Understanding SPF (Sender Policy Framework) and email authentication
SPF (Sender Policy Framework) is a DNS-based email authentication protocol that specifies which mail servers are authorized to send emails for a domain. SPF records are published in DNS and list authorized sending IP addresses and servers.
When an email is received, the receiving server checks the SPF record to verify the sending server is authorized. SPF prevents email spoofing, improves deliverability, and helps ISPs identify legitimate senders.
SPF is one of three main email authentication protocols (SPF, DKIM, DMARC). Check your SPF records and use our email authentication checker to verify SPF is properly configured.
Domain owners publish SPF records in DNS as TXT records, specifying which mail servers are authorized to send emails for the domain.
When an email is sent, it includes the sender's domain in the "From" address.
Receiving mail servers perform SPF checks by querying DNS for the sender's domain SPF record.
The receiving server verifies whether the sending IP address is listed in the SPF record as authorized.
SPF check results (pass, fail, softfail, neutral, none) are recorded in email headers and used for deliverability decisions.
SPF results are combined with DKIM results and evaluated against DMARC policies.
SPF records are DNS TXT records in this format: v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all
For example, the record v=spf1 ip4:192.0.2.1 include:_spf.google.com -all authorizes the IP 192.0.2.1, includes Google's SPF record, and fails all other IPs.
SPF checks produce specific results:
Pass: The sending IP is authorized according to the SPF record. This is the desired result for legitimate emails.
Fail: The sending IP is explicitly not authorized. Emails with fail results are often rejected or marked as spam.
Softfail: The sending IP may not be authorized, but the policy suggests accepting the email with caution. Often used for monitoring.
Neutral: The SPF record doesn't specify authorization status for this IP. Provides no authentication benefit.
None: No SPF record found for the domain. Missing SPF records hurt deliverability and increase spam filtering.
List all mail servers and IP addresses authorized to send emails for your domain, including ESPs and third-party services.
Create an SPF record including all authorized IPs and services. Use include: for third-party services like email providers.
Publish the SPF record as a TXT record in your domain's DNS, typically at the root domain (e.g., example.com).
Use our SPF lookup tool to verify the record is published correctly.
Send test emails and use our authentication checker to verify SPF passes.
Monitor SPF authentication results in email headers to ensure proper configuration.
Verify SPF configuration and results:
Use our SPF lookup tool to check if SPF records are published and formatted correctly.
Use our comprehensive authentication checker to verify SPF authentication is working correctly.
Review Received-SPF or Authentication-Results headers in emails to verify SPF results.
Monitor email deliverability and spam filtering to ensure SPF is helping, not hurting, deliverability.
Update SPF records when adding or changing mail servers or email service providers.