What is SPF?
SPF (Sender Policy Framework) is a DNS record that tells email providers which servers are authorized to send emails on behalf of your domain. When someone receives an email claiming to be from your domain, their email server checks your SPF record to verify the sending server is legitimate. Without SPF, your emails are more likely to be flagged as spam.
Why SPF Matters
Email providers use SPF as a key authentication method. A proper SPF record helps:
- Reduce spam filtering: Legitimate emails pass authentication checks
- Prevent spoofing: Attackers can't easily impersonate your domain
- Improve delivery rates: Fewer emails end up in spam folders
- Build trust: Consistent authentication signals you're a legitimate sender
How SPF Works
- You publish an SPF record in your domain's DNS as a TXT record
- When an email from your domain arrives at a recipient's server, that server queries your DNS
- The recipient's server extracts the sending server's IP address from the email headers
- It checks the SPF record to see if that IP is authorized
- The email passes or fails SPF authentication based on the result
Setting Up an SPF Record
Step 1: Identify Your Authorized Sending Servers
Gather the IP addresses or hostnames of all servers that send email on behalf of your domain. This typically includes:
- Your hosting provider's mail server
- Third-party email services (marketing tools, form handlers, etc.)
- Your own servers if you send transactional emails
Ask your hosting provider or service for their SPF-authorized IP or hostname.
Step 2: Create Your SPF Record
SPF records use a specific syntax. A basic example:
v=spf1 ip4:192.0.2.1 include:mailprovider.com ~all
Breaking this down:
- v=spf1 — Version identifier (always required, must be first)
- ip4:192.0.2.1 — Authorizes the IPv4 address 192.0.2.1
- include:mailprovider.com — Trusts SPF records from mailprovider.com
- ~all — Soft fail (allows unauthorized servers but marks them suspicious); use -all for hard fail instead
Common building blocks:
v=spf1 a mx include:example.com ip4:198.51.100.0/24 ~all
- a — Authorizes the A record (IPv4) of your domain
- mx — Authorizes the MX record servers
- include: — Trusts the SPF record of another domain
- ip4: — Authorizes a specific IPv4 address or CIDR range
- ip6: — Authorizes a specific IPv6 address or CIDR range
Step 3: Add the Record to Your DNS
Log in to your DNS provider (often your hosting control panel):
- Navigate to DNS Records or Zone Management
- Create a new TXT record for your domain
- Enter the hostname as @ (your domain root) or leave blank
- Paste your complete SPF record as the value
- Save the record
Example DNS entry:
| Type | Name | Value |
|------|------|-------|
| TXT | @ | v=spf1 ip4:192.0.2.1 include:mailprovider.com ~all |
Step 4: Verify Your Record
After adding the record, allow up to 24 hours for DNS propagation (usually much faster). To check:
nslookup -type=TXT yourdomain.com
Or use an online SPF checker tool and enter your domain.
SPF Best Practices
- Keep it simple: Avoid too many include statements (SPF has a 10-include limit per some implementations)
- Use soft fail first: Start with ~all while testing, switch to -all once confident
- Update when adding services: Each time you add a new email service, update your SPF record
- Monitor alignment: Your SPF domain should match the domain in your email's "From" address for best results
- Test before enforcing: Use a monitoring tool to catch any legitimate email that might fail
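As an added illustration (not code from this article or from any SPF library), the sketch below evaluates the Step 2 example record the way a receiving server would, using a constructed in-memory TXT table instead of real DNS. It shows how ~all and -all change the result for an unauthorized IP and how too many includes ends in a permanent error. Assumptions: the mailprovider.com record, the function names and the sample IPs are made up; only ip4, ip6, include and all are modelled, and the lookup cap here counts include terms only, whereas RFC 7208 also counts a, mx, ptr, exists and redirect toward the same limit of 10.

```python
import ipaddress

# Constructed offline "DNS". The first record is the article's example; the
# mailprovider.com record is an assumption made up for this demonstration.
TXT = {
    "yourdomain.com": "v=spf1 ip4:192.0.2.1 include:mailprovider.com ~all",
    "mailprovider.com": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying terms per evaluation

class PermError(Exception):
    """The record set cannot be evaluated (receivers report permerror)."""

def _terms(domain, txt):
    parts = txt.get(domain, "").split()
    return parts[1:] if parts and parts[0].lower() == "v=spf1" else None

def _eval(domain, ip, txt, budget):
    terms = _terms(domain, txt)
    if terms is None:
        raise PermError(f"include target {domain} has no SPF record")
    for term in terms:  # mechanisms are tested left to right; first match wins
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            budget[0] -= 1  # every include costs one DNS lookup
            if budget[0] < 0:
                raise PermError("more than 10 DNS lookups")
            # A nested fail/softfail is "no match", not a failure of the mail.
            matched = _eval(arg, ip, txt, budget) == "pass"
        else:
            raise ValueError(f"term not modelled in this example: {term}")
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and there is no "all"

def check_host(ip, domain, txt=TXT):
    """SPF result for a connecting IP and the sender's domain."""
    if _terms(domain, txt) is None:
        return "none"
    try:
        return _eval(domain, ipaddress.ip_address(ip), txt, [MAX_LOOKUPS])
    except PermError:
        return "permerror"
```

Calling check_host("203.0.113.9", "yourdomain.com") returns softfail with the record as published and fail once it ends in -all, which is the difference the soft-fail-first advice relies on.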
Common Issues
"Too many includes" — Reduce the number of include: statements by consolidating providers or removing unused ones.
"Emails still go to spam" — SPF alone isn't enough; combine it with DKIM and DMARC for stronger authentication.
"Changes aren't taking effect" — DNS changes take time to propagate worldwide. Wait 24 hours, then re-check with a DNS lookup tool.
Next Steps
Once SPF is working, add DKIM and DMARC records to your domain for even stronger email authentication and protection against spoofing.