What Is SPF (Sender Policy Framework)?

SPF (Sender Policy Framework) is an email authentication standard that publishes, in your domain's DNS, the list of mail servers allowed to send email on its behalf. When a message arrives, the receiving server checks whether it came from an authorized server and uses the result to detect forgeries.

SPF is the oldest of the three core email authentication standards. It answers one question for a receiving server: is the server that sent this message actually allowed to send mail for the domain it claims? You answer that question in advance by publishing a single DNS TXT record that names your authorized senders.

An SPF record is a TXT record on your domain that looks like v=spf1 include:_spf.google.com include:sendgrid.net ~all. Each mechanism authorizes a source: include: pulls in another provider's authorized servers (Google Workspace, your ESP, your outreach tool), ip4: or ip6: name specific addresses, and a: or mx: authorize your domain's own hosts. The record ends with an all mechanism that says how to treat everyone else: ~all is a soft fail (accept but mark suspicious) and -all is a hard fail (reject). When mail arrives, the receiver looks up the SPF record for the domain in the message's return-path (the envelope sender) and checks the sending IP against it.

SPF matters for deliverability because it is one of the first trust signals a mailbox provider reads. A passing, aligned SPF result tells the provider the message is not a forgery; a missing or failing record makes you look like a spoofer and pushes you toward the spam folder. SPF is also one of the two checks DMARC relies on, so you cannot reach a strong DMARC policy without it.

Two mistakes account for most SPF problems. First, the 10-DNS-lookup limit: every include counts against a hard cap of 10 lookups, and exceeding it makes the whole record return permerror and effectively fail. Keep your includes lean and flatten where you can. Second, only one SPF record is allowed per domain - publishing two TXT records starting with v=spf1 invalidates both, so when you add a new sending service you merge its include into the existing record rather than creating a second one. Note that SPF breaks on forwarding (the forwarding server is not on your list), which is exactly why DKIM and DMARC exist alongside it.
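The two mistakes above can be checked before a record is published. The following is an added example, not code from the original page: an offline linter that walks includes recursively, counts DNS-querying terms against the limit of 10, and flags a domain with more than one v=spf1 record. It goes slightly beyond the text by counting every term RFC 7208 charges a lookup for (include, a, mx, ptr, exists, redirect=), and all domain names and records in it are constructed sample data.

```python
import re

LOOKUP_LIMIT = 10  # cap on DNS-querying terms per SPF evaluation (RFC 7208, 4.6.4)
# Terms that cost a lookup: include, a, mx, ptr, exists, and the redirect= modifier.
TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?:[:/](.*))?$|^redirect=(.+)$", re.I)

# Constructed TXT data standing in for DNS; every name here is hypothetical.
SAMPLE_TXT = {
    "lean.example": ["v=spf1 include:_spf.mail.example include:esp.example ~all"],
    "_spf.mail.example": ["v=spf1 include:_n1.mail.example include:_n2.mail.example ~all"],
    "_n1.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_n2.mail.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "esp.example": ["v=spf1 a mx ip4:192.0.2.128/25 ~all"],
    "crm.example": ["v=spf1 mx ~all"],
    "heavy.example": ["v=spf1 include:lean.example include:esp.example include:crm.example ~all"],
    "dup.example": ["v=spf1 include:esp.example ~all", "v=spf1 ip4:192.0.2.1 -all"],
}

def count_lookups(domain, txt, depth=0):
    """Count DNS-querying terms reached from domain's SPF record, following includes."""
    records = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise ValueError(f"{domain}: {len(records)} SPF records published")
    if not records or depth > LOOKUP_LIMIT:  # depth guard stops include loops
        return 0
    total = 0
    for term in records[0].split()[1:]:
        m = TERM.match(term)
        if not m:
            continue  # ip4:, ip6:, all and other modifiers need no DNS query
        total += 1
        target = m.group(2) if (m.group(1) or "").lower() == "include" else m.group(3)
        if target:  # include: and redirect= pull in another record's terms too
            total += count_lookups(target.lower(), txt, depth + 1)
    return total

def check(domain, txt):
    """Return (status, detail) the way a receiver would see the record."""
    try:
        n = count_lookups(domain, txt)
    except ValueError as err:
        return "permerror", str(err)
    if n > LOOKUP_LIMIT:
        return "permerror", f"{n} DNS lookups, limit is {LOOKUP_LIMIT}"
    return "ok", f"{n} DNS lookups"

if __name__ == "__main__":
    for name in ("lean.example", "heavy.example", "dup.example"):
        print(name, *check(name, SAMPLE_TXT))
```

The count is the worst case, since a real evaluation stops at the first mechanism that matches the sending IP. Macros in include targets are not expanded here.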

Key points

  • SPF is one DNS TXT record listing the servers allowed to send for your domain.
  • Receivers check the sending IP against it to catch forged senders.
  • It ends with ~all (soft fail) or -all (hard fail) for unlisted servers.
  • There is a hard limit of 10 DNS lookups - too many include: entries cause it to fail.
  • Only one SPF record per domain: merge new services into it, never add a second.

Frequently asked questions

It is a single DNS TXT record beginning with v=spf1, followed by mechanisms that authorize senders and a closing all rule. For example: v=spf1 include:_spf.google.com include:sendgrid.net ~all authorizes Google Workspace and SendGrid and soft-fails everyone else.
