SPF Record — Email Sender Authentication

Learn how to create SPF (Sender Policy Framework) TXT records to authorize email senders for your domain. Understand mechanisms, qualifiers, and lookup limits.


Zone File Entry

example.com.    IN    TXT    "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"

Detailed Explanation

What Is an SPF Record?

SPF (Sender Policy Framework) is an email authentication mechanism published as a DNS TXT record on the sending domain. It lists which mail servers are authorized to send email on behalf of your domain, so a receiving server can compare the connecting IP address against that list and detect forged sender addresses. Note that SPF checks the envelope sender (the SMTP MAIL FROM / Return-Path domain) and the HELO name, not the From: header a user sees in their mail client; protecting that visible address is the job of DKIM and DMARC, which build on SPF.

BIND Zone File Syntax

; Basic SPF for Google Workspace
example.com.    3600    IN    TXT    "v=spf1 include:_spf.google.com ~all"

; SPF for Microsoft 365
example.com.    3600    IN    TXT    "v=spf1 include:spf.protection.outlook.com -all"

; Complex SPF with multiple senders
example.com.    3600    IN    TXT    "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.50 -all"

SPF Mechanisms

SPF records use a series of mechanisms to define authorized senders. The receiver evaluates them left to right and stops at the first one that matches the connecting IP:

Mechanism           Description
ip4:<addr>[/len]    Authorize a specific IPv4 address or CIDR range
ip6:<addr>[/len]    Authorize a specific IPv6 address or CIDR range
include:<domain>    Evaluate another domain's SPF record; matches only if that record returns Pass
a[:<domain>]        Authorize the A/AAAA addresses of the domain (by default, the current domain)
mx[:<domain>]       Authorize the A/AAAA addresses of the domain's MX hosts
all                 Match everything (used as the final catch-all)

Qualifiers

Each mechanism can be prefixed with a qualifier:

  • + (Pass, default) — Authorize the sender
  • - (Fail) — Reject unauthorized senders (hard fail)
  • ~ (SoftFail) — Receiver should accept but may treat the message as suspicious
  • ? (Neutral) — No policy statement (treated much like having no SPF record)

A qualifier applies only to the single mechanism it precedes, and the first matching mechanism decides the result, so order matters. The -all at the end means "reject everything not explicitly authorized," which is the strictest and most secure setting; a record that reaches the end without matching anything and has no all term returns Neutral.

The 10-Lookup Limit

SPF has a critical limitation: a maximum of 10 DNS-querying terms during evaluation. Each include:, a, mx, ptr and exists mechanism and each redirect= modifier counts as one lookup; ip4:, ip6: and all do not, because they need no DNS query. Nested includes within included domains also count toward this limit, since the counter is shared across the whole evaluation.

Exceeding the limit causes a PermError (permanent error). Receivers treat this as "not Pass," and DMARC counts it as an SPF failure, so an oversized record can cause legitimate mail to be rejected or quarantined. To stay within the limit:

  • Use ip4: and ip6: instead of a or mx where possible
  • Consolidate senders and remove unused include: entries
  • Use SPF flattening tools if you have many third-party senders, but keep in mind that flattened addresses go stale when a provider changes its ranges, so the flattened record must be regenerated regularly
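The following is an added example, not code from the original page: a small offline SPF evaluator in Python that implements the mechanisms and qualifiers described in the sections above, counts DNS-querying terms the way RFC 7208 does, and returns PermError for the conditions this page warns about (more than ten lookups, and, from the best practices, more than one SPF record on a domain) plus one closely related one (an include: of a domain that publishes no SPF record). The DNS data is a constructed in-memory table using documentation addresses; the domain names (_spf.mail.example, spf.crm.example, deep.example and so on) are assumptions for illustration, not real senders. Dual-CIDR suffixes such as a/24, ptr, exists and macros are left out.

```python
import ipaddress

# Constructed, offline DNS data for this example (documentation IPs, not real records).
# TXT holds SPF records; A/AAAA/MX feed the a and mx mechanisms.
ZONE = {
    "example.com": {"TXT": ["v=spf1 include:_spf.mail.example include:spf.crm.example ip4:203.0.113.0/24 -all"],
                    "A": ["198.51.100.10"], "MX": ["mx1.example.com"]},
    "mx1.example.com": {"A": ["198.51.100.20"]},
    "_spf.mail.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"]},
    "spf.crm.example": {"TXT": ["v=spf1 a mx ~all"], "A": ["198.51.100.30"], "MX": ["mx.crm.example"]},
    "mx.crm.example": {"A": ["198.51.100.40"]},
    "alias.example": {"TXT": ["v=spf1 redirect=example.com"]},
    # Two v=spf1 records on one name: invalid, evaluation returns PermError.
    "two-records.example": {"TXT": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"]},
    # Eleven includes: one more DNS-querying term than the limit allows.
    "deep.example": {"TXT": ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"]},
    **{f"hop{i}.example": {"TXT": ["v=spf1 ip4:198.51.100.99 -all"]} for i in range(11)},
    # An include: target that publishes no SPF record at all.
    "nospf.example": {"TXT": ["v=spf1 include:silent.example -all"]},
    "silent.example": {"A": ["198.51.100.50"]},
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Malformed or over-limit record: the receiver cannot evaluate it."""


def lookup(name, rtype):
    return ZONE.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain):
    """RFC 7208 section 4.5: exactly one v=spf1 TXT record; two or more is a PermError."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split(None, 1)[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise PermError(f"{domain}: {len(records)} SPF records published")
    return records[0] if records else None


def _count_lookup(counter, domain):
    counter["n"] += 1
    if counter["n"] > MAX_LOOKUPS:
        raise PermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")


def check_host(ip, domain, counter=None):
    """Return (result, lookups_used); counter is shared across include/redirect hops.
    Dual-CIDR suffixes (a/24), ptr, exists and macros are left out for brevity."""
    counter = counter if counter is not None else {"n": 0}
    addr = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record is None:
        return "none", counter["n"]
    redirect = None
    for term in record.split()[1:]:
        if "=" in term and ":" not in term.split("=", 1)[0]:  # modifier: redirect=, exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"                                       # "+" is the default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("include", "a", "mx"):
            _count_lookup(counter, domain)                    # these query DNS; ip4/ip6/all do not
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)  # False on v4/v6 mismatch
        elif mech in ("a", "mx"):
            target = arg or domain
            names = [target] if mech == "a" else lookup(target, "MX")
            hosts = [h for n in names for h in lookup(n, "A") + lookup(n, "AAAA")]
            matched = any(addr == ipaddress.ip_address(h) for h in hosts)
        elif mech == "include":
            sub, _ = check_host(ip, arg, counter)
            if sub == "none":  # RFC 7208 section 5.2: including a domain with no SPF is a PermError
                raise PermError(f"{domain}: include:{arg} has no SPF record")
            matched = sub == "pass"                           # fail/softfail/neutral do not match
        else:
            raise PermError(f"{domain}: unknown mechanism {mech}")
        if matched:
            return QUALIFIERS[qualifier], counter["n"]
    if redirect:
        _count_lookup(counter, domain)
        result, used = check_host(ip, redirect, counter)
        if result == "none":
            raise PermError(f"{domain}: redirect={redirect} has no SPF record")
        return result, used
    return "neutral", counter["n"]                            # nothing matched and no all term


def audit(ip, domain):
    """Fold PermError into the result tuple so a report can list it beside the others."""
    try:
        return check_host(ip, domain)
    except PermError as e:
        return "permerror", str(e)
```

Calling audit("10.0.0.1", "deep.example") returns ("permerror", "deep.example: more than 10 DNS lookups"), while audit("198.51.100.99", "deep.example") returns ("pass", 1): evaluation stops at the first match, so a sender listed early is charged fewer lookups than one that falls through to -all. When checking a record against the limit, test with an IP that matches nothing, because that path performs every lookup the record can trigger.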

Best Practices

  • Start with ~all (SoftFail) and monitor, then switch to -all once you confirm all legitimate senders are listed
  • Publish only one SPF record per domain, with all mechanisms combined into a single TXT record; a domain with two v=spf1 records evaluates to PermError, not to the union of the two
  • If the record exceeds 255 characters, split it into multiple quoted strings inside the same TXT record (receivers concatenate them); do not create a second record
  • Verify the published record after every change (for example with dig TXT example.com) and regularly audit which services send email on your behalf

Use Case

Add an SPF record to authorize your email sending services (Google Workspace, Microsoft 365, transactional email providers) so that receivers can reject mail whose envelope sender claims your domain from an unlisted server. SPF on its own does not protect the visible From: header; pair it with DKIM and DMARC for that.
