SPF (Sender Policy Framework): The Complete Guide
Everything you need to know about SPF records to protect your domain against email spoofing.
What is SPF?
SPF (Sender Policy Framework) is an email authentication protocol defined in RFC 7208. It allows a domain owner to specify which mail servers are authorized to send emails on behalf of their domain.
In practice, SPF works through a DNS TXT record. When a mail server receives an email claiming to come from your domain, it checks this record to verify whether the sending server is authorized. If it is not, the email can be rejected or flagged as suspicious.
Without SPF, anyone can send an email pretending to be from your domain. This is known as email spoofing, a technique widely used in phishing attacks. SPF is therefore the first line of defense against this type of impersonation.
SPF alone is not enough: it must be combined with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication) for complete domain protection.
How does SPF work?
SPF works through a multi-step verification process when an email is received:
- Email sending — A mail server sends an email with your domain in the sender address (the MAIL FROM field of the SMTP envelope).
- DNS query — The receiving server extracts the domain from the MAIL FROM address and queries DNS to retrieve the associated SPF (TXT) record.
- IP comparison — The receiving server compares the sending server's IP address against the list of authorized IPs and mechanisms in the SPF record.
- Verdict — Based on the result, the receiving server takes action: accept (pass), reject (fail), flag as suspicious (softfail), or treat as neutral (neutral).
A typical SPF record looks like this:
Each element has a specific meaning:
- v=spf1 — Indicates this is an SPF version 1 record (required).
- include: — Authorizes the servers defined in another domain's SPF record (e.g., Google, SendGrid).
- ip4: — Authorizes a specific IPv4 address or address block.
- -all — Rejects all servers not explicitly authorized (hard fail).
- ~all — Flags as suspicious without rejecting (soft fail) — less strict.
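To make the verification steps and the mechanisms above concrete, here is a small SPF evaluator written for this guide (added example, not code from the original page). It resolves records from an in-memory zone instead of real DNS, so it runs offline; every domain and address in the zone is constructed. Only the mechanisms listed above (ip4, ip6, include, all) are implemented, which is enough to produce each verdict and to reproduce the two permerror conditions covered under "Common mistakes" below: more than 10 DNS lookups and more than one SPF record on a domain.

```python
"""Minimal SPF (RFC 7208) evaluator against an in-memory DNS zone.

Added example, not code from the original guide. The zone data below is
constructed; only the ip4, ip6, include and all mechanisms are implemented.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed zone: domain -> TXT records published for it.
ZONE: Dict[str, List[str]] = {
    "example.com": ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "neutral.example": ["v=spf1 ip4:203.0.113.9 ?all"],
    # Mistake 2 from the guide: two SPF records on one domain.
    "two-records.example": ["v=spf1 ip4:203.0.113.5 -all", "v=spf1 ip4:203.0.113.6 -all"],
    # An include chain that never ends: runs through the 10-lookup limit.
    "loop.example": ["v=spf1 include:loop.example -all"],
}

MAX_DNS_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Raised for conditions RFC 7208 defines as a permanent error."""


def lookup_spf(domain: str, zone: Dict[str, List[str]]) -> Optional[str]:
    """Return the single SPF record for a domain, None if absent, PermError if duplicated."""
    records = [txt for txt in zone.get(domain.lower(), [])
               if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 ")]
    if len(records) > 1:
        raise PermError(f"{domain}: {len(records)} SPF records, exactly one is allowed")
    return records[0] if records else None


def _check_host(addr, domain, zone, lookups: Dict[str, int]) -> str:
    record = lookup_spf(domain, zone)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]     # "all" always matches
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if addr in network:              # an IPv6 sender never matches an ip4 network, and vice versa
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            lookups["count"] += 1            # include is one of the counted DNS lookups
            if lookups["count"] > MAX_DNS_LOOKUPS:
                raise PermError("more than 10 DNS lookups")
            sub_result = _check_host(addr, argument, zone, lookups)
            if sub_result == "pass":
                return QUALIFIERS[qualifier]
            if sub_result == "none":         # RFC 7208 section 5.2: included domain has no record
                raise PermError(f"include target {argument} has no SPF record")
            # fail / softfail / neutral from the include: not a match, keep evaluating
        else:
            raise PermError(f"mechanism {mechanism!r} not supported by this example")
    return "neutral"                         # RFC 7208 default when no mechanism matched


def spf_check(ip: str, domain: str, zone=ZONE) -> str:
    """Evaluate SPF for a sending IP and MAIL FROM domain; returns an RFC 7208 result string."""
    lookups = {"count": 0}                   # one counter shared across the whole include tree
    try:
        return _check_host(ipaddress.ip_address(ip), domain, zone, lookups)
    except (PermError, ValueError):          # ValueError: malformed IP or ip4/ip6 argument
        return "permerror"


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.com"), ("198.51.100.10", "example.com"),
                       ("2001:db8::1", "example.com"), ("192.0.2.1", "example.com"),
                       ("203.0.113.5", "two-records.example"), ("203.0.113.1", "loop.example")]:
        print(f"{ip:>16} {domain:<24} -> {spf_check(ip, domain)}")
```

Running the script prints one verdict per line: the two first senders pass (directly via ip4 and through the include), 192.0.2.1 gets the softfail from the included record, which does not count as a match, and then falls through to -all, and the last two domains return permerror. A real resolver counts a, mx, ptr, exists and redirect against the same limit of 10; the lookup counter here is deliberately shared across the entire include tree for that reason.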
How to configure SPF step by step
Step 1: Identify your sending servers
List all the services that send emails on behalf of your domain. This typically includes:
- Your email provider (Google Workspace, Microsoft 365, etc.)
- Your email marketing tools (Mailchimp, Brevo, SendGrid, etc.)
- Your web application if it sends transactional emails
- Any other third-party services (CRM, helpdesk, etc.)
Step 2: Build your SPF record
Always start with v=spf1 and end with a -all or ~all mechanism. In between, add your authorized servers. Example for Google Workspace + Brevo:
Step 3: Add the record to your DNS
Log in to the DNS management interface of your registrar or hosting provider (Cloudflare, GoDaddy, Namecheap, etc.) and create a TXT record:
- Type: TXT
- Name / Host: @ (or leave blank depending on the provider)
- Value: your complete SPF record
- TTL: 3600 (1 hour) or the default value
Step 4: Verify your configuration
After DNS propagation (a few minutes to 48 hours), test your SPF record. You can use our free verification tool to validate that everything is working correctly.
Common mistakes to avoid
1. Exceeding the 10 DNS lookup limit
The SPF specification enforces a maximum of 10 DNS lookups (include, a, mx, redirect). Each include can itself contain other includes, and every one of them counts toward the same limit. Exceed this limit and your SPF will automatically become invalid with a permerror result.
2. Having multiple SPF records
A domain must have only one SPF record. If you have multiple records, verification will fail. Merge all your mechanisms into a single TXT record.
3. Using +all instead of -all or ~all
The +all mechanism authorizes all servers to send emails for your domain, which effectively provides no protection at all. Always use -all (hard fail) for maximum protection.
4. Forgetting a sending service
If you forget to include a legitimate service (for example, your newsletter tool), its emails will be rejected or sent to spam. Do a complete inventory before configuring your SPF.
Frequently asked questions about SPF
Is SPF enough to protect my domain against spoofing?
No. SPF only verifies the envelope address (MAIL FROM), not the address displayed to the recipient (the "From" header). An attacker can bypass SPF by using a different envelope domain. That is why you must combine SPF with DKIM and DMARC for complete protection.
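The following Python snippet is an added example for this FAQ answer (not code from the original guide). It models the DMARC identifier alignment check: DMARC only credits an SPF pass when the MAIL FROM domain that SPF verified aligns with the domain in the From header the recipient sees. The domains are constructed, and the organizational-domain helper is a simplification (real DMARC implementations consult the Public Suffix List; the two-label suffix set here is an assumption).

```python
"""DMARC identifier alignment for SPF.

Added example, not code from the original guide. Shows why an SPF pass on the
SMTP MAIL FROM domain is only useful to DMARC when that domain aligns with the
From header domain. Domains are constructed.
"""
from dataclasses import dataclass

# Assumption: a tiny stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


@dataclass(frozen=True)
class AuthResult:
    header_from: str   # domain of the RFC5322.From header, what the recipient sees
    mail_from: str     # domain of the SMTP MAIL FROM, what SPF actually verified
    spf_result: str    # SPF verdict for mail_from ("pass", "fail", "softfail", ...)


def organizational_domain(domain: str) -> str:
    """Strip subdomains: bounce.example.com -> example.com, mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_labels = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_labels + 1):])


def spf_aligned(result: AuthResult, mode: str = "r") -> bool:
    """DMARC SPF alignment: SPF must pass AND MAIL FROM must align with header From.

    mode "r" (relaxed, the DMARC default) compares organizational domains;
    mode "s" (strict) requires exactly the same domain.
    """
    if result.spf_result != "pass":
        return False
    if mode == "s":
        return result.mail_from.lower() == result.header_from.lower()
    return organizational_domain(result.mail_from) == organizational_domain(result.header_from)


# Constructed cases. The third one is the situation the FAQ answer describes:
# SPF passes for the envelope domain, but that domain is not the one shown to the recipient.
CASES = {
    "legitimate mail":           AuthResult("example.com", "example.com", "pass"),
    "bounce subdomain":          AuthResult("example.com", "bounce.example.com", "pass"),
    "unrelated envelope domain": AuthResult("example.com", "other.example", "pass"),
    "spf failed":                AuthResult("example.com", "example.com", "fail"),
}


def evaluate_cases(mode: str = "r"):
    """Return, per case, whether the SPF result counts toward a DMARC pass."""
    return {name: spf_aligned(r, mode) for name, r in CASES.items()}


if __name__ == "__main__":
    for mode in ("r", "s"):
        for name, aligned in evaluate_cases(mode).items():
            print(f"[{mode}] {name:<28} SPF pass counts for DMARC: {aligned}")
```

The "unrelated envelope domain" case is the one SPF alone cannot catch: its verdict is pass, and only the alignment check turns it into a DMARC failure. The "bounce subdomain" case shows the practical difference between relaxed and strict alignment for setups that use a dedicated bounce subdomain in MAIL FROM.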
What happens if I exceed the 10 DNS lookups?
If your SPF record requires more than 10 DNS lookups, the result will be a permerror (permanent error). Receiving servers will then treat your SPF as if it did not exist. To stay under the limit, you can replace some include directives with direct IP addresses or use an SPF flattening service.
What is the difference between -all and ~all?
-all (hard fail) indicates that emails from unauthorized servers should be rejected. ~all (soft fail) indicates they should be accepted but flagged as suspicious. In practice, with a proper DMARC policy, the difference is minimal. However, -all is recommended for maximum security.