SPF Basics

What is an SPF Record?

An SPF record is a DNS TXT entry that lists which mail servers are allowed to send email on behalf of your domain.

Beginner · 6 min read · Reviewed Jul 4, 2026

Quick answer

An SPF record is a DNS TXT record published at your domain that tells receiving mail servers which IP addresses and third-party senders are authorized to send email using your domain name. Mail servers check this record during SMTP and apply a pass, fail, softfail, or neutral result that affects deliverability and spoofing protection.

Beginner explanation

When you send email, the receiving server needs a way to verify that your message really came from your organization and not an impostor. SPF—Sender Policy Framework—answers that question by publishing a simple list of approved senders in DNS.

Think of an SPF record as a guest list at the door of every inbox. If the sending server is on the list, the message is more likely to be accepted. If it is not, the receiving server may mark the message as suspicious, quarantine it, or reject it entirely.

SPF records live in DNS as TXT records. You do not install software on your mail server to use SPF; you publish a policy that the internet can look up in seconds.

Technical explanation

Technically, an SPF record is a single TXT DNS record (or occasionally a legacy SPF-type record) containing a version tag and a set of mechanisms. A typical record begins with v=spf1 and then lists authorized sources using mechanisms such as ip4, ip6, include, a, mx, and all. Each mechanism can be prefixed with +, -, ~, or ? to indicate pass, fail, softfail, or neutral.

Receiving mail servers evaluate SPF during the MAIL FROM phase of SMTP, also called the envelope sender. They extract the domain from the envelope address, perform a DNS TXT lookup, parse the returned SPF policy, and compare the connecting IP address against the authorized list. The result is cached briefly and may influence spam scoring, DMARC alignment, and rejection decisions.

SPF records are domain-scoped, not mailbox-scoped. Authorizing mail.example.com does not automatically authorize subdomains unless you publish separate records or use mechanisms that explicitly cover them. For most organizations, the SPF record is maintained alongside MX, DKIM, and DMARC records as part of a complete email authentication stack.

Business impact

Without a correct SPF record, legitimate marketing, transactional, and employee email can be filtered or blocked because receivers cannot confirm the sender is authorized. That directly affects sales outreach, password resets, invoices, and support replies.

A broken or missing SPF record also makes domain spoofing easier. Attackers can send phishing email that appears to originate from your brand while your organization has not published any policy to stop it. That increases fraud risk, damages trust, and can trigger abuse complaints against your domain.

Common mistakes

- Publishing multiple separate SPF TXT records on the same hostname, which causes a PermError
- Copying a provider template without removing obsolete includes after switching vendors
- Forgetting that SPF authorizes envelope senders, not the visible From header address alone

How SPF Manager helps

SPF Manager reads your live DNS record and shows exactly which mechanisms are present, which providers they reference, and whether the syntax is valid. Instead of guessing what a long include chain means, you see a resolved view of authorized sources and lookup cost.

When you add or remove a mail vendor, SPF Manager helps you update the record safely, warns about duplicate SPF TXT entries, and tracks whether the published policy still matches the providers your organization actually uses.

Recommended next step

See how this applies to your domain before you change DNS.

Analyze my domain

Related articles

Email Authentication

What is SPF Email Authentication?

SPF email authentication lets domain owners publish which servers may send mail using their domain, helping receivers detect spoofing.

Beginner 6 min read

DNS

TXT Records for SPF

SPF policies are published as DNS TXT records at the domain or designated subdomain used in the envelope sender.

Beginner 5 min read

Best Practices

SPF Record Validation

SPF record validation checks syntax, duplicate policies, lookup limits, and real-world resolution before you rely on a record in production.

Beginner 6 min read

SPF Basics

SPF Include Mechanism

The SPF include mechanism authorizes another domain's SPF policy as part of your own, enabling third-party senders without listing every IP.

Beginner 5 min read