Mailtrap Blog

SPF Record Explained

Today, an SPF record is a MUST-have DNS record for reliable email delivery. It is a type of email authentication to protect your emails from being forged. This secures your reputation from phishers and spoofers. Find out more about the Sender Policy Framework to increase the credibility of your product.

What is an SPF record?

One of the DNS resource records is TXT. It is mostly used to denote facts about the domain and provide information to outside sources. It’s a must have for email authentication. For example, an email comes from some server to your internet service provider (ISP). ISP can use a dedicated TXT type record, SPF record, to authenticate the email. This record contains data about the trusted servers authorized by your domain. So, your ISP can identify a source an email is coming from and detect a forged email. SPF or Sender Policy Framework is a primary but not the only standard to authenticate your email. 

Email authentication standards – what are they for?

SMTP can’t protect your app from such frauds as email spoofing, phishing, and spam. It lacks a feature that would identify the origin of an email message and validate its domain. Email authentication can do the job. 

There are three widely adopted standards to authenticate emails: SPF, DKIM, and DMARC. In brief, each of them does the following:

SPF, DKIM, and DMARC differ in technical implementation, but all they draw on DNS records. You can also encounter other authentication methods like ADSP, Sender ID, iprev, and so on. Some of them are either unclaimed or have been deprecated. 

Sender Policy Framework or SPF

Sender Policy Framework appeared officially as an experimental standard in 2006. Eight years later, SPF was approved as a proposed email authentication standard

In plain English, SPF is a protocol according to which the mail servers decide whether to receive or reject an incoming email. The decision is made using the SPF information in TXT records as for the list of authorized IP addresses within a particular domain. If the email has been sent from one of these addresses, it’s not forged and can be let in. 

When you need SPF 

If your digital product sends transactional or even commercial messages, make sure to implement Sender Policy Framework. This is a thing required by internet service providers so far. If you don’t have a valid SPF record, or it is incorrect, your ISP might run secondary email filtering. Failed SPF authentication means that your email will be recognized as spam or even blocked. 

SPF scares off spammers and phishers by filtering out forged emails. It keeps your product reputation spotless. But, to complete the picture, it is better to implement a full-scale email authentication (SPF + DKIM + DMARC).

Cons of SPF email authentication

Common SPF misconceptions

SPF is a necessary measure , but it is not a silver bullet against spoofing. Make sure you are aware of the following misconceptions to use the framework correctly. 

SPF works with the envelope-from address (return pass) of email. It is invisible to the user unlike the header-from address, which refers to the message content. Hence, an SPF record can’t protect the visible address of the sender.

The framework leverages spam filtering systems to check emails. Also, it protects against forged messages from a specific domain. However, it does not offer significant improvements in terms of fighting spam. More on this, you can learn in the blog post about how to avoid emails going to spam.

Actually, the mail server sending a message is being authorized according to the SPF record. So, the framework works at the domain level. 

Keep in mind that you can have only one SPF record. Otherwise, you’ll get ‘permerror’ – an error indicating that the retrieved SPF policy record could not be interpreted. 

Even if you have all the messages authorized according to DKIM, you still need an SPF record to identify the domain. Moreover, the Sender Policy Framework is required within cloud services and IPv6 networks. So, the best way to combat spoofing and secure your email is to implement SPF, DKIM, and DMARC.

How does SPF work?

In general, the SPF in action consists of the following steps:

For example, a server with IP address ‘’ has sent an email from ‘’. During the SPF check, the inbound server will query the ‘’ domain to see if this particular IP address is authorized to send the email.

A successful result will increase the odds of an email making its way to an inbox. A failed SPF will likely lead to a message landing in spam or a virtual trash bin.

SPF record syntax

First, let’s anatomize a simple SPF record example.

“v=spf1 +a +mx -all”

v = spf1 is a version number of the current record, and the rest are Mechanisms, Qualifiers, and Modifiers to specify different rules of SPF check. Here is what you can set up in your SPF record.

+Accept. The host is allowed to send a message+
Reject. The host is not allowed to send a message
~Accept but mark. The host is not allowed to send a message but is in transition (the mechanism is for testing purposes)~
?Accept. The host validity is unstated?
aDefines the DNS A record of the domain as authorized. If unspecified, the current domain is useda
allDefines policy for all other sourcesall
existsChecks validity of an A record for a provided domainexists:<domain>
includeIncludes the specified domain as authorized. If the domain does not have a valid record, you’ll get ‘permerror’include:<domain>
ip4Defines the IPv6 network range. Can be used with prefix, which denotes the range length. If no prefix is specified, /32 is the defaultip4:<ip4-address>
ip6Defines the IPv6 network range. Can be used with prefix, which denotes the range length. If no prefix is specified, /128 is the defaultip6:<ip6-address>
mxDefines the DNS MX record of the domain as authorized. I.e., the message must be sent by one of the domain’s incoming mail
ptr [deprecated]Defines the reverse hostname and subdomain of the sending IP address.ptr
expSpecifies the explanation that a sender will see if the message has been rejectedexp=<domain>
redirectReplaces domain with the current recordredirect=<domain>

What you should keep in mind:

Now, let’s put this knowledge into practice. 

Create an SPF record for your domain

Step 1 – Preparation

Step 2 – DNS control panel

Step 3 – SPF record

ip4: ip6:2a13:c025:e4:7a01:bc72:dcb5:7a13 or

That’s how the most common SPF record looks like:

"v=spf1 a mx -all"

Here, all A and MX records in this domain are authorized to send emails. Emails from anything beyond will be rejected. 

SPF record for multiple domains

Let’s say you have a primary domain – with a record like this one v=spf1 a mx -all. And you need to make an SPF record for multiple domains like and 

The “include” mechanism allows you to designate other domains that are independent from your primary one. For example, might send mail using and

v=spf1 -all

Also, you can point to your primary domain by adding in SPF records of your secondary domains: 

v=spf1 -all

This will apply the rules from the primary domain for the secondary ones. 

Keep in mind that you cannot have more than one TXT record for SPF for a domain.

Can I split a large SPF record?

What if your SPF record looks like this?

v=spf1 a mx ip4: ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e -all

It matches the requirement of 255 characters per string, but still it is very long. Hence, you can split it into several records that will be included in the main SPF record. Here is how it may go: TXT

v=spf1 a mx -all TXT

v=spf1 ip4: ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e -all TXT

v=spf1 -all TXT

v=spf1 -all

That’s it. All these records will be checked as one after the DNS update.

Validate your SPF record

The last thing we advise you to do it to validate your SPF record. Luckily, there are a bunch of actionable tools like SPF Record Check or SPF Syntax Validator. This will troubleshoot your record and prevent the annoyance in the future. 

How to create an SPF record using my DNS provider?

You can create and manage your SPF records using a respective console or control panel of you DNS provider. Some services give detailed instructions or guides on how to create TXT records. Below, you’ll find links to the guides of some top-rated providers. 

Also, we’ve collected a list of SPF specs for popular email providers so you can copy and paste them in your TXT record.

Email service providerSPF record
Gmailv=spf1 ~all
Sendgridv=spf1 ~all
MailChimpv=spf1 ?all
Mandrillv=spf1 ?all
Mailgunv=spf1 ~all

Once you’ve set up your SPF record, you can proceed to DKIM and DMARC protocols, we’ve also explained on the Mailtrap Blog.

Exit mobile version