Email authentication

What is SPF?

SPF, or Sender Policy Framework, is a DNS TXT record that lists which mail servers are allowed to send email for a domain. Receiving mail servers can check that record before deciding how much to trust a message.

Why SPF matters

SPF helps reduce email spoofing by making it harder for an unauthorised server to send mail that appears to come from your domain. It is not a complete email security setup by itself, but it is a core part of modern email delivery alongside DKIM and DMARC.

What an SPF record looks like

An SPF record begins with v=spf1, followed by mechanisms that describe allowed senders, and usually ends with a policy such as -all or ~all.

v=spf1 include:_spf.example.com ip4:203.0.113.10 -all

Common mechanisms

include
Authorises senders listed in another domain's SPF record, often used for email platforms.
ip4 and ip6
Authorise specific IPv4 or IPv6 addresses and ranges.
mx
Authorises the mail exchangers published in the domain's MX records.
-all
Fails mail from senders that are not listed. This is the strictest common ending.
~all
Soft-fails unlisted senders. This is often used while a change is being rolled out or investigated.

Common mistakes

Common SPF problems include publishing more than one SPF record, forgetting a third-party sender, using too many DNS lookups, or leaving the policy too permissive after testing.
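The mistakes listed above can be checked mechanically. The following is an added example, not code from this page: an offline linter whose ZONE data, function names and required_includes parameter are constructed for illustration. It assumes the limit of 10 DNS lookups from RFC 7208, which this page does not state.

```python
# Added example: offline SPF linter. ZONE is constructed sample data, not real DNS.
ZONE = {
    "example.com": ["v=spf1 include:_spf.example.com ip4:203.0.113.10 -all"],
    "_spf.example.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "two.example": ["v=spf1 mx -all", "v=spf1 ip4:203.0.113.10 -all"],
    "many.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " ~all"],
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4 (assumption: not stated on the page)

def spf_records(txts):
    """Keep only TXT strings that are SPF records (version tag v=spf1)."""
    return [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Worst-case count of lookup-causing terms, following include: and redirect=."""
    recs = spf_records(zone.get(domain, []))
    if domain in path or len(recs) != 1:  # loop, missing or ambiguous target
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, target = term.lstrip("+-~?").partition(":")
        name = name.partition("/")[0]  # strip CIDR suffix, e.g. mx/24
        if name in LOOKUP_MECHS:
            total += 1
            if name == "include":
                total += count_lookups(target, zone, path + (domain,))
    return total

def lint(domain, zone, required_includes=()):
    """Return findings for the four mistakes named in the paragraph above."""
    recs = spf_records(zone.get(domain, []))
    if len(recs) != 1:
        return [f"{len(recs)} SPF records published, exactly 1 expected"]
    terms = recs[0].lower().split()[1:]
    findings = [f"missing sender include:{inc}" for inc in required_includes
                if f"include:{inc}" not in [t.lstrip("+") for t in terms]]
    lookups = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups, limit is {LOOKUP_LIMIT}")
    ending = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    has_redirect = any(t.startswith("redirect=") for t in terms)
    if ending != "-all" and (ending or not has_redirect):
        findings.append(f"policy ending is {ending or 'absent'}, not -all")
    return findings
```

To run it against live data, replace ZONE with TXT answers fetched by a resolver of your choice; the lookup count is a worst case, since a real evaluation stops at the first matching mechanism.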

Check a domain's SPF record when you want to know whether SPF is in place.