What is SPF? Email Sender Policy Framework Explained
Learn how SPF records work, prevent email spoofing, and improve deliverability. Complete guide with setup examples and best practices.
SPF (Sender Policy Framework) is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send emails on behalf of their domain.
Think of SPF as a guest list for your domain—it tells receiving servers, "These are the only servers allowed to send email using my domain name."
How SPF Works
SPF works by publishing a list of authorized sending servers in your DNS records. Here's the process:
1. You Publish an SPF Record
You add a TXT record to your domain's DNS that lists all IP addresses and services authorized to send email from your domain.
2. An Email is Sent
When someone sends an email claiming to be from your domain, the receiving server notes the IP address of the sending server.
3. The Receiving Server Checks SPF
The receiving server looks up your domain's SPF record in DNS and checks if the sending server's IP address is listed as authorized.
4. Pass or Fail
If the IP matches, SPF passes. If not, SPF fails and the email may be flagged as spam or rejected, depending on your policy.
SPF Validates the Server, Not the Content
Unlike DKIM, which validates email content, SPF only checks whether the sending server is authorized. This is why using both SPF and DKIM together provides stronger authentication.
SPF Record Syntax
An SPF record is a TXT record with a specific format. Here's a typical example:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 ~all
# Breaking down the components:
# v=spf1 -> SPF version (always v=spf1)
# include:_spf.google.com -> Include Google's SPF record
# include:sendgrid.net -> Include SendGrid's SPF record
# ip4:192.0.2.1 -> Authorize specific IPv4 address
# ~all -> Soft fail for all others
Common SPF Mechanisms
| Mechanism | Description |
|---|---|
| ip4:192.0.2.1 | Authorize specific IPv4 address |
| ip6:2001:db8::1 | Authorize specific IPv6 address |
| include:domain.com | Include another domain's SPF record |
| a | Authorize domain's A record IP |
| mx | Authorize domain's MX record IPs |
| ~all | Soft fail (treat others as suspicious) |
| -all | Hard fail (reject all others) |
10 DNS Lookup Limit
SPF has a hard limit of 10 DNS lookups per check. Each include: mechanism counts as one lookup, and the lookups made inside an included record count toward the same limit. Exceeding this limit causes SPF validation to fail. Keep your SPF record concise and avoid excessive includes.
Why SPF Matters
Prevents Email Spoofing
SPF makes it much harder for spammers to send emails that appear to come from your domain. Only authorized servers can send on your behalf.
Improves Deliverability
Emails from domains with proper SPF records are more trusted by receiving servers, leading to better inbox placement rates.
Protects Your Domain
By specifying authorized senders, you protect your domain from being used in phishing and spam campaigns.
Required for DMARC
SPF (along with DKIM) is necessary for implementing DMARC, which provides comprehensive email authentication and reporting.
How to Set Up SPF
Identify All Email Senders
List all services and servers that send email from your domain: your email service provider, marketing tools, support systems, etc.
Gather SPF Include Values
Each email service provides SPF values to include. For example:
Google Workspace: include:_spf.google.com
Microsoft 365: include:spf.protection.outlook.com
Plunk: include:spf.useplunk.com
SendGrid: include:sendgrid.net
Create Your SPF Record
Combine all authorized senders into one SPF record:
v=spf1 include:_spf.google.com include:spf.useplunk.com ~all
Add to DNS
Add the SPF record as a TXT record in your DNS settings. The record name should be your root domain (e.g., "@" or "yourdomain.com").
Verify SPF
Use SPF validation tools to confirm your record is correct and doesn't exceed the 10 DNS lookup limit.
Plunk Handles This Automatically
When you set up a domain in Plunk, we provide the exact SPF record you need. Just copy and paste it into your DNS, and we'll verify it's working correctly.
Common SPF Mistakes to Avoid
✗ Multiple SPF Records
Never create multiple SPF TXT records. You can only have ONE SPF record per domain. Combine all authorized senders into a single record.
✗ Exceeding 10 DNS Lookups
Each include: mechanism counts toward the 10 lookup limit. Too many includes will cause SPF to fail. Consolidate where possible.
✗ Forgetting to Update SPF
When you add new email services, remember to update your SPF record. Outdated SPF records cause legitimate emails to fail authentication.
✗ Using +all
Never use +all (pass all). This completely defeats the purpose of SPF by allowing anyone to send from your domain. Always use ~all or -all.
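The "Verify SPF" step and the mistakes listed above can be checked mechanically. The Python linter below is an added example, not code from the original page or from Plunk; it flags multiple SPF records, more than 10 DNS lookups (counted through nested includes), and +all. It goes beyond the page in counting a, mx, ptr, exists and redirect as lookups as well, per RFC 7208, and it reads from a constructed zone of made-up domains instead of live DNS so that it runs offline.

```python
import re

# Constructed zone (domain -> TXT strings) standing in for live DNS; all names are made up.
ZONE = {
    "ok.example": ["v=spf1 include:m.example ip4:192.0.2.1 ~all"],
    "m.example": ["v=spf1 mx include:ips.example ~all"],
    "ips.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    "crm.example": ["v=spf1 a mx include:m.example ~all"],
    "heavy.example": ["v=spf1 a mx include:m.example include:crm.example exists:%{i}.h.example ~all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 ~all", "v=spf1 include:ips.example ~all"],
    "open.example": ["v=spf1 include:ips.example +all"],
}
LOOKUP_LIMIT = 10
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that cost a DNS query

def spf_records(domain, zone):
    """TXT records published at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def terms(record):
    """Yield (qualifier, name, argument) per term; a missing qualifier means '+'."""
    for term in record.split()[1:]:
        if m := re.match(r"([+\-~?]?)([a-z0-9]+)[:=]?(.*)", term, re.I):
            yield m.group(1) or "+", m.group(2).lower(), m.group(3)

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms, following include/redirect into nested records."""
    records = spf_records(domain, zone)
    if domain in seen or len(records) != 1:  # loop guard; unusable record adds nothing
        return 0
    total = 0
    for _, name, arg in terms(records[0]):
        if name in QUERYING:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, seen + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Report the mistakes listed above: multiple records, >10 lookups, +all."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"{len(records)} SPF records published (exactly one is required)"]
    findings = []
    if (n := count_lookups(domain, zone)) > LOOKUP_LIMIT:
        findings.append(f"{n} DNS lookups (limit is {LOOKUP_LIMIT})")
    if any(q == "+" and name == "all" for q, name, _ in terms(records[0])):
        findings.append("+all authorizes every sender")
    return findings
```

In the sample zone, heavy.example has only two include: terms in its own record but reaches 12 lookups once the nested records are followed, which is why counting the top-level record alone is not enough.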