SPF (Sender Policy Framework)

What is SPF (Sender Policy Framework)?

SPF is a DNS-based email authentication method that specifies which mail servers are authorized to send email for your domain. It’s like a “guest list” for mail servers: if a server isn’t listed in your SPF record, it shouldn’t be sending mail on your behalf.

Why it matters

SPF prevents spammers from impersonating your domain. Without it, anyone could spoof your email address and send fraudulent messages. This not only puts your brand at risk but also impacts Email Deliverability. A correct SPF record signals to ISPs that your emails are trustworthy.

How it works

You publish a TXT record in your domain's DNS specifying the servers or ESPs authorized to send your emails. When a receiving server gets a message claiming to be from your domain, it checks the SPF record to see if the sending server is listed. If yes, SPF passes. If not, the message fails and may be rejected or marked as spam.

Examples

• A startup adds AutoSend’s sending IPs to its SPF record.

• A corporate domain includes both Office 365 and AutoSend in the same SPF record.

• A misconfigured SPF record causing valid mail to bounce.

Best practices

• Keep your SPF record short and avoid too many include statements (DNS lookups are limited to 10).

• Update your SPF whenever you add or remove an ESP.

• Use SPF in conjunction with DKIM and DMARC.

Related terms

DKIM, DMARC, MX Record

FAQs

What happens if my SPF record is too long?
SPF records can only have up to 10 DNS lookups. If you exceed this limit, SPF will break and fail validation, even for authorized servers. The solution is to consolidate providers or use subdomains.

Do subdomains inherit SPF?
No, not automatically. Each subdomain needs its own SPF record if it sends mail. Otherwise, SPF checks may fail.

Is SPF alone enough to stop spoofing?
No. SPF only verifies the sending server. A malicious sender could still alter the “From” header. That’s why you also need DKIM and DMARC for full protection.