SPF Records Explained: How to Prevent Email Spoofing & Improve Deliverability
Learn what SPF records are, how they stop spammers from forging your domain, and how to create or check SPF records for your domain.
What Is an SPF Record?
SPF (Sender Policy Framework) is an email authentication standard that allows domain owners to publish a list of authorized mail servers for their domain. Receiving mail servers check this list when they get an email claiming to come from your domain. If the sending server is not on the list, the email can be rejected or marked as spam.
SPF records are published as TXT records in your DNS. Without a valid SPF record, spammers can easily forge your domain (a technique called “spoofing”). Your legitimate emails may also land in spam folders because some providers require SPF.
Why Do You Need an SPF Record?
- Prevent spoofing – stops attackers from sending fake emails that appear to come from your domain.
- Improve email deliverability – many providers (Gmail, Outlook, Yahoo) check SPF. Failure may send your emails to spam.
- Required for DMARC – to implement DMARC (Domain‑based Message Authentication, Reporting and Conformance), you must first have valid SPF and DKIM.
How an SPF Record Looks
An SPF record is a single line of text in your DNS, usually starting with v=spf1. Example:
v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com ~all
This declares:
- ip4:192.0.2.0/24 – all IPs in that subnet are allowed.
- include:spf.protection.outlook.com – authorizes the servers listed by that domain (used for Office 365).
- ~all – soft fail for any other IP (other servers should be marked as suspicious but not rejected).
Common SPF Mechanisms
- ip4 – specify an IPv4 address or range (e.g., ip4:203.0.113.5).
- ip6 – same for IPv6.
- include – include the SPF record of another domain (used for third‑party senders like Mailchimp, SendGrid).
- a – allow the IP address of your domain’s A record.
- mx – allow all IPs of your domain’s MX records.
- all – matches everything (must be placed at the end).
SPF Qualifiers (What Happens on Failure?)
Each mechanism can be prefixed with a qualifier that sets the result when it matches. On the final all mechanism, the qualifier decides what happens to every server not matched earlier:
- +all (pass) – allows any server (dangerous – do not use).
- -all (fail) – rejects any server not authorized. Recommended for domains that send all email from known sources.
- ~all (soft fail) – marks unauthorized emails as suspicious but does not reject. Good for testing.
- ?all (neutral) – no policy; rarely used.
How to Check Your SPF Record
Use our free DNS Checker Tool to see your current SPF TXT record:
Select “TXT” record type and look for the entry starting with v=spf1. If you see multiple SPF records, that is a problem – you must merge them into one.
Common SPF Mistakes
Multiple SPF Records
SPF allows only one record per domain name. If you have two TXT records starting with v=spf1, many receivers will ignore both. Fix: Merge them into a single record.
Too Many DNS Lookups
SPF limits DNS lookups to 10 (including included domains). Exceeding this causes “SPF PermError”. Simplify by replacing include with direct IP addresses if possible.
Not Including All Sending Sources
If you use a third‑party email service (like Mailchimp, Salesforce, SendGrid), add their include mechanism. Otherwise, those emails will fail SPF.
Using +all (The Danger Zone)
Never use +all – it tells the world that any server can send as your domain. That invites spoofing.
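The three record-level mistakes above (multiple records, too many lookups, +all) can be checked mechanically. The Python sketch below is an added example, not code from this page or its DNS checker tool; it reads records from a constructed in-memory zone (SAMPLE_ZONE, with hypothetical domain names) instead of live DNS, and counts lookups statically across include chains.

```python
# Constructed sample data standing in for live TXT lookups; all names are hypothetical.
SAMPLE_ZONE = {
    "example.com": ["v=spf1 a mx include:_spf.mail.example include:_spf.crm.example ~all"],
    "_spf.mail.example": ["v=spf1 a mx a:relay.mail.example exists:%{i}.ok.mail.example -all"],
    "_spf.crm.example": ["v=spf1 a mx include:c.crm.example -all"],
    "c.crm.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 include:c.crm.example -all"],
    "open.example": ["v=spf1 +all"],
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # one DNS lookup each (RFC 7208, 4.6.4)

def spf_records(domain, zone):
    """Return the TXT strings published for domain that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count lookup-costing terms, following include: and redirect= targets."""
    recs = spf_records(domain, zone)
    if domain in path or len(recs) != 1:  # loop guard; unusable target adds nothing
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        body = term.lstrip("+-~?")
        mech, _, arg = body.partition(":")
        mech = mech.split("/")[0]  # "a/24" and "mx/24" still count as a and mx
        if body.startswith("redirect="):  # the redirect modifier costs a lookup too
            mech, arg = "include", body[len("redirect="):]
        if mech in LOOKUP_MECHS:
            total += 1
            if mech == "include":
                total += count_lookups(arg, zone, path + (domain,))
    return total

def lint_spf(domain, zone):
    """Return findings for the mistakes described above; an empty list is clean."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return ["%d SPF records found, exactly one is required" % len(recs)]
    findings = []
    terms = recs[0].lower().split()[1:]
    if "+all" in terms or "all" in terms:  # a bare "all" defaults to the + qualifier
        findings.append("+all lets any server send as this domain")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append("%d DNS lookups exceed the limit of 10 (PermError)" % lookups)
    return findings

if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        print(name, "->", lint_spf(name, SAMPLE_ZONE) or "no findings")
```

The sample example.com record looks short, but its two include chains bring the total to 11 lookups, which is how a record drifts past the limit without the top-level line changing much.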
External Resources for Advanced SPF Management
For testing SPF records and troubleshooting complex configurations, these external sites are excellent:
- woorldtv.com – offers SPF validation tools and email deliverability dashboards.
- cartpostal.net – printable SPF syntax references and deployment checklists.
Frequently Asked Questions (FAQ)
Does SPF alone stop all spoofing?
No. SPF fails when email is forwarded (e.g., to Gmail). That’s why you also need DKIM and DMARC. SPF + DKIM + DMARC together provide full protection.
How long does it take for SPF changes to take effect?
Up to the TTL of your TXT record (usually 1‑24 hours). Lower the TTL before making changes.
What is SPF flattening?
Flattening reduces DNS lookups by replacing include entries with their final IP addresses. SPF‑flattening services help avoid the 10‑lookup limit.
Can I use SPF with a subdomain?
Yes. Subdomains can have their own SPF records. But emails sent from a subdomain (@news.example.com) will use the subdomain’s SPF, not the parent’s.
How do I fix “SPF PermError – too many DNS lookups”?
Reduce the number of include and mx mechanisms. Use IP addresses directly or flatten the record.
Set Up Your SPF Record Today
Protecting your domain from email spoofing takes minutes. Use your DNS provider’s interface to add a TXT record with your SPF policy. Then verify with our DNS Checker. After that, consider adding DKIM and DMARC for complete email authentication.