SPF Record Syntax (SPF Record)

Security Glossary - Email Authentication

Definition: An SPF record is a TXT record in DNS that defines the authorized sending sources for a domain's email. The record starts with v=spf1 and contains mechanisms (ip4, ip6, include, a, mx) that specify allowed senders, followed by a final all mechanism whose qualifier defines the default policy for unlisted sources.

Why SPF Record Is Important

Correct SPF record syntax is critical because malformed records are either ignored or cause authentication failures. A single typo can invalidate the entire record, leaving your domain without SPF protection. Common syntax errors include missing the v=spf1 prefix, extra spaces, or incorrect mechanism formatting.

The include mechanism is the most common way to authorize third-party email services. Each include adds a DNS lookup, and the SPF specification limits total lookups to 10. Exceeding this limit causes a PermError, which many receivers treat as a fail. This is the most common SPF configuration problem for domains using multiple email services.

The all mechanism at the end defines what happens to emails from unlisted sources. -all (fail) is the strongest, ~all (softfail) is moderate, ?all (neutral) is effectively no policy, and +all (pass) should never be used as it authorizes everyone. Use -all once you are confident all legitimate sources are listed.

Checking Your Setup

A DNS health checker validates your SPF record syntax, counts DNS lookups (flagging if near or over the 10-lookup limit), and verifies each mechanism resolves correctly. Run this check every time you add a new email service.
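The checks described above, sketched as an added Python example (not the checker's own code): it enforces exactly one v=spf1 record, counts lookup-consuming terms recursively through include, and reports the policy set by all. The ZONE data and .test names are constructed, and the set of terms that consume lookups (include, a, mx, ptr, exists, redirect) is taken from RFC 7208 rather than from this page.

```python
# Constructed sample zone (domain -> TXT strings); stands in for live DNS so this runs offline.
ZONE = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mail.test include:_spf.crm.test -all"],
    "_spf.mail.test": ["v=spf1 include:_a.mail.test include:_b.mail.test ~all"],
    "_a.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.test": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_spf.crm.test": ["v=spf1 a mx ~all"],
    "dup.test": ["v=spf1 -all", "v=spf1 ~all"],            # two SPF records
    "open.test": ["v=spf1 +all"],                          # authorizes everyone
    "typo.test": ["v=spf1 inculde:_a.mail.test -all"],     # misspelled mechanism
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # count toward the limit
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
POLICY = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
MAX_LOOKUPS = 10

class PermError(Exception):
    """Permanent SPF error: the record cannot be evaluated."""

def spf_record(domain, zone):
    # Only TXT strings whose first token is v=spf1 are SPF records.
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise PermError(f"{domain}: expected exactly one SPF record, found {len(found)}")
    return found[0]

def check(domain, zone=ZONE, state=None):
    """Return {'lookups': n, 'policy': p} for domain, following include/redirect."""
    top = state is None
    state = state if state is not None else {"lookups": 0, "policy": None}
    for term in spf_record(domain, zone).split()[1:]:
        qualifier = term[0] if term[0] in POLICY else "+"   # no qualifier means pass
        body = term.lstrip("+-~?").replace("=", ":", 1)     # modifiers use '=' (redirect=)
        name, _, arg = body.partition(":")
        name = name.partition("/")[0].lower()               # drop a CIDR suffix such as a/24
        if name not in KNOWN_TERMS:
            raise PermError(f"{domain}: unknown term {term!r}")
        if name in LOOKUP_TERMS:
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise PermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")
        if name in ("include", "redirect"):
            check(arg, zone, state)       # nested lookups draw on the same budget
        if name == "all" and top:
            state["policy"] = POLICY[qualifier]
    return state
```

For example.test the two include terms account for six of the seven lookups, because each included record brings its own include, a and mx terms with it.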

Common Questions About SPF Record

Can I have multiple SPF records?
No. The SPF specification requires exactly one SPF TXT record per domain. Multiple SPF records cause a PermError and authentication failure. If you need to add more authorized senders, modify your existing SPF record rather than adding a second one.

What does include: do in an SPF record?
The include mechanism tells the receiver to also check the referenced domain's SPF record. For example, include:_spf.google.com adds all of Google's sending IPs to your authorized senders. Each include consumes one or more of your 10 permitted DNS lookups.