DNS

TXT Records for SPF

SPF policies are published as DNS TXT records at the domain or designated subdomain used in the envelope sender.

Beginner · 5 min read · Reviewed Jul 4, 2026

Quick answer

SPF policies are stored in DNS as TXT records, typically at the domain used in the SMTP envelope sender. Receivers query TXT records for that domain and select the record starting with v=spf1. Multiple TXT strings may be returned, but publishing more than one SPF policy on the same name causes PermError. Correct TXT formatting and hostname choice are foundational to working SPF.

Beginner explanation

DNS TXT records are multi-purpose text containers. For email authentication, they hold machine-readable policies like SPF, and receivers know to look for a string that starts with v=spf1.

Publishing SPF in the wrong place is one of the most common setup errors. The record must live on the domain that appears in the envelope sender—the technical return-path address—not necessarily the friendly From address users see in their inbox.

TXT records are also subject to DNS length limits. Long policies may need to be split across multiple strings in a single TXT record set, which is valid as long as only one SPF policy exists on that name.

Technical explanation

Receivers perform a DNS TXT query on the domain extracted from the MAIL FROM address. If the header From domain differs and no Sender header is present, SPF still evaluates the envelope domain. This distinction is critical when marketing tools use bounce domains like em.example.com.

The SPF specification requires that a domain publish at most one SPF record. In practice, that means one logical v=spf1 policy per hostname. If two separate TXT records each contain v=spf1, compliant receivers return PermError.

TXT records can exceed 255 characters by splitting the value into multiple quoted strings within one TXT RRset. DNS operators should avoid inserting line breaks or unescaped quotes. After publishing, use a resolver that shows the complete concatenated string to verify what receivers will parse.

Business impact

TXT misplacement causes SPF to fail even when the policy text itself is perfect. Teams may approve a record in a dashboard that never gets queried in production because SMTP uses another hostname.

Duplicate SPF TXT records create intermittent authentication results across resolvers and receivers, making DMARC reports noisy and undermining confidence in security monitoring.

Common mistakes

- Placing the SPF TXT record on the marketing From domain while mail uses a different bounce domain
- Creating a new TXT record instead of editing the existing SPF entry, resulting in duplicates
- Exceeding DNS provider field length limits without splitting strings correctly

How SPF Manager helps

SPF Manager identifies which hostnames your domain uses for sending and verifies TXT records on each relevant name. It flags duplicate v=spf1 entries and shows the exact string receivers retrieve.

Before you publish, the tool validates syntax and length constraints so your TXT record survives real-world DNS hosting limits.

Recommended next step

See how this applies to your domain before you change DNS.

Analyze my domain

Related articles

SPF Basics

What is an SPF Record?

An SPF record is a DNS TXT entry that lists which mail servers are allowed to send email on behalf of your domain.

Beginner 6 min read

Best Practices

SPF Record Validation

SPF record validation checks syntax, duplicate policies, lookup limits, and real-world resolution before you rely on a record in production.

Beginner 6 min read

DNS

DNS Propagation and SPF

DNS propagation delays can cause temporary SPF failures after you publish or update TXT records.

Beginner 5 min read

Email Authentication

What is SPF Email Authentication?

SPF email authentication lets domain owners publish which servers may send mail using their domain, helping receivers detect spoofing.

Beginner 6 min read