What Is an SPF Record?
Understanding SPF records and email authentication
Table of Contents
What Is an SPF Record?
An SPF record is a DNS TXT record that specifies which mail servers are authorized to send emails for a domain. SPF records enable email authentication by telling receiving mail servers which IP addresses and servers are allowed to send emails for a domain.
SPF records use mechanisms (ip4, ip6, include, a, mx, all) to specify authorized senders and qualifiers (+, -, ~, ?) to specify how to handle unauthorized senders. SPF records are published as TXT records in DNS and are essential for email authentication and preventing email spoofing.
Check SPF records using our SPF lookup tool to verify email authentication configuration. Learn more about SPF and TXT records.
SPF Record Format
Record Format
SPF records follow this format: v=spf1 mechanism1 mechanism2 ... qualifier
Example SPF Record
v=spf1 ip4:192.0.2.1 include:_spf.google.com -all
- v=spf1: SPF version 1
- ip4:192.0.2.1: Authorize IPv4 address
- include:_spf.google.com: Include Google's SPF
- -all: Fail all other IPs
Version Identifier
All SPF records must start with v=spf1 to identify the SPF version.
Mechanisms
SPF records use mechanisms to specify authorized senders (ip4, ip6, include, a, mx, all).
Default Qualifier
If no qualifier is specified, + (pass) is the default.
SPF Mechanisms
SPF mechanisms specify authorized senders:
ip4 and ip6
ip4:192.0.2.1 or ip6:2001:db8::1 - Authorize specific IPv4 or IPv6 addresses or ranges.
include
include:_spf.google.com - Include SPF records from other domains (commonly used for email service providers).
a
a or a:example.com - Authorize IPs from domain's A records.
mx
mx or mx:example.com - Authorize IPs from domain's MX records.
all
all - Match everything else (used with qualifiers to specify default action).
SPF Qualifiers
SPF qualifiers specify how to handle senders:
+ (Pass)
+ip4:192.0.2.1 - Authorize sender (default, can be omitted).
- (Fail)
-all - Explicitly reject unauthorized senders.
~ (Softfail)
~all - Mark as suspicious but accept (used for monitoring).
? (Neutral)
?all - No policy (neither pass nor fail).
Best Practice
Use -all for strict policy, ~all for testing, and avoid ?all.
Checking SPF Records
1. SPF Lookup Tools
Use our SPF lookup tool to query SPF records and verify email authentication configuration.
2. Command Line Tools
Use command-line tools (dig) to query TXT records: dig TXT example.com
3. Email Authentication Check
Use our email authentication checker to verify SPF authentication is working correctly.
4. Verification
Verify SPF records are published correctly, syntax is valid, and all authorized mail servers are included.
5. Testing
Test SPF authentication by sending emails and checking SPF results in email headers.
