SPF explained: how Sender Policy Framework actually works

SPF lets a receiver ask DNS which servers are allowed to send mail using a given domain. It is the oldest of the three modern authentication standards and the easiest to misconfigure.

What SPF actually does

An SPF record is a TXT record at the apex of your domain that lists the servers (by IP, hostname, or another domain's SPF record) that are allowed to send mail as you. When a receiver gets a message, it looks up the SPF record for the envelope sender's domain, evaluates the connecting IP against it, and returns one of: pass, fail, softfail, neutral, permerror, temperror, or none.

The 10-lookup limit

SPF processing is capped at 10 DNS lookups per evaluation. Every include:, a, mx, ptr, exists, and redirect costs at least one lookup. Modern senders blow through this limit easily once they integrate Google Workspace, Microsoft 365, a marketing ESP, and a transactional ESP. The fix is to flatten or consolidate includes — or move marketing/transactional traffic to a subdomain with its own SPF record.
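An added example (not code from this guide): a worst-case lookup counter run over a constructed in-memory zone instead of live DNS. The `.example` domains and record contents are made up, and each lookup-causing term is counted once; the output shows an 11-lookup record and the subdomain split described above bringing it back under the limit.

```python
"""Worst-case SPF DNS-lookup counter over a constructed, in-memory zone."""
LIMIT = 10  # per-evaluation cap on lookup-causing terms
QUERY_MECHANISMS = {"a", "mx", "ptr", "exists"}

# Constructed sample data: hypothetical domains standing in for live TXT lookups.
PROVIDERS = {
    "_spf.workspace.example": ["v=spf1 include:_nb1.workspace.example "
                               "include:_nb2.workspace.example include:_nb3.workspace.example ~all"],
    "_nb1.workspace.example": ["v=spf1 ip4:192.0.2.0/25 ~all"],
    "_nb2.workspace.example": ["v=spf1 ip4:192.0.2.128/25 ~all"],
    "_nb3.workspace.example": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "spf.m365.example": ["v=spf1 ip4:198.51.100.0/24 include:_b.m365.example -all"],
    "_b.m365.example": ["v=spf1 ip4:203.0.113.0/26 -all"],
    "spf.marketing-esp.example": ["v=spf1 ip4:203.0.113.64/26 ~all"],
    "spf.tx-esp.example": ["v=spf1 include:_u.tx-esp.example ~all"],
    "_u.tx-esp.example": ["v=spf1 ip4:203.0.113.128/26 ~all"],
}
BEFORE = {**PROVIDERS, "example.com": [
    "v=spf1 mx a include:_spf.workspace.example include:spf.m365.example "
    "include:spf.marketing-esp.example include:spf.tx-esp.example ~all"]}
AFTER = {**PROVIDERS,  # ESP traffic moved to a subdomain with its own record
         "example.com": ["v=spf1 mx a include:_spf.workspace.example include:spf.m365.example ~all"],
         "mail.example.com": ["v=spf1 include:spf.marketing-esp.example include:spf.tx-esp.example ~all"]}

def count_lookups(domain, zone, path=()):
    """Count include/a/mx/ptr/exists/redirect terms reachable from domain's record."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise ValueError(f"{domain}: multiple SPF records (permerror)")
    total = 0
    for term in (records[0].split()[1:] if records else []):
        # Drop the qualifier, treat "redirect=x" like "redirect:x", strip any CIDR suffix.
        name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()
        if name in ("include", "redirect"):
            total += 1 + count_lookups(arg.lower(), zone, path + (domain,))
        elif name in QUERY_MECHANISMS:
            total += 1
    return total

def verdict(domain, zone):
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        for name in (d for d in ("example.com", "mail.example.com") if d in zone):
            print(label, name, verdict(name, zone))
```

The count is a worst case: a real evaluation stops at the first matching mechanism, so a record over the limit can still pass for some source IPs and return permerror for others.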

Soft fail vs hard fail

The qualifier on the final mechanism (-all hard fail, ~all soft fail) tells receivers what to do when the IP is not authorised. -all means 'reject', ~all means 'mark as suspicious but accept'. Most senders start at ~all and only flip to -all once they're certain the include list is complete.

SPF alignment for DMARC

SPF passing isn't enough on its own for DMARC — the envelope-from domain has to align with the From: header domain (either exactly or, with relaxed alignment, within the same organisational domain). Most ESPs use their own envelope-from by default; switching to a custom return-path on a subdomain of your From: domain is what makes SPF align.

Frequently asked questions

Can I have multiple SPF records?
No. Multiple SPF TXT records cause a permerror. Combine all your includes into a single record.

Does SPF cover forwarded mail?
Not reliably. Plain forwarding rewrites the envelope-from and breaks SPF. DKIM and DMARC handle forwarding better than SPF does.
