MailSlurp logo

blog

What Is an SPF Record? Syntax, Examples, Limits, and Troubleshooting

Learn what an SPF record is, where it is published, how SPF syntax works, and which common failure patterns affect delivery and sender trust.

An SPF record is a DNS TXT record that tells receiving mail systems which hosts are authorized to send mail for a domain. SPF stands for Sender Policy Framework.

If you are searching for spf record, what is spf record, or spf record example, the practical question is usually how to publish a correct sender policy without creating delivery problems later.

Quick answer

An SPF record:

  • lives in DNS as a TXT record
  • lists allowed sender sources
  • helps receivers evaluate whether the sending host is authorized
  • works best when combined with DKIM and DMARC

It is a sender-authorization control, not a complete anti-spoofing system by itself.

Where an SPF record is published

SPF is normally published on the sending domain as a TXT record.

Example:

v=spf1 include:_spf.google.com include:sendgrid.net -all

This record says:

  • v=spf1 declares SPF
  • include: pulls in provider policy
  • -all tells receivers other senders should fail

How SPF evaluation works

The simplified flow:

  1. Receiver reads the envelope sender domain.
  2. Receiver looks up the domain's SPF TXT record.
  3. Receiver evaluates mechanisms in order.
  4. Receiver returns a result such as pass, fail, or softfail.

That result then gets combined with other trust signals such as DKIM, DMARC, content, and reputation.

SPF syntax that matters most

Common mechanisms:

  • ip4 and ip6 for specific IP ranges
  • a and mx for host-based authorization
  • include for external provider policies

Common qualifiers:

  • - hard fail
  • ~ soft fail
  • ? neutral

Most teams understand the syntax quickly. The operational problem is usually whether the record still matches reality.

SPF record examples

Simple example

v=spf1 include:_spf.google.com -all

Mixed provider example

v=spf1 ip4:203.0.113.10 include:sendgrid.net include:amazonses.com ~all

Why examples are not enough

You should never copy a record just because it looks familiar. The correct SPF record depends on your actual sender inventory, domains, subdomains, and routing design.

What SPF does not do

SPF does not:

  • prove message integrity
  • protect the visible From domain on its own
  • guarantee inbox placement

That is why SPF should always be evaluated with:

SPF record limits that break production setups

Too many DNS lookups

Heavy include chains can exceed practical lookup limits and cause permerror.

Multiple SPF records

Publishing more than one SPF record for the same domain is a common mistake and can make the policy invalid.

Stale provider includes

An old sender remains in the record long after it stopped sending.

Missing real senders

A new provider or subdomain started sending mail, but the SPF policy was not updated.

SPF troubleshooting table

Problem Likely cause Fastest check
fail after provider rollout Missing include or IP Compare sender inventory with record
permerror Too many lookups or syntax issue Validate policy structure
SPF pass but DMARC fail Alignment issue Check From-domain strategy
Inconsistent results across systems Different sender paths or forwarding Compare headers and routes

Safe SPF maintenance workflow

Use this sequence when editing sender policy:

  1. inventory all real senders
  2. draft the updated record
  3. validate syntax with SPF checker
  4. publish during a controlled change window
  5. test real messages
  6. confirm DMARC and DKIM still behave as expected

Treat SPF as living infrastructure, not a one-time DNS task.

SPF and forwarding

Forwarding can complicate SPF because the envelope path can change after the original send. That is one reason DKIM often becomes the more stable source of DMARC alignment in forwarded mail paths.

This does not make SPF less important. It just means teams should not expect SPF alone to solve every delivery or spoofing scenario.

Use MailSlurp for SPF work

MailSlurp supports SPF troubleshooting with SPF checker, SPF record generator, and Email header analyzer when DNS and real-message evidence need to be compared together. Create a free account at app.mailslurp.com if you want SPF checks tied to the rest of your email release process.

FAQ

What is an SPF record in simple terms?

It is the DNS policy that tells receivers which servers are allowed to send mail for a domain.

Can I have multiple SPF records?

No. A domain should publish one SPF policy record.

Is ~all or -all better?

That depends on rollout maturity. -all is stronger, but teams often start more permissively while validating sender coverage.

Does SPF improve deliverability?

Yes, as part of a broader authentication stack. On its own it is not enough.

Final take

An SPF record is one of the foundational controls in modern email delivery. The teams that get the most value from SPF are the ones that keep sender inventory current, respect lookup limits, and validate SPF together with DKIM and DMARC.