Question 1

What is an SPF record?

Accepted Answer

An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. It helps prevent email spoofing by allowing receiving servers to verify that incoming mail from your domain comes from an authorized source. A typical SPF record starts with 'v=spf1' followed by mechanisms like 'include', 'ip4', 'mx', and ends with an 'all' qualifier.

Question 2

What is the 10 DNS lookup limit?

Accepted Answer

RFC 7208 restricts SPF evaluation to a maximum of 10 DNS lookups. Mechanisms that count toward this limit include 'include', 'a', 'mx', 'ptr', 'exists', and 'redirect'. IP-based mechanisms like 'ip4' and 'ip6' do not count because they don't require DNS resolution. Exceeding 10 lookups causes a 'permerror', which means SPF validation fails entirely and your emails may be rejected or flagged as spam.

Question 3

Which SPF qualifier should I use?

Accepted Answer

The recommended qualifier is '~all' (softfail) for most setups, especially during initial deployment. It marks unauthorized emails as suspicious without outright rejecting them. Once you've confirmed all legitimate senders are included, switch to '-all' (fail) for maximum protection. Avoid '?all' (neutral) as it provides no protection, and never use '+all' (pass) as it allows anyone to send as your domain.

Question 4

How do I add authorized senders to my SPF record?

Accepted Answer

To authorize senders, use the appropriate SPF mechanism: 'include:' for third-party email services (e.g., include:_spf.google.com for Google Workspace), 'ip4:' or 'ip6:' for specific server IP addresses, 'mx' to authorize your domain's mail exchange servers, and 'a' to authorize your domain's A record IP. Each email service provider will tell you which include or IP to add.

Question 5

How do I add an SPF record to my DNS?

Accepted Answer

To add an SPF record: (1) Log into your DNS provider or domain registrar's control panel. (2) Navigate to DNS management for your domain. (3) Create a new TXT record. (4) Set the host/name to '@' (or leave blank for the root domain). (5) Paste your generated SPF record as the value. (6) Save the record. DNS propagation typically takes 5 minutes to 48 hours. You can only have one SPF record per domain — if one already exists, update it instead of creating a new one.

SPF Record Generator

Include Domains (include:)

Authorized IPv4 Addresses (ip4:)

Authorized IPv6 Addresses (ip6:)

Additional Mechanisms

Policy for Unauthorized Senders (all)

Redirect Domain (optional)

Frequently Asked Questions

Related Tools

SPF Checker

SPF Flattener

DMARC Checker