Email Deliverability Glossary

SPF (Sender Policy Framework)

An authentication protocol that specifies which mail servers are authorized to send email for your domain. Published as a DNS TXT record checked on every inbound message.

How SPF works:

  1. You publish an SPF record in your DNS as a TXT record: v=spf1 include:_spf.example.com ~all
  2. When a receiving server gets an email claiming to be from your domain, it checks the SPF record
  3. If the sending IP is listed as authorized, the email passes SPF
  4. If not authorized, it fails (with consequences depending on your DMARC policy)

SPF softfail vs. hardfail:

  • ~all (softfail): Unauthorized sends are flagged but not rejected. Recommended during initial setup.
  • -all (hardfail): Unauthorized sends are rejected. Use only when you're confident all legitimate senders are in your SPF record.

SPF 10-lookup limit: SPF allows a maximum of 10 DNS lookups (nested includes count). Exceeding this causes an SPF PermError, which counts as a failure. Use SPF flattening tools if you're approaching the limit.

SPF and forwarding: SPF breaks for forwarded email because the forwarding server's IP is not in your SPF record. This is why DKIM + DMARC are also required — DKIM survives forwarding.

Frequently Asked Questions

How do I set up an SPF record?

Add a TXT record to your domain's DNS with the format: v=spf1 [include statements] [all]. The include statements list all services authorized to send email from your domain. For Google Workspace: include:_spf.google.com. For SendGrid: include:sendgrid.net. For multiple senders: v=spf1 include:_spf.google.com include:sendgrid.net ~all. After publishing, verify it's working by sending a test email to a Gmail address, opening the original message source, and looking for 'spf=pass' in the Authentication-Results header. Use ~all (softfail) initially and only switch to -all (hardfail) after confirming all legitimate senders are listed.

What is the SPF 10-lookup limit and how do I fix it?

SPF allows a maximum of 10 DNS lookups when processing an SPF record. Each 'include:' statement counts as one lookup, and nested includes within those records count toward the same limit. Exceeding 10 lookups causes an 'SPF PermError' which is treated as an SPF failure. This is common for senders using multiple ESPs, marketing platforms, and CRMs that each require their own include statement. The fix is SPF flattening: resolve all the nested includes to their underlying IP addresses and list those directly, eliminating the need for lookup chains. Services like dmarcly.com and easydmarc.com offer automatic SPF flattening.

Does SPF prevent email spoofing?

SPF prevents spoofing of the envelope sender (MAIL FROM / Return-Path) domain, but not the visible From address in email clients. This means SPF alone doesn't prevent a sophisticated spoofer from using your domain in the From address that recipients see, while using a different envelope sender that passes SPF. DMARC closes this gap by requiring SPF or DKIM to align with the From domain — the domain recipients actually see. With DMARC enforcement (p=quarantine or p=reject), unauthorized senders using your From domain are blocked or quarantined even if their envelope sender passes SPF on a different domain.
