Early AccessWe're giving lifetime free access to our first users - no credit card, no catch.Claim your spot →
← Blog/Authentication

What Is an SPF Record? (And Why Every Email Sender Needs One)

June 13, 2025·5 min read·By MailPilot

An SPF record (Sender Policy Framework) is a DNS TXT record that lists the mail servers authorized to send email on behalf of your domain. When an email arrives claiming to be from your domain, the receiving server checks your SPF record to verify the sending server is legitimate. If the server isn't listed, the email may be flagged as spam or rejected.

Why SPF Matters

Without an SPF record, anyone can send email from your domain. Spammers frequently forge "From" addresses using legitimate company domains - a practice called email spoofing. SPF is the primary technical defense against this. Beyond security, SPF is now a mandatory requirement for any sender sending more than 5,000 emails/day to Gmail accounts under Google's 2024 sender requirements.

How SPF Works

When a mail server receives an email from user@yourdomain.com, it looks up the TXT records for yourdomain.com, finds your SPF record, and checks whether the sending server's IP address appears in the authorized list. If it does: SPF pass. If it doesn't: SPF fail or softfail, depending on your policy.

What an SPF Record Looks Like

A typical SPF record for a business using Google Workspace looks like this:

v=spf1 include:_spf.google.com ~all

Breaking this down:

  • v=spf1 - declares this is an SPF record
  • include:_spf.google.com - authorizes all servers in Google's SPF record
  • ~all - softfail for any server not listed (treat with suspicion but don't reject)

If you also send through SendGrid, Mailchimp, or another ESP, you add their include statement:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

SPF Policy Qualifiers

  • -all (fail) - Reject all servers not listed. Strictest. Use only when you are certain all your sending sources are listed.
  • ~all (softfail) - Mark as suspicious but don't reject. Recommended starting point.
  • ?all (neutral) - No policy statement. Equivalent to having no SPF at all. Not recommended.
  • +all - Allow all. Never use this - it completely defeats the purpose of SPF.

SPF Limitations

SPF checks the Return-Path (envelope sender), not the "From" header you see in your email client. This means SPF alone doesn't prevent phishing from your domain - DMARC alignment is needed to tie SPF results to the visible From address. Additionally, each domain can have only one SPF record, and you're limited to 10 DNS lookups within it (the "10 lookup limit"). Exceeding this causes SPF permerror.

How to Add an SPF Record

SPF records are added as TXT records in your domain's DNS manager:

  • Host/Name: @ (the root domain)
  • Type: TXT
  • Value: Your SPF record (e.g., v=spf1 include:_spf.google.com ~all)
  • TTL: 3600 (1 hour)

After adding it, verify propagation with a free SPF lookup tool or use MailPilot's built-in DNS health checker, which validates SPF, DKIM, and DMARC on every connected domain automatically.

MailPilot

Ready to reach the inbox every time?

Automated email warmup across real peer mailboxes. Live inbox placement monitoring. Free 14-day trial - no credit card required.

Start free trial
Reach the Inbox, Every Time
Connect unlimited inboxes for warmup. Free 14-day trial, no credit card.
Try for Free
WORKS WITH
OZOHO
inbox placement99.2%
free trial14-day
companies trust us340+

Start for free - no credit card required.

Get started freeBook a demo