SPF Record Complete Guide: Mechanisms, Lookup Limits, Flattening & Authentication

From v=spf1 to -all — the complete guide to Sender Policy Framework (SPF) records, mechanisms, DNS limits, and email authentication.

📅 Published June 2026· ⏳ 14 min read· ✍️ ToolsNovaHub Editorial Team
🛠️ Related tool: Open SPF Lookup →

What Is SPF and Why Do You Need It?

SPF (Sender Policy Framework), defined in RFC 7208, is an email authentication protocol that lets domain owners publish a list of IP addresses authorized to send email on behalf of their domain. Without SPF, anyone can forge your domain in the "From" address and send email impersonating your organization — a technique at the core of phishing attacks, business email compromise (BEC), and spam campaigns.

With SPF, receiving mail servers query DNS for your SPF record, check the sending IP against your authorized list, and either pass, softfail, or fail the message. Combined with DKIM and DMARC, SPF forms the complete email authentication triad that protects your domain's reputation and your recipients' inboxes.

Anatomy of an SPF Record

An SPF record is a DNS TXT record at your root domain with a specific format:

v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:sendgrid.net -all

Breaking this down:

  • v=spf1 — Required version tag. Identifies this as an SPF record.
  • ip4:203.0.113.0/24 — Authorize all IPs in this CIDR range directly (no DNS lookup).
  • include:_spf.google.com — Delegate to Google's SPF record (1 DNS lookup).
  • include:sendgrid.net — Delegate to SendGrid's SPF record (1 DNS lookup).
  • -all — Hardfail: reject email from any IP not matching above mechanisms.

The Critical 10 DNS Lookup Limit

RFC 7208 hard-limits SPF evaluation to 10 DNS-resolving lookups. Each a:, mx:, include:, exists:, and redirect= mechanism triggers one lookup. ip4: and ip6: mechanisms are free — they never trigger DNS lookups.

The problem: include: mechanisms are recursive. Including Google's SPF record might pull in 3–4 sub-includes, each consuming a lookup. Add Salesforce, Mailchimp, Zendesk, HubSpot — and you're past 10 before you know it. Exceeding 10 lookups causes a PermError, which many receiving servers treat the same as SPF fail — legitimate emails from your authorized senders may be rejected.

Use our SPF Lookup tool to instantly count DNS lookups in your current SPF record. It highlights the count in red when you exceed 10.

SPF Flattening: The Solution to Lookup Limits

SPF flattening replaces include: mechanisms with the actual ip4: and ip6: ranges they resolve to. Instead of include:_spf.google.com (which triggers lookups), you list Google's actual sending IP ranges directly:

v=spf1 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ... -all

The tradeoff: you must manually update when your email providers change their IP ranges. Some providers offer dynamic SPF management services that automate this. For most small-to-mid organizations, quarterly audits with our SPF Lookup tool catch changes before they cause delivery problems.

SPF Qualifiers and Their Real-World Effects

-all (hardfail): Unauthorized senders are rejected. Combined with a DMARC p=reject policy, this is the gold standard for anti-spoofing protection. Zero tolerance for unauthorized senders.
~all (softfail): Unauthorized senders are accepted but marked. Gmail delivers softfail messages to spam with a warning header. Appropriate during SPF setup/migration, but should eventually be hardened to -all.
?all (neutral): No enforcement. Functionally equivalent to having no SPF — does not protect your domain from spoofing. Should never be used in production.
+all (passall): Authorizes literally every IP in the world. Catastrophically wrong — completely disables SPF protection. Never use this.

SPF, DKIM, and DMARC: The Complete Picture

SPF validates the sending IP but doesn't validate the message body or headers. DKIM adds a cryptographic signature to email headers, verified against a public key published in DNS — DKIM survives forwarding where SPF doesn't. DMARC ties both together:

  • DMARC passes if either SPF or DKIM passes AND the relevant domain is aligned with the From: header domain.
  • DMARC policy (p=none/quarantine/reject) controls what happens to messages that fail.
  • DMARC RUA reports show you exactly which IPs are sending as your domain — both legitimate and malicious.

Read the full comparison in our guide: SPF vs DKIM vs DMARC.

Common SPF Mistakes to Avoid

  • Multiple SPF records: Only one TXT record with v=spf1 is allowed per domain. Multiple records cause PermError.
  • Forgetting transactional email services: Sendgrid, Mailchimp, HubSpot, Zendesk — each needs an include: or ip4: in your SPF.
  • Not covering subdomains: SPF only applies to the exact domain queried. email.example.com needs its own SPF record.
  • Leaving ?all or +all: Either renders SPF useless for anti-spoofing. Always end with ~all (during testing) or -all (production).
  • Forgetting to check lookup count: Use our SPF Lookup tool regularly as you add new email services.

Related Tools

Check your mail server setup with MX Lookup. Query all DNS records with DNS Lookup. Validate email addresses with Email Checker. For understanding the IPs your SPF authorizes, use IP Range Calculator. Also read: MX Record Complete Guide and SPF vs DKIM vs DMARC.

FAQ

What is an SPF record? +
SPF (Sender Policy Framework) is an email authentication DNS TXT record that lists IP addresses authorized to send email for your domain. Receiving servers check it to detect spoofing.
What does v=spf1 mean? +
v=spf1 is the required version tag at the start of every SPF record. It identifies the TXT record as an SPF policy to DNS resolvers and receiving mail servers.
What is the difference between ~all and -all? +
~all (softfail) = accept but mark suspicious. -all (hardfail) = reject unauthorized senders. Use -all in production for maximum anti-spoofing protection.
What is the SPF 10 DNS lookup limit? +
RFC 7208 limits SPF to 10 DNS-resolving lookups per evaluation. Exceeding this causes PermError, which many servers treat as SPF fail. ip4: and ip6: don't count toward the limit.
What is SPF flattening? +
Replacing include: mechanisms with explicit ip4:/ip6: ranges to eliminate DNS lookups and stay under the 10-lookup limit. Requires manual updates when providers change their IPs.
Can a domain have multiple SPF records? +
No. RFC 7208 requires exactly one v=spf1 TXT record per domain. Multiple records cause PermError and break SPF authentication.
What is the include: mechanism? +
include: delegates SPF evaluation to another domain's SPF record. Each include: triggers 1 DNS lookup. include:_spf.google.com adds Google's authorized sending IPs to your policy.
What does SPF pass mean? +
The sending IP matched an authorized mechanism in the SPF record. The email appears to come from an IP the domain owner approved.
What does SPF fail mean? +
The sending IP is not authorized. With -all, receiving servers may reject the message. Combined with DMARC p=reject, it's blocked before reaching the inbox.
Is SPF Lookup free? +
Yes — completely free, unlimited lookups, no signup. Queries use Google's public DNS-over-HTTPS resolver and parse results instantly in your browser.
Try it yourself — 100% free
🚀 Open SPF Lookup

🔗 More Guides