What is SPF and how does it work?
Learn what SPF is, how SPF records work, and why SPF matters for email authentication and deliverability.
Introduction
SPF stands for Sender Policy Framework. It is a DNS-based email authentication method that lets a domain publish which servers are allowed to send email on its behalf.
When a receiving mail server gets a message, it can check the domain’s SPF record and compare the connecting source against the allowed senders listed in DNS.
What an SPF record looks like
SPF is usually published as a TXT record and starts with v=spf1.
A simple example is: v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all
- ip4 lets you allow a specific IPv4 address or range
- include lets you reference another domain’s SPF policy
- -all means mail not matching the policy should fail
- ~all means soft fail rather than strict fail
Why SPF matters
SPF helps receiving mail systems decide whether a sender is authorized. It is one part of a wider email authentication setup that usually also includes DKIM and DMARC.
On its own, SPF is useful, but it becomes far more effective when combined with DMARC policy and reporting.
Common SPF mistakes
- Publishing more than one SPF record
- Exceeding the 10 DNS lookup limit
- Using outdated include statements
- Leaving +all in place, which is usually unsafe