SPF record guide

Sender Policy Framework tells receiving mail servers which IPs and services are allowed to send email for your domain.

SPF is a DNS TXT record published at your domain (or at the subdomain used for the envelope sender) that lists authorized mail sources. When a message arrives, receivers can check whether the sending IP matches your policy.

Why SPF matters

Without SPF (or with a broken one), it is easier for others to forge mail that appears to come from your domain. Major providers use SPF as one signal when deciding inbox vs spam vs reject.

One SPF record per hostname

You should have only one SPF TXT record for a given domain or subdomain. If you add multiple SPF TXT records, validation fails. Merge includes and mechanisms into a single record.

The 10 DNS lookup limit

SPF evaluation allows at most 10 DNS lookups across the terms that trigger DNS queries, such as the include:, a, and mx mechanisms and the redirect modifier. Exceeding this causes SPF to fail or return “permerror,” which hurts deliverability. If you are close to the limit, flatten includes or remove unused vendors.

Common mistakes

  • Multiple SPF TXT records on the same host
  • Using +all or neutral policies that do not actually restrict senders
  • Forgetting to add a new ESP or transactional provider after switching tools
  • Nested include: chains that blow past the lookup limit

All mechanism

The all mechanism defines the default for every sender not matched by an earlier mechanism in the record. -all is strict (fail unknown senders), ~all is a soft fail (often used while testing), and ?all is neutral. Align your policy with DMARC once you are confident.
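
The checks described in the sections above (one record per hostname, the 10-lookup limit, and permissive all policies) can be automated. The following is an added example, not code from this guide's tools: the hostnames, the ZONE data and the function names are constructed for illustration, and a dictionary stands in for live DNS so it runs offline.

```python
ZONE = {  # constructed sample data standing in for DNS TXT answers (not real domains)
    "ok.test": ["v=spf1 mx include:_spf.esp.test -all", "site-verification=constructed"],
    "dup.test": ["v=spf1 mx -all", "v=spf1 include:_spf.esp.test ~all"],
    "open.test": ["v=spf1 include:_spf.esp.test +all"],
    "deep.test": ["v=spf1 a mx include:_spf.esp.test include:_spf.crm.test include:_spf.desk.test -all"],
    "_spf.esp.test": ["v=spf1 a:out.esp.test mx:esp.test exists:%{i}.bl.esp.test -all"],
    "_spf.crm.test": ["v=spf1 include:_spf.esp.test a/24 -all"],
    "_spf.desk.test": ["v=spf1 redirect=_spf.crm.test"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # ip4, ip6, all cost nothing

def spf_records(host, zone):
    """TXT strings at host that are SPF records (other TXT data is ignored)."""
    return [t for t in zone.get(host, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(host, zone, path=()):
    """Count DNS-querying terms, following include: and redirect= recursively."""
    recs = spf_records(host, zone)
    if host in path or len(recs) != 1:  # include loop or unusable record: stop here
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        term = term.lstrip("+-~?")
        sep = "=" if term.startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0]  # "a/24" and "mx/24" still cost a lookup
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):  # the referenced record's terms count too
                total += count_lookups(target, zone, path + (host,))
    return total

def lint(host, zone):
    """Return a list of findings for the SPF policy published at host."""
    recs = spf_records(host, zone)
    if len(recs) != 1:
        return ["expected exactly one SPF record, found %d" % len(recs)]
    findings, terms = [], recs[0].lower().split()[1:]
    if "+all" in terms or "all" in terms:  # a bare "all" defaults to the + qualifier
        findings.append("+all authorizes every sender")
    elif "?all" in terms:
        findings.append("?all is neutral and restricts nothing")
    lookups = count_lookups(host, zone)
    if lookups > 10:
        findings.append("%d DNS lookups, limit is 10" % lookups)
    return findings

if __name__ == "__main__":
    print({h: lint(h, ZONE) for h in ("ok.test", "dup.test", "open.test", "deep.test")})
```

In the sample data, deep.test lists only five lookup terms of its own, yet its vendors' nested records bring the total to 19, which is how include chains exceed the limit unnoticed.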

Try the SPF flattener tool or run a full deliverability check on your domain.