Email Security (DMARC+)

What is SPF?

SPF (Sender Policy Framework) is a DNS-based email authentication standard that specifies which mail servers are authorised to send email on behalf of your domain.

When you send an email, the receiving mail server looks up your domain's SPF record to check whether the server that sent the email is on your approved list. If it's not, the email fails SPF.


How SPF works

  1. You publish an SPF record in your domain's DNS — it looks like this:

    v=spf1 include:_spf.google.com include:mailgun.org ip4:203.0.113.5 -all

  2. When someone receives an email claiming to be from your domain, their mail server:

    • Looks up your domain's SPF record
    • Checks whether the sending IP matches any of the authorised sources
    • Returns a result: Pass, Fail, SoftFail, Neutral, or PermError
  3. The receiving server uses that result (along with DKIM and DMARC) to decide what to do with the email.


SPF record syntax

Mechanism             Meaning
v=spf1                Required — declares this is an SPF record
include:domain.com    Authorise all IPs in another domain's SPF record
ip4:x.x.x.x           Authorise a specific IPv4 address or range
ip6:...               Authorise a specific IPv6 address or range
a                     Authorise the domain's own A record IP
mx                    Authorise the domain's own MX record IPs
-all                  Hard fail — reject all email not matching the above
~all                  Soft fail — mark suspicious but don't reject
?all                  Neutral — no policy (not recommended)

SPF and DMARC alignment

For DMARC to consider SPF a pass, SPF must not just pass — it must also align. This means the domain in the email's Return-Path (envelope from) must match the From: header domain.

This is important because SPF alone can be passed by a forwarder or intermediary that changes the Return-Path — DMARC alignment closes that loophole.


Common SPF problems

Email failing SPF despite a valid record
Usually caused by a sending service not included in the record. When you add a new service (e.g., Mailchimp, Zendesk, Salesforce), you must add its SPF include to your record.

PermError (too many lookups)
SPF allows a maximum of 10 DNS lookups. Each include: costs one lookup. When this limit is exceeded, SPF returns PermError and emails fail. Fix by removing unused includes or flattening IP ranges.
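
The lookup limit can be checked before a record is published. The Python below is an added example, not DMARC+ code: it counts the terms that RFC 7208 charges against the limit of 10 (include, a, mx, ptr, exists and redirect, so more than include: alone), following nested includes. It assumes a constructed set of records under made-up .example domains in place of live DNS; the function names are hypothetical.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a PermError

# Constructed TXT records standing in for DNS so the example runs offline.
# Every domain and address below is made up for illustration.
ZONE = {
    "shop.example": "v=spf1 include:_spf.mailer.example include:_spf.crm.example "
                    "include:_spf.helpdesk.example mx a ip4:203.0.113.5 -all",
    "_spf.mailer.example": "v=spf1 include:_n1.mailer.example include:_n2.mailer.example "
                           "include:_n3.mailer.example ~all",
    "_n1.mailer.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    "_n2.mailer.example": "v=spf1 ip4:198.51.100.64/26 ~all",
    "_n3.mailer.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_spf.crm.example": "v=spf1 include:_n1.crm.example a:out.crm.example ~all",
    "_n1.crm.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_spf.helpdesk.example": "v=spf1 exists:%{i}.allow.helpdesk.example ~all",
    # Same policy with the mailer and CRM includes flattened to IP ranges.
    "flat.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:1::/48 ip4:192.0.2.0/25 "
                    "ip4:203.0.113.5 include:_spf.helpdesk.example mx a -all",
}

def count_lookups(domain, zone, stack=()):
    """Count DNS-querying terms reachable from domain's SPF record (worst case:
    a real evaluation stops at the first matching mechanism)."""
    if domain in stack:
        raise ValueError(f"include loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record published at this name
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()               # drop the qualifier
        name = re.split(r"[:=/]", term, maxsplit=1)[0]   # mechanism or modifier name
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            total += 1 + count_lookups(target, zone, stack + (domain,))
    return total

def audit(domain, zone):
    """Return (lookup count, 'ok' or 'permerror') for the domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")
```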

Email failing SPF alignment
The Return-Path domain doesn't match your From: domain. Common when using third-party senders. Fix by configuring the service to use a subdomain that you own, or by adding CNAME records to align the envelope domain.


Checking your SPF record

Use the SPF Explorer in DMARC+ to:

  • View your full SPF record and all its included ranges
  • Check for errors and lookup limit issues
  • Identify which services are authorised to send from your domain