ipdetecto.com logo
ipdetecto.com
My IPSpeed
Knowledge Hub
HomeKnowledge HubUnderstanding Spf
© 2026 ipdetecto.com
support@ipdetecto.comAboutContactPrivacyTermsllms.txt
Corporate
5 MIN READ
Apr 18, 2025

Understanding SPF (Sender Policy Framework): Who Can Send Your Mail?

SPF is a DNS TXT mechanism (RFC 7208) that lists which hosts may use your domain in MAIL FROM. Learn mechanisms, qualifiers, DNS lookups, and why SPF alone never proves From: header alignment.

What SPF actually authorizes

SPF (Sender Policy Framework), standardized in RFC 7208, publishes a DNS TXT record at the domain (or HELO name) that describes which IPv4/IPv6 addresses and delegated includes are permitted to appear in the SMTP envelope sender (MAIL FROM) for that domain. Receivers perform a DNS tree walk: mechanisms such as ip4:, ip6:, a, mx, and include: are evaluated left to right until a mechanism matches the connecting client IP, producing a pass, or the list ends.

SPF does not cryptographically sign message bodies and does not directly validate the visible From: header users see—that alignment is handled by DMARC when combined with DKIM or SPF domain alignment. Treating SPF as a complete anti-phishing solution is a common architectural mistake.

Mechanisms, qualifiers, and the all terminator

A typical record: v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all. The v=spf1 sentinel identifies SPF. Each mechanism may carry a qualifier: + pass (default), - fail, ~ softfail, ? neutral. The all mechanism matches any address and should appear last; most receivers stop evaluation at the first match, so order matters for performance and security.

  • include: dereferences another domain’s SPF record and inherits its evaluation (counts toward the DNS lookup limit of 10 total queries per RFC 7208).
  • redirect= (modifier) changes the domain whose record is evaluated—use sparingly; misconfiguration loops break mail.
  • exists:%{i}.example.com and macros exist for advanced policy but increase complexity and lookup cost.

DNS limits and operational pitfalls

Exceeding 10 DNS lookups during SPF evaluation causes a permerror, which many large receivers treat like a fail. Chaining many include: ESPs quickly hits the cap—flatten critical includes to ip4/ip6 blocks via automation if your architecture requires it, and monitor ESP IP changes.

Multiple SPF TXT records for the same name also yield permerror: there must be exactly one SPF TXT per applicable DNS owner name. Merge vendors into a single record.

SPF + mailing lists: forwarding breaks SPF alignment because the envelope sender often becomes the list’s domain while the body still shows the original author—this is why DKIM + DMARC alignment matters for indirect mail paths.

Sample policies

Strict reject for anything not explicitly listed: v=spf1 ip4:198.51.100.10 -all. Soft signal while monitoring: v=spf1 include:_spf.example.net ~all. Prefer tightening to -all once logs show no legitimate stray sources.

Verification workflow

Use dig TXT example.com or your DNS provider UI to confirm a single TXT beginning with v=spf1. Then send a test message through each outbound path (Google Workspace, marketing ESP, ticket tool) and inspect Authentication-Results headers on a mailbox you control. Pair SPF with DKIM and DMARC; follow the combined SPF/DKIM/DMARC setup guide for rollout order.

Confirm the public egress IPs your MTAs use before encoding them in SPF.

Frequently Asked Questions

Q.Can I have multiple SPF records?

No. Multiple SPF TXT records for the same DNS owner cause permerror. Combine all authorized senders into a single v=spf1 line, respecting the 10-DNS-lookup limit.

Q.What is the difference between ~all and -all?

~all (softfail) suggests receivers treat non-matching senders as suspicious but not automatically forged; -all (fail) asks receivers to reject or strongly penalize non-matching sources. Use ~all during monitoring, then move to -all when coverage is complete.

Q.Does SPF stop CEO phishing in the From header?

Not by itself. SPF validates the envelope sender domain. A phisher can pass SPF for their own domain while spoofing the display name. DMARC alignment with DKIM or SPF for the organizational From domain is what addresses lookalike From abuse.

Q.Why do includes count toward a limit?

RFC 7208 caps DNS-induced load at 10 mechanisms that trigger additional queries (includes, redirects, nested a/mx lookups). Beyond that, evaluation fails with permerror.

Q.What breaks SPF for forwarded mail?

Forwarding often changes MAIL FROM to the forwarder’s domain while keeping the original From header, breaking SPF alignment for the author domain. DKIM signatures can survive some forwards; DMARC policies must account for mailing lists and ARC-trusted intermediaries.

Q.How often should I review SPF?

After every ESP or cloud relay change, IP migration, or acquisition. Automate TXT drift detection in CI for domains tied to production mail.
TOPICS & TAGS
spf recordsender policy frameworkemail authenticationdns recordstop spoofingunderstanding spf sender policy framework guide 2026authorized guest list for your business domain mailfoundation of email security and stopping impersonatorshow to set up approved sender lists via dns recordspreventing email spoofing with one simple text linecombining google and mailchimp into one spf recordcommon mistakes with multiple spf records explainedit guide to achieve perfect inbox delivery via spfwhy emails without spf are flagged as suspicioustechnical tutorial for combining multiple authorized sendersimpact of soft fail tilde all on email deliverabilitysecuring your domain identity from global phishingverifying your server authorization with dns queriescornerstone of email trust for every small businessfuture of domain based sender authorization protocols