Sender Policy Framework (SPF)
Why SPF Is Important
Without SPF, anyone can send email that appears to come from your domain. Attackers routinely spoof sender addresses to make phishing emails look legitimate. An email from admin@yourdomain.com is much more convincing when your domain has no SPF record to contradict the forgery.
SPF alone does not prevent spoofing because it only checks the envelope sender (the Return-Path), not the From header that users see. This is why SPF must be combined with DKIM and DMARC for complete email authentication. SPF handles the "who is allowed to send" question, DKIM handles "is the message intact," and DMARC ties them together with a policy.
A common SPF mistake is exceeding the 10 DNS lookup limit. SPF evaluation requires resolving include, a, mx, and redirect mechanisms (ptr and exists count as well), and the spec limits the whole evaluation to 10 lookups, including those triggered inside the records you include. Exceeding this limit causes SPF to return a permanent error (PermError), which many receivers treat the same as a fail. Flattening SPF records or reducing includes helps stay within the limit.
Configuration Reference
| SPF Mechanism | Purpose | Example |
|---|---|---|
| include | Authorize third-party senders | include:_spf.google.com |
| ip4 | Authorize a specific IPv4 address or range | ip4:192.168.1.0/24 |
| a | Authorize domain's A record IPs | a:mail.example.com |
| mx | Authorize domain's MX IPs | mx |
| ~all | Soft fail non-matching | Recommended during testing |
| -all | Hard fail non-matching | Recommended for production |
Checking Your Setup
Use a DNS health checker to verify your SPF record is present, syntactically correct, and within the 10-lookup limit. The tool validates each mechanism in the record and checks that all included domains resolve correctly. Run a check after adding any new email sending service.
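The lookup-limit rule above and the record check in this section can be applied offline to the text of a record. The following is an added example, not code from the original page or from any particular checker tool: it splits an SPF TXT record into terms, counts the lookup-incurring mechanisms, and flags the problems the page describes (too many lookups, missing all, ~all still in use). The sample records are constructed, and since nothing is resolved, the lookup count is a floor that ignores lookups nested inside included records.

```python
# Terms that each consume one of the 10 permitted DNS lookups (RFC 7208 s4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Terms that cost no lookup toward the limit.
FREE_TERMS = {"ip4", "ip6", "all", "exp"}
QUALIFIERS = "+-~?"
MAX_LOOKUPS = 10

def parse_spf(record: str) -> dict:
    """Split an SPF TXT record into (qualifier, name, value) terms, count the
    lookup-incurring terms and report syntax/policy problems. Offline only:
    included records are not fetched, so the lookup count is a lower bound."""
    result = {"terms": [], "lookups": 0, "all_qualifier": None, "problems": []}
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        result["problems"].append("record must start with v=spf1")
        return result
    for raw in parts[1:]:
        qualifier, term = "+", raw
        if term and term[0] in QUALIFIERS:      # explicit +, -, ~ or ? prefix
            qualifier, term = term[0], term[1:]
        if "=" in term:                         # modifier, e.g. redirect=_spf.example.com
            name, value = term.split("=", 1)
        elif ":" in term:                       # mechanism with an argument
            name, value = term.split(":", 1)
        else:                                   # bare mechanism such as mx or a/24
            name, _, value = term.partition("/")
        name = name.lower()
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        elif name not in FREE_TERMS:
            result["problems"].append(f"unknown term: {raw}")
        if name == "all":
            result["all_qualifier"] = qualifier
        result["terms"].append((qualifier, name, value))
    if result["lookups"] > MAX_LOOKUPS:
        result["problems"].append(
            f"{result['lookups']} DNS lookups exceed the limit of {MAX_LOOKUPS} (PermError)")
    if result["all_qualifier"] is None:
        result["problems"].append("no all mechanism; unmatched senders evaluate to neutral")
    elif result["all_qualifier"] == "~":
        result["problems"].append("~all soft fail in use; switch to -all for production")
    return result

# Constructed sample records for demonstration (not any real domain's SPF data).
SAMPLE_OK = "v=spf1 include:_spf.google.com ip4:192.168.1.0/24 a:mail.example.com mx -all"
SAMPLE_TOO_MANY = "v=spf1 " + " ".join(f"include:svc{i}.example.net" for i in range(9)) + " a mx ~all"

if __name__ == "__main__":
    for rec in (SAMPLE_OK, SAMPLE_TOO_MANY):
        r = parse_spf(rec)
        print(f"lookups={r['lookups']} all={r['all_qualifier']} problems={r['problems']}")
```

Run this against your own record before and after adding a sending service; a real checker additionally resolves every include and adds its nested lookups to the count.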