SPF
SPF is a DNS record that lists every server allowed to send mail for your domain — so receiving servers can reject anyone else who tries.
- Sender Policy Framework
- Email authentication · DNS
- Every domain that sends mail through any third-party platform
- Before you send the first message from a new domain
What it is
SPF is defined in RFC 7208. It is a single TXT record at the root of your domain that names every IP block or hosted service authorized to put mail into the world on your behalf. When a receiving server gets a message claiming to be from you, it looks at the IP that actually delivered it, then looks up your SPF record. If the IP is not in the list, the message fails SPF and most receivers will treat that as a strong signal of spoofing.
How it works
An SPF record is a space-separated list of mechanisms. Each mechanism either authorizes a source — ip4:, ip6:, a:, mx:, include: — or sets the default for everything else with all. The leading qualifier on the final mechanism is what decides how strict you are: -all means hard-fail anything else, ~all means soft-fail.
; Example SPF TXT record at the apex of example.com
example.com. IN TXT "v=spf1 ip4:198.51.100.0/24 include:_spf.google.com include:amazonses.com -all"
SPF has a hard limit you cannot ignore: evaluating a record may trigger no more than ten DNS queries. Every include: counts, and so does each a:, mx:, ptr:, or exists: mechanism (ip4: and ip6: are free). Stack up SendGrid, Mailgun, HubSpot, and Salesforce on the same domain and you will silently exceed the limit, at which point your SPF is treated as a permanent error and effectively absent.
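To make the lookup-count rule concrete, here is an added Python example (not code from this page or from NeverSpam) that parses an SPF record, reads the qualifier on all, and counts DNS-querying mechanisms recursively through include: and redirect=. It resolves against a constructed in-memory zone instead of live DNS, so every domain name and record in it is hypothetical.

```python
import re

# Constructed stand-in for DNS: hypothetical apex TXT records, not real ones.
ZONE = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example include:relay.example -all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_b.mailer.example": "v=spf1 ip6:2001:db8::/32 -all",
    "relay.example": "v=spf1 mx a:mail.relay.example -all",
    "crm.example": "v=spf1 include:_spf.mailer.example include:relay.example -all",
    # Three vendors stacked on one domain: silently past the limit.
    "bloated.example": "v=spf1 include:_spf.mailer.example include:relay.example include:crm.example ~all",
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query
MAX_LOOKUPS = 10                                        # RFC 7208 section 4.6.4
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?", re.I)

def parse_terms(record):
    """Split 'v=spf1 ...' into (qualifier, name, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    out = []
    for term in terms[1:]:
        m = TERM.fullmatch(term)
        if not m:
            raise ValueError(f"bad term: {term}")
        out.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return out

def count_lookups(domain, zone=ZONE, path=()):
    """Total DNS-querying terms reached from domain, descending into include:/redirect=."""
    if domain in path:
        return 0  # include loop: stop rather than recurse forever
    total = 0
    for _q, name, arg in parse_terms(zone[domain]):
        if name in LOOKUP_MECHS or name == "redirect":
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (domain,))
    return total

def all_qualifier(record):
    """Qualifier on 'all': '-' hard fail, '~' soft fail, '?' neutral, None if absent."""
    return next((q for q, name, _ in parse_terms(record) if name == "all"), None)

def check(domain, zone=ZONE):
    """Lookup count, whether receivers will return permerror, and the all qualifier."""
    n = count_lookups(domain, zone)
    return {"lookups": n, "permerror": n > MAX_LOOKUPS, "all": all_qualifier(zone[domain])}
```

Running check("bloated.example") shows how three ordinary-looking includes add up to 13 lookups once their own includes are followed.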
Why it matters
SPF alone is not enough. It does nothing about message integrity, it breaks when mail is forwarded, and it authenticates the envelope sender rather than the visible From address. But it is the cheapest and oldest layer of authentication, and DMARC explicitly leans on it. A passing, aligned SPF result is one of the two ways your domain can satisfy DMARC — the other being DKIM.
Set SPF wrong and your perfectly written cold campaign hits the spam folder before content classifiers even read the body. Set it right and you have done the easiest 30 minutes of deliverability work available.
Related
- DKIM — the cryptographic counterpart
- DMARC — the policy enforced over SPF and DKIM
- Sender reputation
- Cold email deliverability checklist
- See how NeverSpam works