SPF

FAQ

SPF tags and their definitions

TAG | TAG DESCRIPTION
v (required) | The version tag. The only allowed value is “spf1”. If it’s incorrect or the tag is missing, the SPF record will be ignored.
ip4 | This tag should include all the IPv4 addresses that are allowed to send emails on behalf of the domain.
ip6 | This tag should include all the IPv6 addresses that are allowed to send emails on behalf of the domain.
a | The A record tag allows SPF to validate the sender by the domain name’s IP address. If left unspecified, it takes the value of the current domain.
mx | The MX record tag checks the MX record of the mail server(s). If left unspecified, it takes the value of the current domain.
ptr (Not recommended) | The PTR tag prompts a PTR check for the client IP’s hostname(s). RFC 7208 does not recommend this tag because it uses too many DNS lookups.
exists | The exists tag checks if an A record exists or not on the mentioned domain.
include | The include tag is of top importance for a correct SPF record. Listing all your sending sources under this tag lets the recipient know that you verify all the added domains/subdomains as legitimate sources.
all (required) | All is a required tag. It should be placed at the end of the SPF record. Depending on the qualifiers used (~, +, -, ?), this mechanism indicates how the recipient should treat emails from non-authorized sources.

What is the SPF record?

A Sender Policy Framework (SPF) record is a type of DNS TXT record that shows all your email sending sources (the servers authorized to send emails from a domain).

 

An SPF record identifies the mail servers, services and domains that are allowed to send email on behalf of your domain. Receiving servers check your SPF record to verify that incoming emails that appear to be from your domain are sent from servers allowed by you. A domain can have only one SPF record.

Examples of common SPF records

Here are some examples of common SPF records:

  1. A basic SPF record that allows the domain’s MX (mail exchange) servers to send email:

    v=spf1 mx ~all

    This record indicates that any server listed in the domain’s MX records is authorized to send email on behalf of the domain. The tilde (~) indicates that the domain’s owner requests that messages that fail SPF checks be marked as a soft fail.
  2. An SPF record that allows a specific IP address to send email:

    v=spf1 ip4:192.0.2.0/24 ~all

    This record allows any server with an IP address in the range 192.0.2.0 to 192.0.2.255 to send email on behalf of the domain. The CIDR notation (/24) indicates the range of IP addresses that are allowed. The tilde (~) again indicates a soft fail.
  3. An SPF record that allows multiple sources to send email:

    v=spf1 a:example.com include:_spf.google.com ~all

    This record allows any server listed in the domain’s A record (example.com) and any server authorized by the SPF record for _spf.google.com to send email on behalf of the domain. The include mechanism allows the domain owner to reference another domain’s SPF record. The tilde (~) again indicates a soft fail.

  4. An SPF record that specifies a hard fail:

    v=spf1 a:example.com -all

    This record allows any server listed in the domain’s A record (example.com) to send email on behalf of the domain. The minus (-) before the all mechanism indicates that any server that fails SPF checks should be treated as a hard fail, which means that the message should be rejected.
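
How a receiver reads records like the ones above, as an added example that is not code from this page or from any SPF tool. It evaluates only the mechanisms that need no DNS (ip4, ip6, all), goes left to right, and stops at the first match; the function name, the "needs-dns" result and the sample sender addresses are constructed for illustration.

```python
import ipaddress

# Qualifier prefix -> result; a mechanism with no prefix defaults to "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that can only be decided with live DNS queries.
DNS_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}


def check_ip(record, sender_ip):
    """Evaluate sender_ip against an SPF record, left to right.

    Returns pass/fail/softfail/neutral for the first matching mechanism,
    "none" when the record is ignored (missing or wrong version tag),
    "needs-dns" when a DNS-based term is reached before any match
    (hypothetical result name, used because this sketch stays offline),
    and "neutral" when nothing matches at all.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    has_redirect = False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        if body.lower().startswith("redirect="):
            # redirect is only consulted when no mechanism matched.
            has_redirect = True
            continue
        name, _, arg = body.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            # An ip4 term never matches an IPv6 sender and vice versa.
            if network.version == ip.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name.split("/")[0] in DNS_MECHANISMS:
            return "needs-dns"
    return "needs-dns" if has_redirect else "neutral"


# Constructed test cases: records modelled on the examples above, sender
# addresses taken from the documentation ranges.
SAMPLES = [
    ("v=spf1 ip4:192.0.2.0/24 ~all", "192.0.2.77"),    # inside the /24
    ("v=spf1 ip4:192.0.2.0/24 ~all", "198.51.100.5"),  # outside, soft fail
    ("v=spf1 ip4:192.0.2.0/24 -all", "198.51.100.5"),  # outside, hard fail
    ("v=spf2 ip4:192.0.2.0/24 -all", "192.0.2.77"),    # wrong version tag
    ("v=spf1 mx ~all", "192.0.2.77"),                  # needs an MX lookup
]

if __name__ == "__main__":
    for record, ip in SAMPLES:
        print(f"{ip:14} {record:32} -> {check_ip(record, ip)}")
```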

SPF Checker

Email has become an essential tool for communication, but it is also a major source of spam, phishing, and other forms of cyber attacks. Sender Policy Framework (SPF) is an email authentication protocol that helps prevent such attacks by verifying that the sender of an email is authorized to use the domain name in the email address. An SPF record is a DNS record that contains a list of authorized IP addresses that are allowed to send emails on behalf of a domain.

 

An SPF checker is a tool that verifies if an email sender has published an SPF record for their domain and if the IP address that is sending the email is authorized to send emails on behalf of that domain. SPF checkers examine the SPF record of the domain in the email’s header and compare the IP address that sent the email to the list of authorized IP addresses in the SPF record. If the IP address is not authorized, the email is flagged as suspicious and is more likely to be blocked or marked as spam.

 

There are several SPF checker tools available online like this one, and they can be used to check the SPF record of any domain. Some of these tools include:

  1. EasyDMARC SPF Checker: This is a free online tool that checks the SPF record of a domain and provides a detailed report on the status of the SPF record.
  2. Google Postmaster Tools: This is a free tool provided by Google that checks the SPF record of a domain and provides a report on the status of the SPF record, along with other email deliverability metrics.
  3. MX Toolbox: This is an old but free online tool that checks the SPF record of a domain and provides a detailed report on the status of the SPF record.

Using an SPF checker tool is important because it helps to prevent email spoofing and phishing attacks. By verifying that the sender of an email is authorized to use the domain name in the email address, SPF checkers can help to reduce the risk of cyber attacks and protect the privacy and security of email users.

Why is SPF important? 

You should use SPF for 4 main reasons.

  1. To improve your domain security. SPF helps to prevent email fraud and spoofing. By defining which sending sources (IP addresses, services, domains) are authorized to send email on behalf of a domain, an organization can prevent cybercriminals from sending phishing emails (fraudulent or spoofed email) from the organization’s domain.
  2. To improve email deliverability. By using SPF, an organization can improve its email deliverability by ensuring that its legitimate email messages are not marked as spam or rejected by recipient email servers.
  3. To protect domain reputation. When a domain is used to send spam or fraudulent email messages, its reputation can be damaged. This can result in legitimate email messages being marked as spam or rejected by email servers. SPF helps to ensure that the organization’s legitimate email messages are not affected by the actions of malicious actors.
  4. Compliance: In some cases, organizations are required to use SPF in order to comply with regulations or industry standards. For example, the Payment Card Industry Data Security Standard (PCI DSS), GDPR, and SOC2 require that organizations use SPF to protect against email fraud and spoofing. An SPF checker can help find the issues easily.

How to create an SPF record?

  1. Determine which IP addresses are authorized to send email on behalf of your domain. This may include your organization’s email servers, third-party email services, and other authorized senders. SPF Checker will show all addresses. 
  2. Write a policy statement that lists the authorized IP addresses. The policy statement should be written in a specific syntax that is recognized by SPF checkers.
  3. Create a DNS record for your domain that includes the policy statement. Here is an example of a DNS TXT record:

 

v=spf1 include:_spf.example.com -all

 

In this example, the policy statement includes a reference to another domain’s SPF record (denoted by the “include” mechanism) and specifies that all other IP addresses should be considered unauthorized (denoted by the “-all” mechanism).

 

  4. Publish the DNS TXT record by adding it to your domain’s DNS settings. The specific steps for doing this will depend on your domain registrar or DNS provider.
  5. Test your SPF record to ensure that it is working correctly. You can use an SPF checker tool to verify that your record is set up correctly and that your authorized IP addresses are being recognized.

It’s important to note that SPF records can be complex and may require some technical expertise to set up correctly. If you’re unsure about how to create an SPF record for your domain, you may want to consult with a DNS or email expert to ensure that your record is set up correctly.

Common mistakes to avoid

Here are some common mistakes that organizations should avoid when creating an SPF record:

  1. Not including all authorized sending IP addresses: An SPF record should include a list of all IP addresses that are authorized to send email on behalf of your domain. If you omit any authorized IP addresses, those email messages may be marked as suspicious or rejected by email servers.
  2. Using incorrect syntax: The syntax of an SPF record is specific and must be entered correctly. Using incorrect syntax can cause email servers to fail to recognize the SPF record, resulting in email messages being marked as suspicious or rejected.
  3. Using overly restrictive rules: If your SPF record is too restrictive, it may prevent legitimate email messages from being delivered. For example, if you use the “-all” mechanism to specify that all other IP addresses should be considered unauthorized, email servers may reject email messages from new or unknown IP addresses that are actually legitimate.
  4. Failing to update the SPF record: If your organization’s sending IP addresses change, it’s important to update your SPF record to reflect those changes. Failing to update your SPF record can result in email messages being marked as suspicious or rejected.
  5. Not testing the SPF record: It’s important to test your SPF record to ensure that it is working correctly. You can use an SPF lookup tool to verify that your record is set up correctly and that your authorized IP addresses are being recognized.
  6. Not including third-party email services: If your organization uses third-party email services to send email on behalf of your domain, it’s important to include those services in your SPF record. Failure to do so can result in email messages being marked as suspicious or rejected by email servers.
  7. Not using additional email authentication protocols: SPF is just one step in your email authentication journey that can be used to help prevent email fraud and spoofing. Organizations should also consider using other protocols, such as DKIM and DMARC, to provide additional layers of protection.

SPF 10 DNS lookup problem

An SPF record has a limit of 10 DNS lookups. The SPF 10 DNS lookup problem occurs when a receiving email server checks the Sender Policy Framework (SPF) record of an incoming email and finds that the record contains more than 10 DNS lookups. You may receive a “too many dns lookups” message in this case. The DNS lookups are used to determine if the email has originated from an authorized mail server or not.

The SPF specification limits the number of DNS lookups to 10, so if an SPF record has more than 10 DNS lookups, it may cause delivery issues. If the receiving email server reaches the limit of 10 DNS lookups, it may stop processing the SPF record and consider the email as unauthorized or mark it as spam.

To fix the SPF 10 DNS lookup problem, you need to reduce the number of DNS lookups in your SPF record. Here are a few tips to help you do that:

  1. Use the “include” mechanism: The “include” mechanism allows you to reference another domain’s SPF record, rather than listing its individual IP addresses or hostnames in your own SPF record. This reduces the number of DNS lookups needed, as it counts as a single DNS lookup.
  2. Use the “redirect” mechanism: The “redirect” mechanism allows you to point to another domain’s SPF record, instead of listing your own SPF record. This reduces the number of DNS lookups needed, as it counts as a single DNS lookup.
  3. Use SPF Macros: SPF Macros are placeholders that can be used in SPF records to represent multiple IP addresses or domains in a single mechanism, which reduces the number of DNS lookups needed.
  4. Use an SPF Flattening Service: SPF flattening services can help reduce the number of DNS lookups by consolidating all of the SPF mechanisms and includes into a single SPF record.

By reducing the number of DNS lookups in your SPF record, you can avoid the SPF 10 DNS lookup problem and improve email deliverability.

What is flattening an SPF record?

Sender Policy Framework (SPF) flattening is a technique used to simplify and optimize SPF records, which are used to prevent email spoofing. Traditionally, SPF records were created by listing all the IP addresses and domains authorized to send email on behalf of a domain. However, this can lead to large, complex SPF records that are difficult to manage and can cause problems with DNS lookups and mail server processing. SPF flattening addresses these issues by “flattening” the SPF record, consolidating it into a single domain that lists all authorized senders. This can simplify the SPF record and reduce the number of DNS lookups required to validate emails, improving email delivery and reducing the risk of email being marked as spam or rejected.

Note that SPF flattening can cause issues with email forwarding and other mail handling processes, so carefully consider the potential impact before implementing it. Additionally, SPF flattening should only be done by someone who is experienced with SPF and DNS, as mistakes can cause issues with email delivery.

What is PermError SPF Permanent Error?

PermError (short for “Permanent Error”) is a term used in the context of email authentication to describe an error that occurs when a sender’s domain attempts to use the Sender Policy Framework (SPF) mechanism to verify that an email message came from an authorized source, but the SPF record for the domain cannot be evaluated correctly. A PermError occurs when the SPF record for the sender’s domain is syntactically incorrect, does not exist, or cannot be retrieved from the DNS server due to an error. This means that the recipient’s mail server is unable to determine if the email is legitimate, and may reject it or mark it as spam as a result. This SPF lookup tool helps you to identify a PermError and gives suggestions on how to solve it.

Why use an SPF records check tool?

An SPF (Sender Policy Framework) records check tool is a useful resource for anyone who sends emails from a domain. Here are some reasons why you might want to use an SPF records check tool:

  1. Improved Email Deliverability: An SPF syntax validator helps ensure that your emails reach their intended recipients’ inboxes. SPF records verify the identity of the sender and help protect against email spoofing, which can negatively impact email deliverability.
  2. Identify Issues with SPF Records: An SPF record validator can help you identify any issues with your SPF record that might prevent emails from being delivered. By identifying and fixing these issues, you can improve your email deliverability and avoid having your emails end up in recipients’ spam folders.
  3. Easy to Use: An SPF record checker is typically user-friendly and easy to use, even if you don’t have technical expertise. You simply enter your domain name and the tool checks your SPF record for any issues.
  4. Industry Best Practices: SPF records are an industry best practice for email authentication, and using an SPF record check tool can help ensure that your domain is configured correctly. This can be especially important if you are sending marketing or promotional emails, as you want to make sure they are delivered to the recipient’s inbox.

How can you check SPF lookup limit?

SPF lookups are DNS queries performed by a mail server to determine if an email message is authorized to be sent from a particular domain. Each SPF record can contain multiple mechanisms and modifiers, and each of these can potentially require a separate DNS lookup, which can add up and exceed the maximum limit set by the recipient’s mail server. The maximum limit for SPF lookups is usually defined by the recipient’s mail server and can vary depending on the server’s configuration. Some mail servers may have a limit of 10 or 15 lookups, while others may allow more.

To check the SPF lookup limit for a specific mail server, you can perform an SPF lookup for a domain that includes a large number of SPF mechanisms and modifiers, such as:

    dig +short TXT example.com

This command will retrieve the SPF record for the domain “example.com” and display its contents. If the record contains many mechanisms and modifiers, the resulting DNS response may exceed the lookup limit set by the recipient’s mail server, and some of the mechanisms may not be evaluated.

To check if a specific email message has exceeded the SPF lookup limit for a recipient’s mail server, you can analyze the message headers and look for any errors or warnings related to SPF evaluation. Some email clients and tools may also provide more detailed information about the SPF evaluation process and any lookup limits that were encountered.
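
A static count for the two sections above (“SPF 10 DNS lookup problem” and this one), as an added example that is not code from this page or from any checker tool. It walks a record and everything it includes or redirects to, counting each include, a, mx, ptr, exists and redirect term against the limit of 10; the ZONE dictionary stands in for DNS answers, and every domain name, record and function name in it is constructed for illustration.

```python
LOOKUP_LIMIT = 10  # the limit described in the sections above
# Terms that make the receiver issue a DNS query; ip4, ip6 and all do not.
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for live DNS answers (names are made up).
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.mailer.example "
                   "include:_spf.crm.example include:_spf.helpdesk.example -all",
    "_spf.mailer.example": "v=spf1 include:_nb1.mailer.example "
                           "include:_nb2.mailer.example "
                           "include:_nb3.mailer.example ~all",
    "_nb1.mailer.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.mailer.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_nb3.mailer.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx:crm.example "
                        "exists:%{i}.allow.crm.example ~all",
    "_spf.helpdesk.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    # Same senders, with the mailer and helpdesk includes flattened to addresses.
    "flat.example.com": "v=spf1 mx a ip4:192.0.2.0/24 ip6:2001:db8:1::/48 "
                        "ip4:198.51.100.0/24 include:_spf.crm.example -all",
}


def spf_terms(record):
    """Yield (name, target) for every term after the version tag."""
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        sep = "=" if term.lower().startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        yield name.split("/")[0].lower(), target.split("/")[0]


def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from domain.

    Returns (total, trail), where trail lists (record owner, term, target)
    for each counted term. Raises ValueError on an include/redirect loop.
    """
    if domain in path:
        raise ValueError("loop: " + " -> ".join(path + (domain,)))
    parts = zone.get(domain, "").split()
    if not parts or parts[0].lower() != "v=spf1":
        return 0, []  # no usable SPF record here, nothing to expand
    total, trail = 0, []
    for name, target in spf_terms(zone[domain]):
        if name not in QUERYING:
            continue
        total += 1
        trail.append((domain, name, target))
        if name in ("include", "redirect"):
            sub_total, sub_trail = count_lookups(target, zone, path + (domain,))
            total += sub_total
            trail += sub_trail
    return total, trail


def audit(domain, zone=ZONE):
    """Summarise the lookup budget of one domain's SPF record."""
    total, trail = count_lookups(domain, zone)
    status = "too many dns lookups" if total > LOOKUP_LIMIT else "ok"
    return {"domain": domain, "lookups": total, "status": status, "trail": trail}


if __name__ == "__main__":
    for name in ("example.com", "flat.example.com"):
        report = audit(name)
        print(f"{name}: {report['lookups']} lookups, {report['status']}")
        for owner, term, target in report["trail"]:
            print(f"    {owner}: {term} {target}")
```

The count is a worst case: a receiver stops at the first mechanism that matches, so it may issue fewer queries than the total reported here.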

Testing and troubleshooting

Testing and troubleshooting your SPF record can help ensure that it is working correctly and that your authorized sending IP addresses are being recognized. Here are some tips for testing and troubleshooting your SPF record:

  1. Use an SPF checker: This tool and the other free SPF check lookup tools can help you test your SPF record. These tools will analyze your SPF record and let you know if there are any issues that need to be addressed.
  2. Monitor email deliverability: If you notice that some email messages are being marked as suspicious or rejected by email servers, this may be an indication that there is a problem with your SPF record. Monitor your email deliverability and investigate any issues that arise.
  3. Check DNS settings: Ensure that the SPF record is correctly published in your domain’s DNS settings. Use a DNS lookup tool to verify that the SPF record is correctly configured and accessible.
  4. Review the policy statement: Double-check the policy statement in your SPF record to ensure that it lists all of the authorized sending IP addresses and uses the correct syntax.
  5. Check for conflicts with other email authentication protocols: Ensure that there are no conflicts between your SPF record and other email authentication protocols, such as DKIM and DMARC. These protocols work together to provide additional layers of email authentication and security. You can use any DKIM check tool or DMARC check tool to validate your other records.
  6. Test with different email clients and services: Test your SPF record with different email clients and services to ensure that it is working correctly across all platforms. This can help identify any issues that may be specific to certain email clients or services.
  7. Consult with a DNS or email expert: If you are having difficulty testing or troubleshooting your SPF record, consider consulting with a DNS or email expert who can help you identify and resolve any issues.

SPF Protocol Adoption

SPF (Sender Policy Framework) has been widely adopted as an email authentication protocol since its introduction in 2003. It has become a standard feature of most email service providers and is supported by most email clients and servers.

According to data from the Anti-Phishing Working Group, as of 2021, SPF is the most widely adopted email authentication protocol, with adoption rates of over 91%. This represents a significant increase from previous years, indicating that SPF adoption continues to grow.

SPF adoption is particularly high among large organizations and email service providers, which have a greater need for email security and are more likely to implement robust email authentication policies. However, smaller organizations and individual users may not be as aware of the importance of email authentication and may not have implemented SPF.

Overall, while SPF adoption is high among large organizations and email service providers, there is still room for improvement, particularly among smaller organizations and individual users. Continued education and awareness-raising efforts, along with free SPF checker tools, are needed to encourage broader adoption of SPF and other email authentication protocols to improve the security and authenticity of email communications.

SPF protocol in 2025

SPF has already been widely adopted by many email service providers and organizations to prevent email spoofing and phishing attacks, and it is likely that this trend will continue. Additionally, regulatory bodies such as the EU’s GDPR and California’s CCPA have highlighted the need for strong data protection measures, including email security, which may further drive adoption of email authentication protocols like SPF.

However, it is important to note that email-based threats such as phishing and spam are constantly evolving, and email authentication protocols like SPF may need to be updated or augmented to address new threats. In particular, SPF is limited in its ability to prevent attacks that use domain spoofing, where the attacker creates a domain that is similar to a legitimate one.

Overall, we believe that SPF will remain an important email authentication protocol in 2025, but organizations and email providers will need to continue to stay vigilant and adapt to new threats to maintain the security and authenticity of email communications.

What is an SPF record for email?

An SPF (Sender Policy Framework) record for email is a type of DNS (Domain Name System) record that is used to specify which IP addresses are authorized to send email for a particular domain. It is an email authentication mechanism that helps prevent email spoofing, which is when an attacker sends an email that appears to come from a legitimate sender, but actually originates from a fraudulent source.

The SPF record is published in the DNS zone file for the domain, and it contains a list of IP addresses or IP address ranges that are authorized to send email on behalf of the domain. When an email is received by a mail server, the server performs a DNS lookup to retrieve the SPF record for the sender’s domain. The SPF record is then checked to verify if the IP address of the sending server is authorized to send email for the domain.

If the IP address is authorized, the email is accepted, and if not, it is rejected or marked as spam. This helps to prevent email spoofing and improve the security of email communications.

SPF records can also include other mechanisms, such as include and redirect, to specify additional authorized IP addresses and domains. For example, an SPF record might include the IP addresses of a third-party email service provider that sends email on behalf of the domain.

Overall, an SPF record is an important component of email authentication and helps to ensure that only authorized senders can send email on behalf of a domain, reducing the risk of email-based attacks such as phishing and spam.

What is the use of an SPF record?

The main use of an SPF (Sender Policy Framework) record is to improve email deliverability and prevent email spoofing. An SPF record is a DNS (Domain Name System) record that specifies which IP addresses are authorized to send email on behalf of a particular domain.

When an email is received by a mail server, the server performs a DNS lookup to retrieve the SPF record for the sender’s domain. The SPF record is then checked to verify if the IP address of the sending server is authorized to send email for the domain. If the IP address is authorized, the email is accepted, and if not, it is rejected or marked as spam.

This helps to prevent email spoofing, which is when an attacker sends an email that appears to come from a legitimate sender, but actually originates from a fraudulent source. By specifying which IP addresses are authorized to send email on behalf of a domain, an SPF record helps ensure that legitimate emails are delivered to the intended recipient, while fraudulent emails are rejected or marked as spam.

In addition to improving email deliverability and preventing email spoofing, an SPF record can also help to enhance email security by preventing email-based attacks such as phishing and spam.

Overall, an SPF record is an important component of email authentication and helps to ensure that only authorized senders can send email on behalf of a domain, reducing the risk of email-based attacks and improving the security of email communications.

What are the best email deliverability practices to follow?

There are several best email deliverability practices that can help ensure that your emails are delivered to the recipient’s inbox and not marked as spam. Here are some of the most important ones:

  1. Use a reputable email service provider (ESP): Choose a reliable ESP that has a good reputation and strong deliverability rates. This can help ensure that your emails are not blocked or marked as spam by mailbox providers.
  2. Build a clean email list: Only send emails to recipients who have opted-in to receive them, and regularly clean your email list to remove inactive or invalid email addresses. This can help reduce the likelihood of emails being marked as spam or triggering spam filters.
  3. Authenticate your emails: Implement email authentication protocols such as SPF, DKIM, and DMARC to verify your domain and email messages, and help prevent email spoofing.
  4. Use a recognizable sender name and email address: Use a sender name and email address that recipients will recognize and trust. This can help improve open rates and reduce the likelihood of emails being marked as spam.
  5. Write engaging subject lines and email content: Craft subject lines and email content that are engaging, informative, and relevant to the recipient. This can help improve open rates and reduce the likelihood of emails being marked as spam.
  6. Optimize your email design and formatting: Use responsive email design and formatting to ensure that your emails look great on all devices and are easy to read. This can help improve engagement and reduce the likelihood of emails being marked as spam.
  7. Monitor your email metrics: Monitor your email metrics such as open rates, click-through rates, and bounce rates to identify issues and improve your email campaigns over time.

By following these best email deliverability practices, you can help ensure that your emails are delivered to the recipient’s inbox, improve engagement rates, and reduce the likelihood of emails being marked as spam or triggering spam filters.

How to find SPF records for a domain?

  1. Go to a DNS lookup tool website such as SPF-Checker.org. In the search box, enter the domain name for which you want to find the SPF record.
  2. Click on the “Search” or “Lookup” button.
  3. The tool will then retrieve and display the SPF record for the domain, if one exists. The SPF record will typically be displayed in a text format that shows the authorized IP addresses or IP address ranges that are allowed to send email on behalf of the domain.

Alternatively, if you have access to the command line interface of your computer, you can use the “nslookup” command to retrieve the SPF record for a domain. Here are the steps to do so:

  1. Open the command prompt or terminal on your computer.
  2. Type “nslookup -type=txt” followed by a space and the domain name for which you want to find the SPF record. For example, “nslookup -type=txt example.com”.
  3. Press Enter to execute the command.
  4. The command will then retrieve and display the SPF record for the domain, if one exists. The SPF record will typically be displayed in a text format that shows the authorized IP addresses or IP address ranges that are allowed to send email on behalf of the domain.

By using these methods, you can easily find the SPF record for a domain and ensure that it is properly configured to protect against email spoofing and other email-based attacks.