SPF Records Guide

What Is SPF?

SPF (Sender Policy Framework) is a DNS-based email authentication method that specifies which mail servers are authorized to send email on behalf of your domain. It helps prevent email spoofing and improves deliverability.

How SPF Works

1. You publish an SPF record in your domain's DNS
2. When a receiving server gets an email from your domain, it checks the SPF record
3. If the sending server's IP matches the SPF record, the email passes SPF

Sender: [email protected]
Sending Server: 198.51.100.5

DNS lookup: example.com TXT
SPF record: "v=spf1 ip4:198.51.100.0/24 -all"

Result: PASS ✓ (IP is in the allowed range)

SPF Record Syntax

An SPF record is a TXT record in DNS. It starts with v=spf1 and contains mechanisms:

v=spf1 ip4:198.51.100.0/24 include:_spf.google.com -all
│      │                    │                        │
│      │                    │                        └─ Fail everything else
│      │                    └──────────────────────── Include Google's SPF
│      └───────────────────────────────────────────── Allow this IP range
└──────────────────────────────────────────────────── SPF version 1

Mechanisms

Qualifiers

Common Examples

Google Workspace Only

v=spf1 include:_spf.google.com -all

Google + Mailchimp

v=spf1 include:_spf.google.com include:servers.mcsv.net -all

Direct Server + Google

v=spf1 ip4:198.51.100.5 include:_spf.google.com -all

Common Mistakes

• Multiple SPF records — Only one TXT record with v=spf1 per domain
• Using +all — This allows anyone to send as your domain (defeats the purpose)
• Too many DNS lookups — SPF has a 10 DNS lookup limit (include, a, mx each count)
• Forgetting third-party senders — Marketing tools, CRMs, and transactional email services need to be included