SPF · RFC 7208
SPF: declaring who is allowed to send
SPF (Sender Policy Framework) publishes, in your DNS, the list of servers allowed to send mail for your domain. On receipt, the receiving server compares the connecting IP against that list. The check is made on the envelope sender (the MAIL FROM / Return-Path domain), not on the visible From: header.
The DNS record
A single TXT record at the domain root:
your-domain.com. IN TXT
"v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all"
- include: — delegates authorization to another domain (your ESP, your mail provider).
- ip4: / ip6: — authorizes an IP or block directly.
- a / mx — authorizes the IPs of the domain’s A / MX records.
- The final qualifier: -all (strict reject), ~all (softfail), ?all (neutral).
The 10-lookup trap
Evaluating an SPF record must not trigger more than 10 DNS lookups (each include, a, mx counts). Beyond that, the result is permerror and SPF fails. With several providers you hit the limit fast — you then have to flatten some includes into IPs.
Common pitfalls
- Two SPF records on the same domain → permerror. There must be exactly one, merging all sources.
- +all → authorizes the entire world. Never publish it.
- SPF alone does not protect the visible From: — you need DMARC for alignment.
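The lookup limit and the two-records pitfall above, as an added example (not from the original page): a simplified SPF evaluator working against a constructed, offline stand-in for DNS. All domain names and records in FAKE_TXT are made up for the demonstration; the evaluator only resolves ip4, ip6, include and all, and counts the other lookup mechanisms without resolving them.

```python
import ipaddress

# Constructed stand-in for DNS (assumption: no network access). Maps a name to the TXT
# strings it would return. The 11-include domain is built to trip the lookup limit.
FAKE_TXT = {
    "your-domain.com": ["v=spf1 include:_spf.example-esp.com ip4:203.0.113.10 -all"],
    "_spf.example-esp.com": ["v=spf1 ip4:198.51.100.0/24 include:_spf2.example-esp.com -all"],
    "_spf2.example-esp.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "two-records.example": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],
    "many-includes.example": [
        "v=spf1 " + " ".join(f"include:leaf{i}.example" for i in range(11)) + " -all"],
    **{f"leaf{i}.example": [f"v=spf1 ip4:192.0.2.{i} -all"] for i in range(11)},
}

# Mechanisms whose evaluation costs a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, lookups=None):
    """Evaluate `ip` against the SPF record of `domain`; returns (result, lookups_used).
    Simplified: resolves ip4/ip6/include/all; a/mx/ptr/exists are counted but never match."""
    lookups = lookups if lookups is not None else [0]   # shared counter across includes
    records = [r for r in FAKE_TXT.get(domain, []) if r.startswith("v=spf1")]
    if len(records) > 1:       # two SPF records on one name is a permerror
        return "permerror", lookups[0]
    if not records:
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = term.partition(":")
        if name in LOOKUP_MECHANISMS:
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:           # the 10-lookup trap
                return "permerror", lookups[0]
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual], lookups[0]    # address-family mismatch is simply no match
        if name == "include":
            sub, _ = check_spf(arg, ip, lookups)
            if sub == "pass":
                return QUALIFIERS[qual], lookups[0]
            if sub in ("none", "permerror"):       # a broken include poisons the whole record
                return "permerror", lookups[0]
        if name == "all":
            return QUALIFIERS[qual], lookups[0]
    return "neutral", lookups[0]
```

Running check_spf("many-includes.example", "203.0.113.99") returns permerror with 11 lookups counted even though every include is itself valid, which is exactly the failure mode that flattening includes into IPs avoids.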
