SPF (Sender Policy Framework) is an email authentication method that uses DNS TXT records to define which IP addresses and mail servers are authorized to send email on behalf of your domain. When a recipient's mail server receives an email claiming to be from your domain, it checks your SPF record to verify the sender is legitimate.
How SPF Works
- You publish an SPF TXT record in your domain's DNS listing your authorized mail servers.
- A recipient's mail server receives an email from someone claiming to be from your domain.
- The recipient's server looks up your SPF record and checks if the sending IP is listed.
- If the IP is listed, SPF passes. If not, it fails, and the email may be rejected or marked as spam.
SPF Record Format
| Mechanism | Meaning | Example |
|---|---|---|
| ip4: | Specific IPv4 address or range | ip4:192.0.2.1 |
| include: | Include another domain's SPF | include:_spf.google.com |
| a | Allow the domain's A record IP | a:mail.example.com |
| mx | Allow the domain's MX server IPs | mx |
| -all | Hard fail (reject everything else) | Use at end of record |
| ~all | Soft fail (mark as suspicious but accept) | Use during testing |
Example SPF Record
v=spf1 include:_spf.google.com include:mailchimp.com ip4:203.0.113.5 -all
This allows Google Workspace, Mailchimp, and one specific IP to send email. Everything else is hard-failed.
People Also Ask
- What does SPF do for emails?
- It prevents unauthorized servers from sending email that appears to come from your domain (email spoofing). Without SPF, anyone can send email claiming to be from an address at your domain.
- Why did SPF cause my mail to be rejected?
- Your sending server's IP is not listed in your SPF record, or your record uses too many mechanisms that require DNS lookups (the SPF limit is 10). Use our DNS Lookup to view your current SPF record.
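The check described under "How SPF Works" and the 10-lookup limit, as an added example that is not from the original page: a small offline evaluator for the ip4, ip6, include and all mechanisms. The domain names and zone data are constructed; a and mx are left out because they need live DNS.

```python
import ipaddress

# Constructed sample zone data (not real published records): domain -> SPF TXT.
ZONE = {
    "example.com": "v=spf1 include:_spf.mailer.example ip4:203.0.113.5 -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # SPF limit on DNS-querying terms per evaluation

class PermError(Exception):
    """Raised when the record cannot be evaluated (permanent error)."""

def evaluate(domain, ip, zone=ZONE, budget=None):
    """Return the SPF result for sender `ip` against `domain`'s record."""
    budget = budget if budget is not None else [MAX_LOOKUPS]
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # mechanisms are tried left to right
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            budget[0] -= 1                   # each include costs one DNS lookup
            if budget[0] < 0:
                raise PermError("more than 10 DNS lookups")
            nested = evaluate(value, ip, zone, budget)
            if nested == "none":
                raise PermError("include target has no SPF record")
            matched = nested == "pass"       # only a nested "pass" counts as a match
        elif name == "all":
            matched = True
        else:
            raise ValueError(f"mechanism not modelled in this example: {name}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def check(domain, ip, zone=ZONE):
    """Like evaluate(), but reports lookup-limit and include errors as 'permerror'."""
    try:
        return evaluate(domain, ip, zone)
    except PermError:
        return "permerror"
```

A nested record's `~all` does not leak into the outer result: an IP that only soft-fails inside the include falls through to the outer `-all` and fails.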
Related: DKIM | DMARC | DNS Lookup