SPF — Sender Policy Framework
Standard that declares which mail servers are permitted to send email on behalf of your domain.
What is SPF
SPF (Sender Policy Framework) is one of the three core email authentication standards. It lets you declare, via a DNS TXT record, which mail servers (IP addresses) are authorised to send email on behalf of your domain. When a mail server receives a message, it queries the SPF record of the domain in the "From" field and checks whether the sending IP is on the list. If not, the message may be considered spoofed.
How it works
SPF is published as a TXT record at the apex of your domain. The receiving server performs a DNS query, reads the SPF record, retrieves the list of permitted IPs (directly or via include:), and compares it against the IP that delivered the email.
Each mechanism carries a qualifier that decides the result when it matches:
- + or nothing — Pass (allowed)
- ~ — SoftFail (possibly suspicious, but accept it)
- - — Fail (reject it)
- ? — Neutral (no opinion expressed)
Example SPF record
example.com. IN TXT "v=spf1 include:_spf.google.com include:mailgun.org ip4:203.0.113.5 ~all"
This means:
- Accept Google Workspace servers as legitimate
- Accept Mailgun servers
- Accept the IP 203.0.113.5
- Anyone else → SoftFail (~all)
Common mistakes
- Multiple SPF records on the same domain — forbidden by the standard. Merge them.
- More than 10 DNS lookups (via include:, a:, mx:) — causes a PermError and is treated as a fail.
- Using +all — allows the entire internet to send on your behalf. Never use this.
- Missing SPF — mail servers have no way to know who is a "legitimate" sender → lower deliverability.
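The evaluation described under "How it works" and the two PermError conditions from the list above, as an added example (not code from the original page): a minimal SPF checker for ip4:, include: and all, run against a constructed in-memory DNS table so it works offline. The zone data, the hop*.example chain and the two-records.example domain are assumptions built for the demonstration; only the example.com record mirrors the page.

```python
import ipaddress

# Constructed DNS zone data standing in for real TXT lookups (assumption, so
# the example runs offline). example.com mirrors the record shown on this page.
DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:mailgun.org ip4:203.0.113.5 ~all"],
    "_spf.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "mailgun.org": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "two-records.example": ["v=spf1 ip4:203.0.113.9 -all", "v=spf1 -all"],
}
# A chain of includes longer than the limit, to exercise the lookup counter.
for i in range(12):
    DNS_TXT[f"hop{i}.example"] = [f"v=spf1 include:hop{i + 1}.example -all"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10


def spf_records(domain):
    """All TXT strings at the domain that start with v=spf1."""
    return [t for t in DNS_TXT.get(domain, []) if t.lower().startswith("v=spf1")]


def check_spf(domain, sender_ip, lookups=None):
    """Return pass / fail / softfail / neutral / none / permerror for one IP."""
    lookups = lookups if lookups is not None else [0]   # shared counter
    records = spf_records(domain)
    if not records:
        return "none"
    if len(records) > 1:            # multiple SPF records: PermError
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:        # skip the v=spf1 tag
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
        elif mech.startswith("include:"):
            lookups[0] += 1                    # each include: costs a lookup
            if lookups[0] > MAX_LOOKUPS:       # more than 10: PermError
                return "permerror"
            inner = check_spf(mech[8:], sender_ip, lookups)
            if inner in ("permerror", "none"): # broken include is fatal
                return "permerror"
            if inner == "pass":                # include: matches only on Pass
                return QUALIFIERS[qual]
    return "neutral"                # nothing matched and no "all" present
```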
SPF alone is not enough. It should always be combined with DKIM and DMARC for complete protection.