
SPF Best Practices

Optimize your SPF records for maximum security and deliverability. Expert strategies for qualifiers, lookup management, and long-term maintenance.


1. Use the Right "all" Qualifier

The all mechanism is the catch-all at the end of the record; its qualifier decides the result for any sender that matched nothing before it. That choice sets how much protection the record gives and how much legitimate mail it can hurt.

-all (Fail)

v=spf1 include:_spf.google.com -all

Recommended for production. Tells receivers that any source not listed is unauthorized; with a DMARC reject policy this is what gets spoofed mail rejected.

Maximum security
Prevents domain spoofing (together with DMARC)
Can block legitimate email if a sending source is missing from the record, and plainly forwarded mail fails SPF regardless, so pair it with DKIM

~all (SoftFail)

v=spf1 include:_spf.google.com ~all

Recommended while rolling out. Tells receivers the sender is probably not authorized; most still deliver, possibly with a spam-score penalty. Note that DMARC treats softfail as a non-pass, so under a DMARC policy ~all enforces almost as strictly as -all.

Safe for initial deployment
Won't block legitimate email
Less protection against spoofing at receivers that act on SPF alone, without DMARC

?all (Neutral)

v=spf1 include:_spf.google.com ?all

Not recommended. Says nothing either way about unlisted sources.

No protection
Treated by receivers like having no record at all (RFC 7208 requires neutral to be handled like none); it is also the default result when a record has no all term

+all (Pass)

v=spf1 include:_spf.google.com +all

NEVER use. Allows anyone to send email from your domain.

Security vulnerability
Enables domain spoofing
Recommendation

Start with ~all for 2-4 weeks, watch DMARC aggregate reports for legitimate sources that fail, then move to -all for production security.

2. Stay Under 10 DNS Lookups

RFC 7208 allows at most 10 DNS-querying terms per evaluation (include, a, mx, ptr, exists and the redirect modifier; ip4, ip6 and all cost nothing), and lookups inside nested includes count toward the same budget. Exceeding it yields PermError: receivers cannot evaluate the record, DMARC sees no SPF pass, and mail without an aligned DKIM signature is treated as unauthenticated, which under a DMARC reject policy means rejection.

Quick Checklist:

Count nested includes: an include costs one lookup for itself plus every lookup inside the record it pulls in. Typical figures quoted are Google = 3 lookups, Microsoft = 2, SendGrid = 1, but vendor records change without notice, so verify with a checker rather than trusting a table
Remove unused mechanisms: delete mx, a, ptr, or old ESP includes you no longer send through (ptr is deprecated and should never be used)
Use ip4:/ip6: when possible: static addresses and ranges don't count as lookups
Leave headroom: target 7-8 lookups max, not 10, so a vendor adding a nested include does not push you into PermError
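The two points above, the qualifier on all and the 10-lookup budget, are easiest to see in a small evaluator. The following is an added example, not code from this page or from any SPF library: a toy subset of RFC 7208's check_host() that walks a constructed in-memory DNS table (every domain, record and address in it is made up), matches ip4/ip6 for real, follows include and redirect, charges each DNS-querying term against the shared budget, and raises PermError for more than 10 lookups or for duplicate records. The a, mx, ptr and exists mechanisms are counted but treated as no-match, since they would need live DNS.

```python
"""Toy SPF evaluator (RFC 7208 check_host() subset) over a constructed DNS table.

Added example, not code from the page. Shows (1) how the qualifier on "all"
decides the result for a sender that matched nothing, and (2) how include, a,
mx, ptr, exists and redirect each spend one of the 10 permitted DNS lookups,
with PermError beyond that (the same cap is what stops an include loop).
"""
import ipaddress

MAX_DNS_LOOKUPS = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT data, domain -> list of TXT records (not real DNS answers).
DNS = {
    "example.com": ["v=spf1 include:_spf.mailer.example ip4:192.0.2.0/24 -all"],
    "_spf.mailer.example": [
        "v=spf1 include:_net1.mailer.example include:_net2.mailer.example ~all"],
    "_net1.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_net2.mailer.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "softfail.example": ["v=spf1 ip4:192.0.2.10 ~all"],
    "twice.example": ["v=spf1 -all", "v=spf1 ~all"],        # two records: PermError
    "loop.example": ["v=spf1 include:loop.example -all"],   # loop: stopped by the cap
}


class PermError(Exception):
    """Permanent error: the record cannot be evaluated (RFC 7208 section 2.6)."""


def spf_record(domain, dns):
    """Return the single SPF record for domain, or None if there is none."""
    records = [r for r in dns.get(domain, []) if r.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return None   # result "none": a subdomain does not inherit its parent's record
    if len(records) > 1:
        raise PermError(f"{domain}: {len(records)} SPF records published")
    return records[0]


def parse_term(term):
    """Split '-include:x' into ('-', 'include', 'x'); modifiers use '=' instead."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    sep = "=" if "=" in term.split(":", 1)[0] else ":"
    name, _, arg = term.partition(sep)
    return qualifier, name.lower(), arg


def check_host(ip, domain, dns, counter=None):
    """Evaluate sender ip against domain; return (result, lookups_used)."""
    counter = counter if counter is not None else [0]   # shared across includes
    record = spf_record(domain, dns)
    if record is None:
        return "none", counter[0]
    sender = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier, name, arg = parse_term(term)
        if name in LOOKUP_TERMS:
            counter[0] += 1
            if counter[0] > MAX_DNS_LOOKUPS:
                raise PermError(f"{domain}: more than {MAX_DNS_LOOKUPS} DNS lookups")
        if name in ("ip4", "ip6"):
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub, _ = check_host(ip, arg, dns, counter)
            if sub == "none":
                raise PermError(f"include:{arg} has no SPF record")
            matched = sub == "pass"           # only a pass inside the include matches
        elif name == "all":
            matched = True
        elif name == "redirect":
            redirect = arg                    # applies only if nothing else matches
            continue
        else:
            matched = False                   # a/mx/ptr/exists: would need live DNS
        if matched:
            return QUALIFIERS[qualifier], counter[0]
    if redirect:
        return check_host(ip, redirect, dns, counter)
    return "neutral", counter[0]              # no "all" term at all: default is neutral


def evaluate(ip, domain, dns=DNS):
    """Like check_host() but folds PermError into the result tuple."""
    try:
        return check_host(ip, domain, dns)
    except PermError as exc:
        return "permerror", str(exc)


if __name__ == "__main__":
    for ip, domain in [("192.0.2.5", "example.com"), ("203.0.113.9", "example.com"),
                       ("203.0.113.9", "softfail.example"), ("203.0.113.9", "twice.example"),
                       ("203.0.113.9", "loop.example")]:
        print(f"{ip:>12} {domain:<20} -> {evaluate(ip, domain)}")
```

Two details are worth noticing when you run it: an include only matches when the included record returns pass, so the ~all inside _spf.mailer.example never leaks a softfail into example.com's result, and the lookup counter is shared across the whole evaluation, which is why loop.example ends in PermError rather than a hang.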

3. Use Subdomains Strategically

Separate different email types across subdomains to isolate lookup counts and improve organization.

Recommended Subdomain Strategy:

example.com (primary domain)

Corporate email (Google Workspace, Microsoft 365)

v=spf1 include:_spf.google.com -all

3 lookups

marketing.example.com (marketing subdomain)

Marketing emails (SendGrid, Mailchimp)

v=spf1 include:sendgrid.net include:servers.mcsv.net -all

2 lookups (isolated)

app.example.com (app subdomain)

Transactional emails (Postmark, AWS SES)

v=spf1 include:spf.mtasv.net include:amazonses.com -all

2 lookups (isolated)

Benefit: the 10 lookup limit applies per record evaluated, so each subdomain gets its own budget; three records give 30 lookups in total. Two caveats: SPF is checked against the envelope sender (RFC5321.MailFrom) domain, so this only works when each service is configured to use that subdomain as its return-path, and every sending subdomain needs its own record, because a subdomain without one returns none rather than inheriting the parent's. Under the default relaxed DMARC alignment (aspf=r), an SPF pass for marketing.example.com still aligns with a From address at example.com.

4. Keep SPF Records Simple and Readable

Good Example

v=spf1 include:_spf.google.com include:sendgrid.net -all
  • Clear and concise
  • Only necessary mechanisms
  • Easy to audit

Bad Example

v=spf1 mx a include:_spf.google.com include:old-esp.com include:unused.net ip4:192.0.2.1 ip4:192.0.2.2 ~all
  • Cluttered and long
  • Unused mechanisms (mx, a, old ESPs)
  • Hard to maintain

5. Document Your SPF Configuration

Maintain documentation of your SPF setup for easier troubleshooting and team handoffs.

What to Document:

Current SPF Record
v=spf1 include:_spf.google.com include:sendgrid.net -all

Last updated: 2025-01-15 | DNS Lookups: 4/10

Email Service Providers
  • Google Workspace - include:_spf.google.com (3 lookups)
  • SendGrid - include:sendgrid.net (1 lookup)
Change History
  • 2025-01-15: Removed Mailchimp (no longer used)
  • 2024-12-01: Added SendGrid for marketing
  • 2024-10-10: Moved to -all from ~all (production ready)

6. Monitor SPF Performance Regularly

Monthly Checklist:

Check DNS lookup count

ESPs can add nested includes without notice

Review DMARC aggregate reports

Identify SPF failures and unauthorized senders

Test email delivery

Send test emails from all services to major providers

Audit authorized senders

Remove unused ESPs and old includes
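The DMARC aggregate review in the checklist above is where SPF failures and unknown senders actually show up. The following is an added example, not code from this page: it parses a constructed aggregate (RUA) report in the standard XML schema (every IP, count and domain in it is made up) and sorts each source into aligned SPF pass, SPF pass for some other domain (typically an ESP's bounce domain, so not aligned with the From domain), SPF PermError, or outright SPF failure, then lists the sources that also lack a DKIM pass, since those are the ones the published policy will act on.

```python
"""Summarise SPF outcomes from a DMARC aggregate (RUA) report.

Added example, not code from the page. The report below is constructed in the
standard aggregate XML schema; all names, addresses and counts are made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>20250115.1</report_id>
    <date_range><begin>1736899200</begin><end>1736985600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><p>reject</p><sp>none</sp><aspf>r</aspf>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounces.esp.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>85</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.33</source_ip><count>20</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>permerror</result></spf></auth_results>
  </record>
</feedback>
"""


def classify(record):
    """Label one <record> by its SPF outcome."""
    row = record.find("row")
    ip = row.findtext("source_ip")
    count = int(row.findtext("count"))
    policy_spf = row.findtext("policy_evaluated/spf")     # aligned SPF, as DMARC sees it
    policy_dkim = row.findtext("policy_evaluated/dkim")
    spf_auth = record.find("auth_results/spf")
    raw_result = spf_auth.findtext("result") if spf_auth is not None else "none"
    if policy_spf == "pass":
        category = "spf_aligned_pass"
    elif raw_result in ("permerror", "temperror"):
        category = "spf_error"             # broken record: lookup cap, duplicates, syntax
    elif raw_result == "pass":
        category = "spf_unaligned"         # passed for the bounce domain, not the From domain
    else:
        category = "spf_fail"              # not authorized by the checked SPF record
    return {"ip": ip, "count": count, "category": category, "dkim": policy_dkim}


def summarize(xml_text):
    """Return per-category message counts and the sources that need attention."""
    root = ET.fromstring(xml_text)
    rows = [classify(r) for r in root.findall("record")]
    totals = {}
    for r in rows:
        totals[r["category"]] = totals.get(r["category"], 0) + r["count"]
    # Mail with neither aligned SPF nor a DKIM pass is what the published policy acts on.
    at_risk = [r for r in rows if r["category"] != "spf_aligned_pass" and r["dkim"] != "pass"]
    return {"totals": totals, "rows": rows, "at_risk": at_risk}


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(summary["totals"])
    for r in summary["rows"]:
        print(f"{r['ip']:>14} {r['count']:>6} {r['category']:<18} dkim={r['dkim']}")
```

In the constructed data, 198.51.100.7 is the case that trips people up: SPF passed, but for the ESP's bounce domain, so DMARC counts it as an SPF fail and only the DKIM signature keeps that mail aligned. 192.0.2.33 is the PermError case the lookup checklist is meant to prevent, and 203.0.113.9 is the unauthorized sender that actually gets rejected.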

Common SPF Mistakes to Avoid

Multiple SPF Records

Only one SPF record (a TXT record beginning with v=spf1) is allowed per name. Two or more cause PermError, a common outcome when a second team adds a new record instead of editing the existing one.

Using mx or a Without Need

Most organizations' web servers and inbound MX hosts never send mail. Each of a and mx costs one lookup (and mx must additionally resolve every MX host, which has its own cap), so remove them unless those hosts really do send.

Forgetting Subdomains

Subdomains do not inherit the parent's SPF record: a subdomain with no record gets the result none, so mail spoofed from it is unchecked by SPF. Publish a record for every subdomain that sends, and v=spf1 -all for those that never do. DMARC's sp= tag controls the policy applied to subdomains.

Not Testing Before Production

Always start with ~all and watch DMARC aggregate reports for 2-4 weeks to catch missing sources before enforcing -all.

Exceeding 255 Characters

A single DNS TXT string holds at most 255 characters, but one TXT record may consist of several strings, which SPF verifiers concatenate with nothing in between, so a longer record is split into multiple strings rather than truncated (get the split right: a space missing at a boundary corrupts the record). RFC 7208 also recommends keeping the whole record under roughly 450 characters so it fits in a single UDP response; trimming unused mechanisms and moving senders to subdomains both help.
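The multi-string form is easy to get wrong by hand, so here is an added example (not code from this page) that splits a record into TXT strings of at most 255 characters at term boundaries, keeping each separating space inside a string so that plain concatenation restores the record exactly, renders the zone-file line, and reports the size warnings a checker would give. The long record it builds is constructed for the example.

```python
"""Split an SPF record into the 255-octet strings a TXT record is built from.

Added example, not code from the page. DNS limits each character-string in TXT
RDATA to 255 octets, but one TXT record may hold several strings and SPF
verifiers concatenate them with nothing in between (RFC 7208 section 3.3), so a
long record is published as several strings, not trimmed.
"""
MAX_STRING = 255
RECOMMENDED_MAX = 450   # RFC 7208 section 3.4: keep the whole record below ~450 octets

# Constructed: 40 ip4 terms push the record past both 255 and 450 octets.
LONG_RECORD = "v=spf1 " + " ".join(f"ip4:192.0.2.{i}" for i in range(40)) + " -all"


def to_txt_strings(record, limit=MAX_STRING):
    """Split at spaces so every string is <= limit and "".join() restores the record."""
    tokens = record.split(" ")
    strings, current = [], ""
    for i, tok in enumerate(tokens):
        piece = tok if i == len(tokens) - 1 else tok + " "   # keep the separator inside
        if len(piece) > limit:
            raise ValueError(f"single term exceeds {limit} octets: {tok[:30]}...")
        if len(current) + len(piece) > limit:
            strings.append(current)
            current = ""
        current += piece
    strings.append(current)
    return strings


def zone_line(name, record):
    """Render as a zone-file TXT RR, with several quoted strings when needed."""
    quoted = " ".join(f'"{s}"' for s in to_txt_strings(record))
    return f"{name}. IN TXT {quoted}"


def size_warnings(record):
    """Return the size problems a checker would flag for this record."""
    warnings = []
    if len(record) > RECOMMENDED_MAX:
        warnings.append(f"record is {len(record)} octets; RFC 7208 recommends < {RECOMMENDED_MAX}")
    if len(record) > MAX_STRING:
        warnings.append(f"needs {len(to_txt_strings(record))} TXT strings")
    return warnings


if __name__ == "__main__":
    print(zone_line("example.com", LONG_RECORD))
    for w in size_warnings(LONG_RECORD):
        print("warning:", w)
```

Splitting at a term boundary is not required by the RFC (verifiers concatenate byte-for-byte, so a split mid-token is also valid), but it keeps each string readable in dig output, which matters when someone is debugging the record at 2 a.m.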
