What is SPF?

How SPF works

SPF (Sender Policy Framework) is a DNS TXT record that lists the mail servers authorised to send email for your domain. When a receiving server gets a message, it checks the SPF record and compares it to the sending server's IP address.

SPF operates at the envelope sender level — the MAIL FROM address used during the SMTP session — not necessarily the From: header the recipient sees.

What an SPF record looks like

An SPF record is published as a TXT record at your domain root. A typical record looks like: v=spf1 include:_spf.google.com include:sendgrid.net -all

The v=spf1 tag identifies it as an SPF record. include: mechanisms authorise third-party senders. The -all at the end (hardfail) means any server not listed should be rejected. The ~all (softfail) variant is less strict.

Common SPF problems

Multiple SPF records. Your domain can only have a single v=spf1 TXT record. Having more than one causes SPF to fail for all senders.

+all (allow all). This disables SPF protection by authorising every server to send on your behalf.

Too many DNS lookups. SPF limits include, a, mx, ptr, and exists mechanisms to 10 DNS lookups. Exceeding this causes a permerror and SPF failure.

How SPF affects email deliverability

Without SPF, anyone can forge your domain in the envelope sender. Receiving servers use SPF as one of several signals in spam scoring. Missing or broken SPF increases the risk of your email going to spam or being rejected outright.

SPF alone is not sufficient. It can be bypassed by spoofing the visible From: header. SPF is most effective when combined with DKIM and a DMARC policy.

How to check your SPF record

Use MXFend's free SPF Checker to instantly validate your SPF record. The checker detects missing records, multiple records, dangerous +all and ?all mechanisms, and other common configuration problems.