SPF (Sender Policy Framework) is a dns-txt-record published on a domain that lists which mail servers, IP ranges, or third-party providers are authorised to send email on its behalf. Receiving mail servers compare the connecting server against the record and use the result as one signal of legitimacy. SPF is defined in RFC 7208.
Why it matters
Without SPF, anyone can forge your domain in the MAIL FROM envelope and send spam or phishing that appears to come from you. That damages your sending reputation, causes legitimate mail to land in spam, and exposes your customers to fraud. Most major mailbox providers — Google, Microsoft, Yahoo — now require SPF (alongside dkim and dmarc) for bulk senders. A broken SPF record is a common cause of sudden delivery problems after switching email providers.
How to check
- Publish a single TXT record at the root of the domain, starting with
v=spf1. - Keep the record under the 10 DNS lookup limit — every
include:anda:mechanism counts; exceeding it returnspermerrorand SPF fails. - Use
~all(softfail) while rolling out so legitimate senders are not bounced; tighten to-all(hard fail) once you are confident. - Include every legitimate sender: your mail server, transactional providers, marketing tools, helpdesks, CRM.
- Verify alongside dkim and dmarc; SPF alone does not stop display-name spoofing.
- Do not publish more than one SPF record per domain — multiple records also produce
permerror.