SPF (Sender Policy Framework)
Definition
An authentication protocol specifying authorized sending servers for a domain.
Expanded Explanation
What Is SPF?
SPF (Sender Policy Framework) is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send email on their behalf. Published as a TXT record in DNS, the SPF record tells receiving mail servers: "Only accept email from this domain if it comes from one of these IP addresses or server hostnames. If it comes from anywhere else, treat it with suspicion." SPF is one of the three core email authentication standards alongside DKIM and DMARC.
How SPF Works
When a receiving mail server gets an incoming message, it checks the envelope sender domain (the Return-Path or MAIL FROM domain) against the domain's SPF record. The SPF record lists authorized sending sources — IP addresses, IP ranges, and "include" directives that reference other domains' SPF records. If the sending IP matches an authorized source, SPF passes. If it doesn't match, SPF fails (or "softfails" with ~all, meaning suspicious but not rejected). The result is recorded in the Authentication-Results header.
SPF Record Syntax
An SPF record looks like: v=spf1 include:mailplatform.com ip4:203.0.113.0/24 -all. Breaking this down: v=spf1 identifies it as an SPF record. include:mailplatform.com authorizes all IPs in the mailplatform.com SPF record. ip4:203.0.113.0/24 authorizes a specific IP range. -all (hard fail) means reject mail from any source not listed above. ~all (soft fail) means treat non-listed sources as suspicious but don't necessarily reject. ?all (neutral) and +all (allow all) are generally inappropriate for security-conscious senders.
The 10-Lookup Limit
SPF evaluation is limited to 10 DNS lookups. Each include:, a:, mx:, and exists: mechanism, and each redirect= modifier, counts as one lookup. Many senders exceed this limit by adding multiple ESPs, CRMs, and sending services to their SPF record without consolidating them. When the limit is exceeded, SPF fails with a "permerror" — effectively the same outcome as having no SPF record. Regularly audit your SPF record and consolidate or remove unused sending services to stay within the limit.
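The lookup count is cumulative across nested records, which this added example (not code from the original page) shows with a static audit over constructed sample records. It goes slightly beyond the text by following RFC 7208 in also counting ptr and in ignoring redirect when an all mechanism is present. The domains and records are hypothetical, and the total is a worst-case bound, since a real evaluator stops at the first matching mechanism.

```python
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed zone data (hypothetical domains) standing in for DNS TXT answers.
SAMPLE_ZONE = {
    "example.com": "v=spf1 mx include:esp.example include:crm.example ip4:203.0.113.0/24 -all",
    "esp.example": "v=spf1 include:a.esp.example include:b.esp.example a ~all",
    "a.esp.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "b.esp.example": "v=spf1 exists:%{i}.rbl.example -all",
    "crm.example": "v=spf1 a:mail.crm.example mx redirect=_spf.crm.example",
    "_spf.crm.example": "v=spf1 a mx ptr -all",
    # The same sender after dropping the CRM include.
    "fixed.example": "v=spf1 mx include:esp.example ip4:203.0.113.0/24 -all",
}

def lookup_terms(record):
    """Return (name, target) for every term in a record that costs a DNS lookup."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    bodies = [t.lstrip("+-~?").lower() for t in terms[1:]]
    has_all = "all" in bodies
    found = []
    for body in bodies:
        if body.startswith("redirect="):
            if not has_all:  # redirect is ignored when an "all" mechanism is present
                found.append(("redirect", body[len("redirect="):]))
            continue
        name, _, rest = body.partition(":")
        name, target = name.split("/")[0], rest.split("/")[0] or None
        if name in LOOKUP_MECHANISMS:
            found.append((name, target))
    return found

def count_lookups(domain, zone, path=frozenset()):
    """Worst-case count of lookup terms reachable from the domain's record."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for name, target in lookup_terms(zone[domain]):
        total += 1
        if name in ("include", "redirect"):  # the target record's terms count too
            total += count_lookups(target, zone, path | {domain})
    return total

def audit(domain, zone):
    """Return (count, verdict); past the limit a receiver returns permerror."""
    count = count_lookups(domain, zone)
    return count, ("permerror" if count > LOOKUP_LIMIT else "ok")
```

The top-level example.com record holds only three lookup terms, yet audits to 13 once the nested records are followed.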
Checking and Setting Up SPF
Use EmailVerify.io's free SPF Checker at emailverify.io/tools/spf-checker to inspect your current SPF record and identify potential issues. The SPF Generator at emailverify.io/tools/spf-generator helps you build a correctly formatted SPF record ready to publish in DNS. Regular SPF audits are important — every time you add a new sending service (new ESP, CRM email feature, support platform), you need to update your SPF record.
SPF and Email Forwarding
SPF has a well-known limitation: it breaks with email forwarding. When someone forwards your email to a different address, the forwarding server re-sends the message — but now the sending IP is the forwarding server, not your authorized SPF server. This causes SPF to fail even though the email is entirely legitimate. DMARC mitigates this because DKIM-based alignment doesn't break on forwarding. This is why DKIM alignment is often more reliable than SPF alignment for DMARC compliance.