Email Security • Last Updated 5th April 2026 3 min read

What Is an SPF Record? Syntax, Mechanisms, and Limits

Learn what an SPF record is, how SPF syntax and mechanisms work, what qualifiers mean, and what to check when reviewing an SPF policy.

What an SPF record is

SPF, or Sender Policy Framework, is a DNS-based email authentication standard. It lets a domain owner publish which servers or services are authorised to send mail for that domain.

The SPF policy is usually stored in a TXT record at the root domain. When a receiving mail server evaluates SPF, it compares the sending IP address with the rules defined in that record.

SPF on its own is helpful, but it becomes much more powerful when used with DKIM and DMARC.

Example SPF record

example.com. 3600 IN TXT "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all"

This example authorises one IPv4 address directly, imports Microsoft's published sending policy, and tells receivers to fail mail from anything else.

Common SPF mechanisms

  • ip4: allows a specific IPv4 address or range
  • ip6: allows a specific IPv6 address or range
  • a: allows the addresses returned by the domain's A or AAAA records
  • mx: allows the hosts listed in the domain's MX records
  • include: imports another domain's SPF policy
  • all: matches everything not matched earlier in the record

Mechanisms are evaluated left to right. Good SPF design keeps the record intentional and easy to maintain, rather than continuously adding services without review.

What the qualifiers mean

  • -all means a hard fail for anything not explicitly allowed
  • ~all means a soft fail and is often used during earlier deployment stages
  • ?all means neutral and offers little protection
  • +all allows everything and should almost never be used

For most mature deployments, the key decision is usually whether the record is ready for ~all or -all. That depends on whether every legitimate sender has been accounted for.

SPF limitations to remember

SPF has a strict lookup limit. During evaluation, the receiver must not perform more than ten DNS lookups triggered by terms such as include, a, mx, and redirect. Complex records can exceed that limit and produce an SPF permerror result.

SPF also checks the envelope sender domain, not the visible From domain. That is why DMARC alignment matters so much for anti-spoofing controls.

Common SPF mistakes

  • Forgetting to include a legitimate email provider or marketing platform
  • Publishing multiple SPF TXT records for the same hostname
  • Using too many nested include statements and exceeding the ten-lookup limit
  • Leaving +all or ?all in place and assuming the record is protective
  • Treating SPF pass as enough without checking DMARC alignment
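
The lookup limit and several of the mistakes above can be checked statically. The following is an added example, not code from the original page: it parses SPF records, counts worst-case DNS lookups through nested includes, and flags duplicate records and permissive all qualifiers. ZONE is constructed sample data standing in for DNS TXT answers, and every domain and function name in it is hypothetical.

```python
import re
# Constructed sample data standing in for DNS TXT answers (hypothetical names).
ZONE = {
    "good.example": ["v=spf1 ip4:203.0.113.10 mx -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 a ~all"],
    "open.example": ["v=spf1 a mx +all"],
    "deep.example": ["v=spf1 a mx include:_spf.n1.example include:_spf.n2.example ~all"],
    "_spf.n1.example": ["v=spf1 a mx include:_spf.n2.example ~all"],
    "_spf.n2.example": ["v=spf1 a mx ptr exists:%{i}._chk.example ~all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4

def spf_records(domain, zone):
    """Return the TXT strings at `domain` whose first term is v=spf1."""
    return [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def parse(record):
    """Split a record into (qualifier, name, value) terms; '+' is the default qualifier."""
    terms = []
    for tok in record.split()[1:]:
        qual, body = (tok[0], tok[1:]) if tok[0] in "+-~?" else ("+", tok)
        name, value = re.match(r"([A-Za-z0-9_.-]*)[:=]?(.*)", body).groups()
        terms.append((qual, name.lower(), value))
    return terms

def count_lookups(domain, zone, depth=0):
    """Worst-case lookup count: every lookup term costs one, includes are followed."""
    records = spf_records(domain, zone)
    if len(records) != 1 or depth > 10:  # depth cap guards against include loops
        return 0
    total = 0
    for _, name, value in parse(records[0]):
        total += 1 if name in LOOKUP_TERMS else 0
        if name in ("include", "redirect"):
            total += count_lookups(value, zone, depth + 1)
    return total

def review(domain, zone):
    """Return findings for duplicate records, lookup overruns and permissive 'all'."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"{len(records)} SPF records published, exactly one expected"]
    findings, lookups = [], count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups, limit is 10 (permerror)")
    for qual, name, _ in parse(records[0]):
        if name == "all" and qual in "+?":
            findings.append(f"{qual}all does not restrict senders")
    return findings
```

Calling review("deep.example", ZONE) reports the overrun even though the top-level record contains only four lookup terms, because the nested includes carry the rest.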
