DNS SPF Record

Sender Policy Framework

What is an SPF Record?

SPF (Sender Policy Framework) is an email authentication method that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. An SPF record is published as a DNS TXT record at the domain's root and is checked by receiving mail servers to verify that incoming email from the domain was sent from an authorized server.

When a mail server receives an email, it checks the SPF record of the sender's domain by performing a DNS TXT lookup. The SPF record contains a list of authorized IP addresses, IP ranges, and hostnames. If the sending server's IP matches one of the authorized sources, the SPF check passes. If not, the SPF check fails, and the receiving server may reject the message, mark it as spam, or accept it depending on the SPF qualifier and the server's configuration.

SPF uses several mechanisms to define authorized senders: 'ip4' and 'ip6' for specific addresses, 'a' for the domain's A record, 'mx' for the domain's MX servers, 'include' for third-party services, and 'all' as a catch-all. The qualifier prefix (+, -, ~, ?) determines what happens when a mechanism matches. SPF has a 10-DNS-lookup limit to prevent abuse, so complex configurations must be carefully optimized.

Syntax & Examples

An SPF record is a TXT record at the domain root:

example.com.    3600    IN    TXT    "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com include:sendgrid.net -all"

Key components: v=spf1 (version identifier, required), ip4:/ip6: (authorized IP ranges), a (domain's own A record), mx (domain's MX servers), include: (third-party sender policies), and the 'all' mechanism with a qualifier: -all (hard fail — reject unauthorized), ~all (soft fail — accept but mark), ?all (neutral), +all (allow all — never use this). A comprehensive example:

example.com.    3600    IN    TXT    "v=spf1 mx a ip4:203.0.113.0/24 include:_spf.google.com include:amazonses.com ~all"

How to Query SPF Records

To query SPF records using dig, run: dig example.com TXT and look for entries starting with v=spf1. For concise output: dig +short example.com TXT | grep spf. Since SPF records are stored as TXT records, you query the TXT type. To follow include mechanisms: dig +short _spf.google.com TXT to see Google's SPF includes.

With nslookup, use: nslookup -type=TXT example.com. On Windows PowerShell: Resolve-DnsName -Name example.com -Type TXT | Where-Object Strings -match 'spf'. To validate your SPF record syntax and check for common issues (like exceeding the 10-lookup limit), use online SPF validation tools. Remember that each 'include', 'a', 'mx', and 'redirect' mechanism counts toward the 10-lookup limit.
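Once you have the TXT strings back from dig or nslookup, the checks described above (exactly one v=spf1 record, a sane 'all' qualifier, and the 10-lookup budget) can be run offline. The following Python linter is an added example, not code from the page or from any SPF library; the sample records are constructed, and the lookup count is a per-record estimate that does not recursively resolve include targets.

```python
import re

# Terms that cost a DNS lookup during SPF evaluation (the 10-lookup budget).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def lint_spf(txt_records):
    """Lint the TXT strings of one domain. Returns the SPF record used,
    the number of lookup-costing terms, the 'all' qualifier and findings."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    findings = []
    if not spf:
        return {"record": None, "lookups": 0, "all": None,
                "findings": ["no SPF record (no TXT string starts with v=spf1)"]}
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published: receivers return PermError")
    record = spf[0]
    lookups = 0
    all_qual = None
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qual = term[0] if term[0] in "+-~?" else "+"   # default qualifier is '+'
        body = term[1:] if term[0] in "+-~?" else term
        # mechanism name precedes ':' (include:x), '/' (a/24) or '=' (redirect=x)
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qual = qual
    if all_qual is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qual == "+":
        findings.append("'+all' authorizes every sender on the internet; never use this")
    elif all_qual == "?":
        findings.append("'?all' is neutral; prefer '~all' during rollout and '-all' after")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}: PermError")
    return {"record": record, "lookups": lookups, "all": all_qual, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: what `dig +short example.com TXT` might return.
    sample = ['"v=spf1 mx a ip4:203.0.113.0/24 include:_spf.google.com include:amazonses.com ~all"'
              .strip('"'), "google-site-verification=constructed-placeholder"]
    result = lint_spf(sample)
    print(f"lookups={result['lookups']} all={result['all']} findings={result['findings']}")
```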

Frequently Asked Questions

What is an SPF record?

An SPF (Sender Policy Framework) record is a DNS TXT record that lists the IP addresses and servers authorized to send email for your domain. Receiving mail servers check this record to verify that incoming email claiming to be from your domain was actually sent from an authorized source.

What is the difference between -all and ~all?

'-all' (hard fail) instructs receivers to reject any email not from an authorized source. '~all' (soft fail) means unauthorized email should be accepted but flagged as suspicious. Use '~all' during initial setup to avoid accidentally blocking legitimate mail, then switch to '-all' once you've verified all senders.

What is the 10-DNS-lookup limit?

SPF has a maximum of 10 DNS lookups per evaluation to prevent denial-of-service attacks. Each 'include', 'a', 'mx', 'ptr', and 'redirect' mechanism counts as one lookup. Exceeding this limit causes a permanent error (PermError), effectively breaking your SPF. Use 'ip4'/'ip6' mechanisms (which don't count) to stay under the limit.

Can I have multiple SPF records?

No, a domain must have only one SPF record (TXT record starting with v=spf1). Having multiple SPF records causes a PermError and SPF checks will fail. If you need to authorize multiple senders, combine them into a single record using include: and ip4:/ip6: mechanisms.

How do I add a third-party sender to my SPF record?

Add an 'include:' mechanism referencing the third-party's SPF domain. For example, for Google Workspace add 'include:_spf.google.com', for SendGrid add 'include:sendgrid.net', for Mailchimp add 'include:servers.mcsv.net'. Always check the provider's documentation for the correct include value.