record.
  4. Based on that, it returns a result, for example pass (allowed) or fail (not allowed).

Because SPF looks at the envelope sender and not at the visible From address, a sender can sometimes still forge that visible address. That is why you combine SPF with DKIM and DMARC, which do take the visible sender address into account.

What does an SPF record look like?

An SPF record is a single line of text that always begins with the version tag v=spf1, followed by one or more parts (mechanisms) and a closing all rule. A simple example:

v=spf1 ip4:192.0.2.0/24 include:_spf.example.com ~all

If you use Google Workspace for your email, for instance, the line often looks like this:

v=spf1 include:_spf.google.com ~all

Common mechanisms

Each mechanism describes a group of servers that is allowed to send. The most common ones are:

Common SPF mechanisms and their meaning

| Mechanism | Meaning |
|---|---|
| ip4 / ip6 | A specific IP address or range that is allowed to send. |
| a | The IP addresses from the domain's A and AAAA records. |
| mx | The servers from the domain's MX records. |
| include | Points to the SPF policy of another party, for example your hosting provider or Google. |
| all | Closes the record and decides what happens to senders that are not in the list. |

The all rule: -all or ~all

For the all mechanism you add a qualifier that sets how strict you are:

  • -all (hardfail): anything not in your list fails hard and is usually rejected.
  • ~all (softfail): such messages are marked as suspicious, but usually not rejected.
  • ?all (neutral): no judgement.
  • +all: allows everyone and should never be used.

A safe approach is to start with ~all while you test, and switch to -all once you are sure your list of senders is complete.
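The check described under "How does an SPF record work?", together with the qualifiers above, can be traced in a few lines. This is an added example, not code from the original article: it handles only ip4, ip6, include and all, and the ZONE dictionary, its domains and its addresses are constructed sample data standing in for real DNS lookups.

```python
import ipaddress

# Constructed TXT data standing in for DNS; domains and addresses are sample values.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 -all"],
    "two.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, zone=ZONE):
    """Evaluate ip against the domain's SPF record (ip4, ip6, include, all only)."""
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"              # several SPF records: check cannot be evaluated
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, arg = body.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return RESULT[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, zone)
            if inner in ("none", "permerror"):
                return "permerror"
            if inner == "pass":         # only a pass inside the include is a match
                return RESULT[qualifier]
        else:
            raise NotImplementedError(f"{name} is outside this example's scope")
    return "neutral"                    # nothing matched and the record has no all term


def check_mail(client_ip, mail_from, zone=ZONE):
    """Steps 1-4: take the domain from the envelope sender, then evaluate the IP."""
    return check_host(client_ip, mail_from.rpartition("@")[2].lower(), zone)
```

Note that a -all inside an included record does not reject the message by itself: the include simply does not match, and the outer record's own all rule decides the result.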

Setting up an SPF record

You set up an SPF record in four steps:

  1. Map out which services send email on behalf of your domain: your mail server and hosting provider, but also a newsletter tool, web shop or CRM system.
  2. Build a single line that starts with v=spf1 and covers all those senders, usually with include for external services and ip4 for your own servers.
  3. Close it with ~all while testing, or with -all once you are sure the list is correct.
  4. Publish the line as a single TXT record at the root of your domain and wait for the change to spread through DNS (propagation).

Then test with a sample message to another mailbox, or with an online SPF checker, and confirm that the result is pass.

Common mistakes

A few mistakes come up often. This table helps you recognize and fix them:

Common SPF problems and solutions

| Problem | Cause | Solution |
|---|---|---|
| PermError | Multiple SPF records on the same domain. | Merge everything into one SPF record. |
| Too many DNS lookups | More than ten DNS lookups in your record. | Reduce the number of include, a and mx parts. |
| Legitimate mail fails | A sender is missing from the list. | Add the missing server or service. |
| Spoofing still possible | SPF only, without DKIM and DMARC. | Set up DKIM and DMARC as well. |

Pay particular attention to the limit of ten DNS lookups. The parts include, a, mx, ptr, exists and the redirect modifier all count toward it. If you go over ten, the check returns a PermError. The ptr mechanism is also discouraged because it is slow and unreliable.
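A small linter makes the mistakes above easy to catch before publishing a record. This is an added example, not code from the original article: it flags multiple records, an all rule that allows everyone, and a worst-case count of more than ten lookup terms across nested includes. The ZONE dictionary and every name in it are constructed sample data standing in for DNS, and the extra address lookups a receiver performs for each mx host are not counted.

```python
# Constructed TXT data standing in for DNS; every name and address is a sample value.
ZONE = {
    "shop.example": ["v=spf1 a mx include:_spf.mail.example "
                     "include:_spf.news.example include:_spf.crm.example ~all"],
    "_spf.mail.example": ["v=spf1 a mx include:_pool.mail.example ~all"],
    "_pool.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.news.example": ["v=spf1 a:send.news.example mx:news.example ~all"],
    "_spf.crm.example": ["v=spf1 exists:%{i}.allow.crm.example ~all"],
    "legacy.example": ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 ip4:198.51.100.5 +all"],
    "ok.example": ["site-verification=constructed", "v=spf1 ip4:192.0.2.0/24 -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # plus the redirect modifier
LIMIT = 10


def spf_records(domain, zone):
    """TXT strings on the domain that are SPF records (start with v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following include and redirect."""
    if domain in path:          # include loop: stop instead of recursing forever
        return 0
    total = 0
    for record in spf_records(domain, zone)[:1]:
        for term in record.lower().split()[1:]:
            body = term.lstrip("+-~?")
            if body.startswith("redirect="):
                total += 1 + count_lookups(body[9:], zone, path + (domain,))
                continue
            name, _, target = body.partition(":")
            name = name.partition("/")[0]       # "a/24" and "mx/24" are still a and mx
            if name in LOOKUP_TERMS:
                total += 1
            if name == "include":
                total += count_lookups(target, zone, path + (domain,))
    return total


def lint(domain, zone=ZONE):
    """Return the list of problems found for the domain's SPF setup."""
    records = spf_records(domain, zone)
    findings = [] if records else ["no-spf-record"]
    if len(records) > 1:
        findings.append("multiple-records")     # receivers return PermError
    if any(t in ("all", "+all") for r in records for t in r.lower().split()):
        findings.append("allows-everyone")      # +all (or bare all) passes any sender
    if count_lookups(domain, zone) > LIMIT:
        findings.append("too-many-lookups")     # more than ten: PermError
    return findings
```

The top-level record for shop.example contains only five lookup terms, but the includes it pulls in bring the total to eleven, which is why the count has to follow nested records.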

SPF, DKIM and DMARC together

SPF is one of the three pillars of modern email security, but it is not a complete solution on its own. An important limitation is that SPF can fail with forwarded email: an intermediate server then sends your message from an IP address that is not in your SPF record.

That is why you complement SPF with DKIM and DMARC. DKIM adds a digital signature to your messages that survives forwarding. DMARC ties SPF and DKIM to the visible sender address and tells receivers what to do with failed checks. Many receivers also look at a correct PTR record (reverse DNS) for the sending IP address. This is separate from the ptr mechanism mentioned earlier and is in fact recommended.

With a correct SPF record you take an important first step toward reliable email and less spoofing. Combine it with DKIM and DMARC for the best protection. Still stuck? Get in touch with support.

Frequently asked questions

Is an SPF record mandatory?

It is not a legal requirement, but in practice it is almost indispensable. Major providers such as Gmail, Yahoo and Microsoft have expected senders to set up SPF since 2024 and 2025, and DKIM and DMARC as well at higher volumes. Without SPF, your email ends up in spam more quickly or gets rejected.

Can I have multiple SPF records?

No. Only one SPF record per domain is allowed. If you have several senders, merge them into one line with multiple include and ip4 parts. Multiple separate SPF records lead to a PermError, which makes the check fail.

What do ~all and -all mean?

The all rule decides what happens to senders that are not in your list. With ~all (softfail), such messages are marked as suspicious but usually still delivered. With -all (hardfail), they are rejected. Start with ~all and switch to -all once you are sure your list is complete.

What is the difference between SPF, DKIM and DMARC?

SPF defines which servers may send on behalf of your domain. DKIM adds a digital signature to your messages. DMARC ties both to the visible sender address and tells receivers what to do with failed checks. Together they form the basis of modern email security.

Why does SPF sometimes fail for forwarded email?

SPF checks the IP address of the sending server against the envelope sender. When a message is forwarded, an intermediate server sends it on, and that IP address is usually not in your SPF record. As a result, SPF can fail. DKIM and DMARC partly make up for this.

How do I check whether my SPF record is correct?

Send a sample message to another mailbox and look at the SPF result (pass or fail) in the message headers, or use an online SPF checker. If you see a PermError, that often points to multiple records or too many DNS lookups.
