SPF (Sender Policy Framework)

Protect your domain against email identity spoofing.

SPF (Sender Policy Framework) is an email authentication mechanism that specifies which servers are authorized to send emails for your domain. Without SPF, anyone can send emails pretending to be you - this is the principle of email spoofing used in phishing attacks.

When a mail server receives an email supposedly from your domain, it checks your SPF record in DNS. If the sending server isn't in the authorized list, the email is marked as suspicious or rejected according to your defined SPF policy.

A properly configured SPF significantly improves the deliverability of your legitimate emails while protecting your domain reputation against spoofers. It's the first building block of email authentication, complemented by DKIM and DMARC.

How SPF Works

SPF defines an authorization policy for sending emails:

  • TXT record: SPF is published as a DNS TXT record starting with v=spf1. It lists servers and IPs authorized to send for the domain.
  • Mechanisms: SPF uses mechanisms like ip4:, include:, a:, mx: to define authorized sources. Each mechanism can have a qualifier (+, -, ~, ?).
  • Sequential evaluation: Mechanisms are evaluated left to right. The first match determines the result (pass, fail, softfail, neutral).
  • Final policy: The record ends with the all mechanism plus a qualifier: -all (hard fail), ~all (soft fail), or ?all (neutral). -all is recommended.

Why SPF is Essential

SPF protects your domain and improves deliverability:

  • Anti-spoofing: Prevents attackers from sending fraudulent emails appearing to come from your domain. Protects your customers and partners.
  • Deliverability: Emails from domains with valid SPF have better chances of reaching the inbox rather than spam.
  • Reputation: A domain without SPF is suspicious. Email providers penalize domains that don't protect against spoofing.
  • Compliance: Many security policies and regulations require SPF as a minimum email protection measure.

How to Configure SPF

Follow these steps to create your SPF record:

  1. Inventory sources: List all servers and services that send emails for your domain: main email server, Gmail/O365, marketing services, etc.
  2. Build the record: Start with v=spf1, add mechanisms for each source (include:, ip4:, etc.), and end with -all or ~all.
  3. Publish in DNS: Create a TXT record for your root domain (@) with the complete SPF value.
  4. Test and validate: Use tools like MXToolbox SPF checker to validate syntax and test email sending.

SPF Configuration Examples

Here are common SPF examples:

; Basic SPF - own server only
example.com. IN TXT "v=spf1 ip4:192.0.2.1 -all"

; SPF with Gmail/Google Workspace
example.com. IN TXT "v=spf1 include:_spf.google.com -all"

; SPF with Microsoft 365
example.com. IN TXT "v=spf1 include:spf.protection.outlook.com -all"

; Multi-source SPF (Gmail + Mailchimp + own server)
example.com. IN TXT "v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:192.0.2.1 -all"

; SPF verification
$ dig example.com TXT +short | grep spf
"v=spf1 include:_spf.google.com -all"

; Test with nslookup
$ nslookup -type=txt example.com

v=spf1 is mandatory at the start. include: delegates verification to another domain. ip4:/ip6: authorizes specific addresses. -all rejects everything else (recommended).

SPF Best Practices

Optimize your SPF configuration:

  • Use -all: Always end with -all (hard fail) rather than ~all. This indicates a strict policy and improves protection.
  • Limit lookups: SPF allows at most 10 DNS-querying terms per check. Each include: counts, as do a:, mx:, exists:, ptr: and redirect=. Consolidate if necessary to stay under the limit.
  • Monitor with MoniTao: Monitor your SPF record to detect unauthorized modifications that could facilitate spoofing.
  • Complete with DKIM/DMARC: SPF alone isn't enough. Add DKIM for cryptographic signing and DMARC for enforcement policy.
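A small SPF evaluator, added here as an illustration and not code from the page or the MoniTao product, that shows the left-to-right evaluation and qualifiers from the How SPF Works section and the lookup limit from the Limit lookups practice above. The DNS table is constructed for the example; ip4:, ip6:, a:, include: and all are implemented, and anything else returns permerror, as does a second SPF record or an 11th DNS-querying term.

```python
import ipaddress

# Constructed DNS snapshot (assumption, not live DNS) for fictional domains.
DNS = {
    "example.com": {"TXT": ["v=spf1 include:_spf.mail.test ip4:192.0.2.1 ~all"]},
    "_spf.mail.test": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    "two.test": {"TXT": ["v=spf1 -all", "v=spf1 +all"]},     # two records: permerror
    "loop.test": {"TXT": ["v=spf1 include:loop.test -all"]},  # include loop: hits the limit
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per check

def check_host(ip, domain, lookups=None):
    """Evaluate the SPF record of `domain` for sending address `ip`.
    Returns none, pass, fail, softfail, neutral or permerror. `lookups` is a
    shared counter so include: recursion counts against the same limit."""
    lookups = [0] if lookups is None else lookups
    records = [t for t in DNS.get(domain, {}).get("TXT", []) if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:  # more than one SPF record is a permanent error
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.lower().partition(":")
        if name in ("include", "a", "mx", "exists", "ptr"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # "too many DNS lookups"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):  # an address of the other IP version never matches
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS.get(arg or domain, {}).get("A", [])
        elif name == "include":  # only a "pass" from the included domain counts as a match
            sub = check_host(ip, arg, lookups)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # mx:, exists:, ptr:, redirect= not implemented in this toy
        if matched:
            return QUALIFIERS[qual]  # first match decides; later terms are ignored
    return "neutral"  # ran off the end without a match

if __name__ == "__main__":
    for ip, dom in [("192.0.2.1", "example.com"), ("198.51.100.9", "example.com"),
                    ("192.0.2.1", "two.test"), ("192.0.2.1", "loop.test")]:
        print(dom, ip, "->", check_host(ip, dom))
```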

SPF Checklist

  • All email sending sources inventoried
  • SPF record created with v=spf1
  • Ended with -all (hard fail)
  • Less than 10 DNS lookups
  • Syntax validated with a tool
  • SPF monitoring enabled

Frequently Asked Questions - SPF

What's the difference between -all, ~all, and ?all?

-all = hard fail (reject), ~all = soft fail (mark suspicious), ?all = neutral (ignore SPF). Use -all for maximum protection once you're sure all sources are listed.

What does "too many DNS lookups" mean?

SPF allows at most 10 DNS-querying terms per check (include:, a:, mx:, exists:, ptr:, redirect=). Beyond that, the check returns "permerror". Reduce includes or use ip4:/ip6: directly.

Can I have multiple SPF records?

No! A domain must have only one SPF record. Multiple SPF records cause a "permerror" result. Consolidate everything into a single record.

Does SPF protect against phishing?

SPF helps but isn't enough. It checks the SMTP envelope sender (MAIL FROM, the envelope from), not the visible From header. DMARC aligns both for complete protection.

My email goes to spam despite valid SPF, why?

SPF is just one factor. Email content, IP reputation, DKIM/DMARC results and sending history also influence filtering. Check the message headers to diagnose.

Should I include my cloud provider IPs?

Use include: to their SPF domain rather than IPs directly. That way, if their IPs change, your SPF remains valid.

Protect Your Email with SPF

SPF is the first line of defense against email identity spoofing. By clearly defining who can send emails for your domain, you protect your reputation and your recipients against phishing.

Configure SPF correctly, monitor it with MoniTao, and complete your protection with DKIM and DMARC. Complete email authentication is essential in today's threat environment.

Ready to Sleep Soundly?

Start free, no credit card required.