An SPF (Sender Policy Framework) record is a TXT record in your DNS that lists the servers allowed to send email on behalf of your domain. Receiving mail servers check it to help decide whether a message is genuine or spoofed.
SPF is the first of the three core email-authentication standards. Published as a single DNS TXT record, it tells the world which IP addresses and services may send mail using your domain, so forged messages are more likely to be rejected or marked as spam.
Check your website
See how your site handles spf records: stopping others from spoofing your email — free, no account needed.
For business owners
Without SPF, anyone can send email that appears to come from your domain — a favourite tactic for phishing and invoice fraud that damages your brand and lands you in spam folders. A correct SPF record protects your reputation, improves the deliverability of your legitimate email (newsletters, receipts, password resets) and is a prerequisite for the DMARC policy that ties everything together.
How it works (technical)
SPF is a single DNS TXT record on your root domain, for example:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Key mechanisms: include: authorises another provider's servers, ip4:/ip6: authorise specific addresses, and the all qualifier at the end sets the default — -all (hard fail, reject others), ~all (soft fail, accept but mark) or ?all (neutral). A domain may publish only one SPF record, and evaluation must resolve within 10 DNS lookups or it returns permerror.
Real-world example
A company used Google Workspace plus a separate marketing platform, but its SPF record only listed Google. Every campaign from the marketing tool failed SPF and a chunk of it went to spam. Adding the marketing provider's include: to the single SPF record restored deliverability overnight.
Why it matters
SPF underpins email trust and deliverability, and it is required for DMARC to pass. Scanners check that exactly one valid SPF record exists, stays within the 10-lookup limit, and ends with a sensible all qualifier.
How to fix it
Publish one
TXTrecord on your domain starting withv=spf1.Add an
include:for every service that sends mail as you (email host, CRM, marketing, ticketing).End with
~all(soft fail) while testing, then tighten to-allonce confident.Keep total DNS lookups at 10 or fewer — flatten or consolidate includes if you exceed it.
Never publish two SPF records; merge them into one.
Best practices
Maintain a single, authoritative SPF record and review it whenever you add a sending service.
Aim for
-allin production so unauthorised servers are rejected outright.Pair SPF with DKIM and DMARC — SPF alone does not fully protect your domain.
Common mistakes
Publishing more than one SPF record (this invalidates SPF entirely).
Exceeding the 10-DNS-lookup limit, causing a permerror and silent failures.
Leaving
?allor forgetting the all qualifier, which offers little protection.
Frequently asked questions
Can I have two SPF records?
No. A domain must have exactly one SPF TXT record. Multiple records cause a permerror and break authentication. Combine all senders into a single record.
Does SPF stop all spoofing?
No. SPF checks the envelope sender and breaks on forwarding. It must be combined with DKIM and DMARC for full protection of the visible From address.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free