Glossary

What Is an SPF Record?

Q: What does an SPF record look like?

A typical record is v=spf1 include:_spf.google.com ~all. The v=spf1 tag marks the version, each include or ip4 mechanism authorizes a sender, and the trailing ~all tells receivers to treat everything else as a soft fail.It lives as a DNS TXT record on the root of your domain, and a domain may publish only one SPF record. You can read the exact value any domain serves with our mail domain lookup.

Q: What is the difference between SPF, DKIM, and DMARC?

SPF authorizes which servers may send for your domain. DKIM adds a cryptographic signature that proves a message was not altered in transit. DMARC ties the two together, sets a policy for failures, and sends you reports.They are layers, not alternatives. Modern inbox providers expect all three aligned, which is why we check them together in the DMARC, DKIM, and SPF check.

Q: What is the difference between a hard fail and a soft fail?

The ending mechanism controls this. -all is a hard fail: any sender not listed is explicitly unauthorized, and many receivers reject the message outright. ~all is a soft fail: unlisted senders are suspicious but usually still accepted, often into spam.A bare ?all (neutral) asserts nothing and offers no protection. We flag records ending in ?allor with no “all” rule because they leave a domain open to spoofing.

Definition

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorized to send email for a domain. When a message arrives, the receiving server checks the sending IP against that published record, so inboxes can reject spoofed mail that forges your domain in the envelope sender.

We verify a domain’s entire mail setup, not just the mailbox, and SPF is one of the first things we read. It is a quiet line of DNS text that most senders publish once and forget, yet it decides whether the world believes a message really came from you. Here is what an SPF record is, how it works, how it sits alongside DKIM and DMARC, and where it tends to break.

How an SPF record works

SPF, short for Sender Policy Framework, is a single DNS TXTrecord published on the root of your domain. It enumerates the servers authorized to send email using your domain in the envelope sender. When a receiving server accepts a message, it reads the sending domain’s SPF record and compares the connecting IP against the authorized list. A match means the sender is recognized; no match means the message is handled according to the record’s policy.

Every record begins with the version tag v=spf1 and is built from mechanisms. An includedelegates to another provider’s record (this is how you authorize a marketing platform or help desk), ip4 and ip6 name specific addresses, and a and mx authorize the hosts in those records. A domain may publish only one SPF record, so every sender has to be folded into that single line.

Hard fail, soft fail, and the all mechanism

The record ends with an “all” mechanism that catches every sender not explicitly listed, and the prefix on it is the whole game. -all is a hard fail: unlisted senders are declared unauthorized, and strict receivers reject their mail. ~all is a soft fail: unlisted senders are suspicious but usually still delivered, often to spam. A bare ?all is neutral and asserts nothing, so it offers no real protection. Most domains should run ~all while testing, then tighten to -all once every legitimate sender is covered.

The 10-lookup limit

SPF has a ceiling that surprises a lot of teams: evaluating a record may trigger no more than ten DNS lookups. Each include, a, mx, ptr, and redirect counts toward that budget, and because includes can nest, a single vendor can quietly consume several. Cross the limit and the evaluation returns a permerror, which most receivers treat as if there were no SPF record at all. It is one of the most common silent failures we see: a domain that added one vendor too many and broke authentication for every message without noticing.

SPF vs DKIM vs DMARC

SPF rarely works alone, and it is easy to confuse with its two companions. SPF verifies which servers may send for your domain. DKIM attaches a cryptographic signature to each message so a receiver can confirm the content was not tampered with in transit. DMARC sits on top of both: it tells receivers what to do when SPF or DKIM fails, requires the authenticated domain to align with the visible From address, and sends you reports so you can see who is sending as you.

They are layers, not options. SPF alone can be bypassed by forwarding and does nothing about tampering, which is the gap DKIM fills, and neither one enforces a policy or covers the visible From header, which is what DMARC adds. Inbox providers increasingly expect all three aligned, so we evaluate them as a set in the DMARC, DKIM, and SPF check rather than in isolation.

Why SPF matters for deliverability and anti-spoofing

SPF does two jobs at once. For anti-spoofing, it makes it far harder for an attacker to send phishing mail that forges your domain, because a forged message from an unlisted server fails the check. For deliverability, a passing SPF result is one of the first trust signals a mailbox provider weighs when choosing inbox versus spam. A missing or broken record, or a silent permerror, erodes sender reputation and can bury legitimate campaigns in junk.

Because SPF also underpins DMARC alignment, a misconfigured record quietly undermines the whole authentication stack, not just SPF itself. Confirming a domain’s records before you send is the cheapest deliverability win available, which is why our free email checkersurfaces the domain’s mail configuration alongside each address it verifies.

Common SPF misconfigurations

Most SPF problems are not exotic. They are the same handful of mistakes repeated across thousands of domains, all avoidable once you know to look for them.

Too many lookups. Stacking vendors pushes the record past the ten-lookup ceiling and triggers a permerror. Flatten the record or remove unused includes to stay under budget.
Two SPF records. Publishing more than one v=spf1 TXT record is invalid; receivers see the conflict and may ignore SPF entirely. Merge them into one line.
A missing sender. Forgetting to include a marketing tool or help desk means its mail fails SPF even though it is legitimate.
Ending in ?all or nothing.A neutral or absent “all” mechanism leaves the domain open to spoofing because no sender is ever rejected.
The record on the wrong host. SPF belongs on the root domain in the envelope sender, not on a subdomain that never sends mail.

When we verify a domain’s mail setup, reading its SPF record alongside its MX recordsis part of judging whether it is a real, well-run mail host or a risky one. A clean, single, correctly terminated record under the lookup limit is a positive signal; the mistakes above are red flags. You can audit any domain’s full authentication, including its SPF value, with the mail domain lookup, and the volume tiers for verifying at scale are on the pricing page.

Keep learning

Related terms

SPF is one piece of a wider authentication and deliverability picture. These are the terms most worth understanding next.

DKIM

A cryptographic signature that proves an email was not altered between sender and inbox.

DMARC

The policy layer that ties SPF and DKIM together and tells receivers how to handle failures.

SMTP

The protocol mail servers speak to hand a message from sender to recipient.

MX Record

The DNS record that names which servers receive email for a domain.

Email Verification

Confirming an address is real, reachable, and safe to send to before you send.

Hard Bounce

A permanent delivery failure, usually because the mailbox does not exist.

Check your SPF record, free

Paste a domain into the DMARC, DKIM, and SPF check and see whether SPF passes, where it is over the lookup limit, and how it lines up with DKIM and DMARC, in seconds. No signup.

Run the SPF check Or try the free email checker

Common questions

SPF records, answered

The questions we get most about SPF, answered with the same logic our verification engine uses when it reads a domain's records.

What is an SPF record in simple terms?

It is a single line of text published in your domain’s DNS that names every server allowed to send email as your domain. Think of it as a guest list at the door: if a sending server is on the list, its mail is recognized as legitimate.

The record always starts with v=spf1and ends with an “all” rule that says what to do with senders not on the list. Receiving servers read it automatically on every message, so once it is published you do not touch it again until your sending setup changes.

What does an SPF record look like?

A typical record is v=spf1 include:_spf.google.com ~all. The v=spf1 tag marks the version, each include or ip4 mechanism authorizes a sender, and the trailing ~all tells receivers to treat everything else as a soft fail.

It lives as a DNS TXT record on the root of your domain, and a domain may publish only one SPF record. You can read the exact value any domain serves with our mail domain lookup.

What is the difference between SPF, DKIM, and DMARC?

SPF authorizes which servers may send for your domain. DKIM adds a cryptographic signature that proves a message was not altered in transit. DMARC ties the two together, sets a policy for failures, and sends you reports.

They are layers, not alternatives. Modern inbox providers expect all three aligned, which is why we check them together in the DMARC, DKIM, and SPF check.

What is the SPF 10-lookup limit?

The SPF specification caps a record at 10 DNS lookups during evaluation. Every include, a, mx, ptr, and redirect mechanism counts toward that budget, and nested includes count too.

Exceed it and the record returns a permerror, which most receivers treat as no SPF at all. Teams that add many vendors blow past the limit silently, so flattening the record or trimming unused includes is a common fix.

What is the difference between a hard fail and a soft fail?

The ending mechanism controls this. -all is a hard fail: any sender not listed is explicitly unauthorized, and many receivers reject the message outright. ~all is a soft fail: unlisted senders are suspicious but usually still accepted, often into spam.

A bare ?all (neutral) asserts nothing and offers no protection. We flag records ending in ?allor with no “all” rule because they leave a domain open to spoofing.

Does SPF affect email deliverability?

Yes, directly. A passing SPF result is one of the first signals a mailbox provider weighs when deciding inbox versus spam. A missing, broken, or permerror record drags down sender reputation and can land legitimate mail in junk.

SPF also underpins DMARC alignment, so a misconfigured record quietly undermines your whole authentication stack. Checking it before a campaign is the cheapest deliverability win there is, and the free email checker surfaces the domain’s setup alongside each address.

How does Verifox use SPF when verifying an address?

During the DNS stage of verification, our engine resolves the domain’s MX records and reads its SPF record as part of judging whether the domain is a real, properly configured mail host or a throwaway.

A clean SPF record is one positive signal among the nine checks behind every verdict. You can read the full pipeline on the email verification page.

How do I check or fix my SPF record?

Start by reading what your domain actually publishes, then confirm every legitimate sender (your mail host, marketing platform, support desk) is covered, the lookup count stays under 10, and the record ends in -all or ~all rather than neutral.

Our DMARC, DKIM, and SPF check runs all of that in one pass. For verifying domains and addresses at volume, the tiers are on the pricing page.