Most email senders know they need SPF. Very few understand what it actually does or how it protects their domain.<\/p>\n\n\n\n
The result is predictable. Broken records, failed authentication, and emails landing in spam for reasons nobody can diagnose.<\/p>\n\n\n\n
I run TrulyInbox, an email warm-up tool. I have seen hundreds of domains with misconfigured SPF records. The patterns are always the same.<\/p>\n\n\n\n
This is not a DNS tutorial written by a security vendor. It is a practical guide for people who send email for a living.<\/p>\n\n\n\n
In this blog, I will cover what SPF is, how it works, how to create your record, the 10-lookup limit, and common mistakes. I will also explain how SPF fits with DKIM and DMARC.<\/p>\n\n\n\n
SPF stands for Sender Policy Framework. It is a DNS TXT record that lists which servers can send email on behalf of your domain.<\/p>\n\n\n\n
When someone receives an email from your domain, their server checks your SPF record. It compares the sending server’s IP against your authorized list. If it matches, SPF passes. If not, the email gets flagged or rejected.<\/p>\n\n\n\n
Without SPF, anyone can spoof your domain. That opens the door to phishing, spam complaints, and serious deliverability damage.<\/p>\n\n\n\n
Here is what a basic SPF record looks like:<\/p>\n\n\n\n
v=spf1 include:_spf.google.com ~all<\/p>\n\n\n\n
Two constraints you need to know right away. You can only have one SPF record per domain. And SPF allows a maximum of 10 DNS lookups before it breaks.<\/p>\n\n\n\n
SPF alone does not cover everything. DKIM and DMARC complete the authentication stack. But for cold emailers and marketers, SPF is not optional. It is the bare minimum.<\/p>\n\n\n\n
Below, I will break down exactly how SPF works, show you how to build your record, and walk through the mistakes I see most often.<\/p>\n\n\n\n
SPF stands for Sender Policy Framework. It is a DNS TXT record published on your domain that tells receiving servers which IP addresses and servers you authorize to send email on your behalf.<\/p>\n\n\n\n
Think of it as a guest list for your domain. Only servers on that list get permission to send email as you.<\/p>\n\n\n\n
Every major inbox provider checks SPF. Gmail, Outlook, Yahoo, and others all verify SPF before deciding where to place your email.<\/p>\n\n\n\n
The standard was formalized as RFC 7208. But you do not need to read the RFC to use SPF correctly.<\/p>\n\n\n\n
Here is what matters for email senders:<\/p>\n\n\n\n
Most guides explain SPF from the DNS admin’s perspective. That is not who this blog is for. If you send cold emails, marketing campaigns, or transactional messages, SPF directly affects whether your emails reach the inbox.<\/strong><\/p>\n\n\n\n SPF authentication follows a straightforward process. Every time you send an email, the receiving server runs a quick check behind the scenes.<\/p>\n\n\n\n Here is the step-by-step flow:<\/p>\n\n\n\n One critical misconception trips up most senders. SPF checks the return-path domain, not the visible “From” address.<\/strong> These are often different, and this distinction causes most SPF confusion.<\/p>\n\n\n\n The return-path is a hidden email header<\/u><\/a> that tells servers where to send bounce notifications. Your recipients never see it. But SPF only cares about this header.<\/p>\n\n\n\n So if your return-path domain does not have SPF set up, authentication fails. It does not matter what your “From” address says.<\/p>\n\n\n\n After the SPF check runs, the receiving server gets one of five results. Each one triggers a different response.<\/p>\n\n\n\n For deliverability, Pass and Fail matter most.<\/em> SoftFail is a gray zone that Gmail and Outlook increasingly treat like a Fail.<\/p>\n\n\n\n When SPF fails on Gmail, the email does not always bounce. It often lands in spam with a warning banner. That is worse than a bounce because your sender reputation takes the hit silently.<\/p>\n\n\n\n If you are seeing bounced emails<\/u><\/a> or unexplained spam placement, check your SPF result first. It is the fastest diagnostic step.<\/p>\n\n\n\n An SPF record looks intimidating at first glance. But once you break it down, every piece has a clear purpose.<\/p>\n\n\n\n Here is an example:<\/p>\n\n\n\n v=spf1 ip4:192.0.2.1 include:_spf.google.com ~all<\/p>\n\n\n\n Let me walk through each component:<\/p>\n\n\n\n The last part of the record is the “all” mechanism. It tells servers what to do with senders not listed in the record:<\/p>\n\n\n\n You can use the SPF record generator<\/u><\/a> on TrulyInbox to build your record without memorizing this syntax.<\/p>\n\n\n\n No SERP competitor provides ready-to-use SPF records for common email stacks. Here are the ones I use and recommend.<\/p>\n\n\n\n Google Workspace only:<\/strong><\/p>\n\n\n\n v=spf1 include:_spf.google.com -all<\/p>\n\n\n\n Microsoft 365 only:<\/strong><\/p>\n\n\n\n v=spf1 include:spf.protection.outlook.com -all<\/p>\n\n\n\n Google Workspace + a cold email tool (e.g., SendGrid):<\/strong><\/p>\n\n\n\n v=spf1 include:_spf.google.com include:sendgrid.net -all<\/p>\n\n\n\n Multi-service stack (Google Workspace + Brevo + Help Scout):<\/strong><\/p>\n\n\n\n v=spf1 include:_spf.google.com include:spf.brevo.com include:helpscoutemail.com -all<\/p>\n\n\n\n Notice each record uses -all at the end. I recommend HardFail for any domain that has verified all its sending services. Start with ~all only if you are still testing.<\/p>\n\n\n\n Also notice that every record is a single line. You cannot split SPF across multiple TXT records. One domain, one SPF record.<\/p>\n\n\n\n Creating an SPF record is not complicated. But you need to be methodical. Miss one sending service and those emails fail authentication.<\/p>\n\n\n\n Here is the step-by-step process:<\/p>\n\n\n\n I recommend verifying immediately after publishing. If your record has a syntax error, you will catch it faster.<\/p>\n\n\n\n For the complete setup process including DKIM and DMARC, check out this guide on how to set up SPF, DKIM, and DMARC<\/u><\/a>.<\/p>\n\n\n\n Before you create a new SPF record, check whether one already exists. Having two SPF records on the same domain causes both to fail with a PermError.<\/p>\n\n\n\n You can check using these methods:<\/p>\n\n\n\n If a record already exists, modify it.<\/em> Do not create a second one. Add your new include values to the existing record.<\/p>\n\n\n\n This is the most under-discussed SPF issue for email senders. And it is the #1 reason SPF records break silently at scale.<\/p>\n\n\n\n SPF allows a maximum of 10 DNS lookups per record. The RFC 7208 specification enforces this limit to prevent DNS abuse.<\/p>\n\n\n\n Here is what counts toward the limit:<\/p>\n\n\n\n Here is what does not count:<\/p>\n\n\n\n If your record exceeds 10 lookups, SPF returns a PermError.<\/strong> That means SPF fails for every single email you send. Not just some. All of them.<\/p>\n\n\n\n The tricky part is that your SPF record can look perfectly correct on paper. But if the nested includes push you past 10, it breaks without warning.<\/p>\n\n\n\n I have seen domains running 4 to 5 email tools blow past the 10-lookup limit without realizing it. Their SPF looked correct in the DNS panel. But every email was failing authentication silently.<\/p>\n\n\n\n If you are using multiple sending services, this is worth checking today. Especially if you run a shared IP vs dedicated IP<\/u><\/a> setup with several tools.<\/p>\n\n\n\n If you are hitting the 10-lookup limit, here are practical ways to bring the count down:<\/p>\n\n\n\n The simplest fix is usually the second one.<\/em> Most senders have at least one outdated include from a tool they stopped using months ago.<\/p>\n\n\n\n I have audited hundreds of domains through running TrulyInbox. These seven mistakes show up again and again.<\/p>\n\n\n\n DNS allows only one SPF record per domain. If you add a second one, both fail with a PermError. Combine all your senders into a single record.<\/p>\n\n\n\n This tells receiving servers to accept email from any IP. It completely disables SPF protection. Never use +all under any circumstances.<\/p>\n\n\n\n Your CRM, helpdesk, transactional service, etc., all send email.<\/p>\n\n\n\n If any of these are missing from your SPF record, those emails fail authentication.<\/p>\n\n\n\n Take 10 minutes to list every tool that sends from your domain. Cross-reference that list with your SPF record.<\/p>\n\n\n\n I covered this in detail above. But it belongs on this list because it is the most common silent failure. Check your lookup count using an SPF lookup tool.<\/p>\n\n\n\n If you moved from one email tool to another, update your SPF record. The old include is a security risk. The new tool’s emails will fail without its include.<\/p>\n\n\n\n SPF checks the return-path domain. If your return-path uses a different domain than your From address, you need SPF on the return-path domain. Verify which domain your sending tools actually use for the return-path.<\/p>\n\n\n\n SPF only validates the return-path domain. It does not verify the visible From header. Full “From” address protection requires DMARC alignment on top of SPF.<\/p>\n\n\n\n If you want protection against spoofing, you also need to watch for email blacklist<\/u><\/a> issues.<\/p>\n\n\n\n SPF validates the sending server. It does not validate the email content or the visible From address. And it breaks completely on forwarding.<\/p>\n\n\n\n That is why SPF is just one piece of the authentication stack. DKIM and DMARC fill the gaps SPF leaves open.<\/p>\n\n\n\n Here is how the three work together:<\/p>\n\n\n\n The major inbox providers now require all three:<\/p>\n\n\n\n SPF is step one, not the whole solution.<\/strong> Without DKIM, your emails have no integrity verification. Without DMARC, you have no policy enforcement or reporting.<\/p>\n\n\n\n If you do not have DMARC set up yet, read this guide on what happens when you have no DMARC record found<\/u><\/a> on your domain.<\/p>\n\n\n\n Here is a side-by-side breakdown of what each protocol does:<\/p>\n\n\n\nHow Does SPF Authentication Work?<\/h2>\n\n\n\n
\n
SPF Results Explained (Pass, Fail, SoftFail, Neutral, None)<\/h3>\n\n\n\n
\n
SPF Record Syntax: Breaking Down Each Component<\/h2>\n\n\n\n
\n
\n
Real-World SPF Record Examples<\/h3>\n\n\n\n
How to Create an SPF Record for Your Domain<\/h2>\n\n\n\n
\n
How to Check If You Already Have an SPF Record<\/h3>\n\n\n\n
\n
The 10 DNS Lookup Limit: Why SPF Records Break<\/h2>\n\n\n\n
\n
\n
How to Reduce DNS Lookups in Your SPF Record<\/h3>\n\n\n\n
\n
Common SPF Record Mistakes (And How to Fix Them)<\/h2>\n\n\n\n
1. Creating multiple SPF records<\/h3>\n\n\n\n
2. Using +all<\/h3>\n\n\n\n
3. Forgetting to include all sending services<\/h3>\n\n\n\n
4. Exceeding the 10-lookup limit<\/h3>\n\n\n\n
5. Not updating SPF when switching tools<\/h3>\n\n\n\n
6. Adding SPF to the wrong domain<\/h3>\n\n\n\n
7. Expecting SPF to authenticate the “From” address<\/h3>\n\n\n\n
SPF Alone Isn’t Enough: How It Works with DKIM and DMARC<\/h2>\n\n\n\n
\n
\n
SPF vs DKIM vs DMARC: Quick Comparison<\/h3>\n\n\n\n