/Guides/SPF Record Basics
Getting Started

SPF Record Basics: Authorize Your Mail Servers

SPF (Sender Policy Framework) tells email receivers which servers are authorized to send email for your domain. Learn how SPF works, basic syntax, and how to create your first SPF record.

SPF in Simple Terms

SPF is a whitelist of authorized mail servers for your domain. It's a DNS record that says "only these IP addresses can send email as @yourdomain.com".

Bottom Line: SPF prevents spammers from forging your domain by listing approved senders.

How SPF Works

1

Email Sent

Someone sends an email claiming to be from you@yourdomain.com from IP address 192.0.2.100

2

SPF Lookup

Receiving server checks DNS for your SPF record at yourdomain.com

3

Verification

If 192.0.2.100 is in your SPF record → ✓ SPF pass (authorized)
If not in your SPF record → ✗ SPF fail (unauthorized)

SPF Record Syntax

Basic Structure

v=spf1 ip4:192.0.2.0 include:_spf.google.com ~all

v=spf1

SPF version (always v=spf1)

ip4:192.0.2.0

Authorize specific IPv4 address

include:_spf.google.com

Include another domain's SPF record (for Google Workspace)

~all

Soft fail for everything else (recommended for testing)

Common Mechanisms

ip4:192.0.2.0/24

Authorize IPv4 address or range

ip6:2001:db8::1

Authorize IPv6 address

include:_spf.example.com

Include another SPF record (for ESPs)

mx

Authorize servers in MX records

a

Authorize domain's A record IP

Qualifiers (All Tag)

~all (SoftFail)

Recommended for testing - accept but mark as suspicious

-all (Fail)

Recommended for production - reject unauthorized senders

?all (Neutral)

No policy - not recommended

+all (Pass)

Allow all - NEVER use this!

Real-World Examples

Google Workspace Only

v=spf1 include:_spf.google.com ~all

For companies using only Google Workspace for email

Microsoft 365 + Marketing Platform

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all

Microsoft 365 + Mailchimp email sending

Multiple Services + Own Server

v=spf1 ip4:192.0.2.0 include:_spf.google.com include:sendgrid.net -all

Own mail server + Google Workspace + SendGrid with strict policy

Important Limits

10 DNS Lookup Limit
SPF has a hard limit of 10 DNS lookups. Each include: counts as one lookup. Exceeding this causes SPF PermError and authentication failure. Use SPF Surveyor to check your lookup count.

Related Guides

Email Authentication

How SPF fits with DKIM and DMARC

SPF Include Chains

Managing multiple includes

SPF Lookup Limit

Fix PermError issues

Automated SPF Management

TrustYourInbox automatically configures SPF for all your email services and keeps it updated.

Free SPF Tools

SPF Surveyor

Check SPF record and lookup count

Domain Security Checker

Verify SPF, DKIM, DMARC

DMARC Generator

Create DMARC policy (requires SPF)