What Is SPF? Your Domain's Allowed-Senders List, Explained
Published July 1, 2026
SPF (Sender Policy Framework) is a DNS record that publishes the list of servers allowed to send email for your domain. When a mailbox provider receives a message, it looks up that list and checks whether the sending server is on it. SPF is one of the two authentication methods DMARC builds on, but on its own it doesn't check the From address people actually see, which is why it can't stop spoofing by itself.
The allowed-servers list
Email lets any server claim to send for any domain. SPF was the first widely adopted fix: you publish a TXT record in your domain's DNS (the Domain Name System, the public directory that maps names to servers) listing every service authorized to send mail as you: your email provider, your newsletter tool, your invoicing system.
Receivers treat everything not on the list as suspect. If a server in a country you've never done business with sends mail claiming to be your domain, an SPF check fails, and that failure feeds into spam filtering and, when you have DMARC, your published policy.
What receivers actually check
Here is the detail most explanations skip: SPF does not check the From address you see in your mail client. It checks the envelope sender (also called the return-path or MAIL FROM address), which is a hidden address used during the server-to-server handshake, mainly for routing bounces.
The receiving server takes the domain from that envelope address, fetches its SPF record from DNS, and checks whether the connecting server's IP address matches one of the entries. The whole check happens before the message body is even transmitted.
This distinction matters because the envelope domain and the visible From domain are often different, especially with newsletter tools, which usually put their own bounce domain in the envelope. That gap is exactly what DMARC alignment exists to close.
Mechanisms and qualifiers
An SPF record is a single line made of mechanisms (ways to match a sending server) and qualifiers (what to do on a match). The record is evaluated left to right, and the first mechanism that matches decides the result.
| Element | Type | What it means |
|---|---|---|
| ip4: / ip6: | Mechanism | Match a specific IP address or range |
| include: | Mechanism | Pull in another domain's SPF record (how you authorize Google, Microsoft, your ESP) |
| a / mx | Mechanism | Match the IPs of the domain's A or MX records |
| all | Mechanism | Match everything (always last, paired with a qualifier) |
| + (pass) | Qualifier | Authorized; the default if no qualifier is written |
| ~ (softfail) | Qualifier | Not authorized, but treat gently (the usual choice for ~all) |
| - (fail) | Qualifier | Not authorized, fail outright (stricter -all) |
What a real SPF record looks like
A typical record for a business on Google Workspace looks like this: one TXT record at the root of the domain. Read it as: mail from Google's servers passes; everything else is a soft fail.
v=spf1 include:_spf.google.com ~all
The 10-lookup limit
SPF has a hard rule: evaluating a record may trigger at most 10 DNS lookups. Every include:, a, mx, and a few other mechanisms count, and includes nest, so a single include: for one vendor can quietly consume three or four lookups on its own.
Go over 10 and receivers return permerror, which many providers treat the same as a failure. This is the most common way a working SPF record silently breaks: someone adds one more marketing tool, the count crosses 10, and legitimate mail starts failing. If you accumulate services, count your lookups, or use monitoring that counts them for you.
Two reasons SPF alone isn't enough
First, forwarding breaks it. When someone auto-forwards your message (a personal Gmail rule, a university alumni address), the forwarding server becomes the new sender. That server isn't in your SPF record, so the check fails even though the message is completely legitimate. SPF verifies the last server that touched a message, not the original author.
Second, SPF checks the wrong address for anti-spoofing purposes. Because it validates the hidden envelope domain, an attacker can pass SPF for a domain they control while displaying yourcompany.com in the visible From line. DMARC fixes this by requiring alignment: the domain that passes SPF (or DKIM, its cryptographic sibling) must match the From domain the recipient sees. SPF is necessary, but it only becomes anti-spoofing protection when DMARC ties it to the visible sender.
Frequently asked questions
- Can I have more than one SPF record?
- No. A domain must have exactly one SPF TXT record; publishing two causes a permanent error and both are ignored. To authorize multiple services, combine them into one record with multiple include: mechanisms.
- Should I use ~all or -all?
- Start with ~all (softfail). Once DMARC is at enforcement, the practical difference shrinks because DMARC's policy governs what happens to failing mail, and ~all avoids hard-failing legitimate forwarded messages during your rollout.
- My SPF passes. Why does DMARC still fail?
- Almost always alignment: SPF passed for a different domain (usually your email tool's bounce domain) than the one in your visible From address. DMARC needs the passing domain to match the From domain.
Keep reading
Reading about it is step one
DMARCPath does the watching for you: every sender identified, every failure explained, and a guided path to p=reject. One domain free, forever.
Start monitoring free →