
    SPF Record Explained - Syntax, Examples, and Common Mistakes

    Learn how SPF records authorize mail senders, how SPF syntax works, how to avoid the 10-DNS-lookup limit, and how to validate SPF with dig.


    TL;DR

    An SPF record is a DNS TXT record that lists which servers may send email for your domain. It starts with v=spf1 and ends with an all mechanism such as ~all or -all. SPF is checked against the SMTP envelope sender, not always the visible From header, so SPF alone does not stop spoofing. Use one SPF record per name, stay under 10 DNS lookups, include every legitimate sender, and pair SPF with DKIM and DMARC.

    What you'll learn

    • Understand what SPF validates and what it does not validate
    • Build a correct SPF TXT record
    • Avoid duplicate SPF records and lookup-limit failures
    • Validate SPF records with command-line tools

    SPF (Sender Policy Framework) is a DNS-based email authentication mechanism. It tells receiving mail servers which IP addresses or services are allowed to send mail for your domain.

    SPF is published as a TXT record. It is one part of the full email-authentication stack alongside DKIM and DMARC.

    What SPF Checks

    SPF checks the SMTP envelope sender, also called the return-path or bounce domain. That is not always the same as the visible From: header that users see in their mail client.

    This distinction matters:

    • SPF can prove that a mail server is authorized for the envelope domain.
    • SPF alone cannot prove that the visible From domain is legitimate.
    • DMARC adds alignment between SPF/DKIM and the visible From domain.

    SPF Syntax

    A basic SPF record:

    example.com.  3600  IN  TXT  "v=spf1 include:_spf.google.com -all"

    Parts:

    Part                      Meaning
    v=spf1                    SPF version marker. Must come first.
    include:_spf.google.com   Authorize senders listed by another domain.
    ip4:203.0.113.10          Authorize an IPv4 address or range.
    ip6:2001:db8::/32         Authorize an IPv6 range.
    mx                        Authorize hosts listed in MX records.
    a                         Authorize IPs in A/AAAA records.
    ~all                      Soft fail unmatched senders.
    -all                      Hard fail unmatched senders.

    Common Examples

    Google Workspace:

    v=spf1 include:_spf.google.com ~all

    Microsoft 365:

    v=spf1 include:spf.protection.outlook.com ~all

    Google Workspace plus a transactional provider:

    v=spf1 include:_spf.google.com include:sendgrid.net ~all

    Custom outbound server:

    v=spf1 ip4:203.0.113.10 mx -all

    Qualifiers

    Qualifier   Result      Use
    +           Pass        Rarely written because pass is the default.
    ~           Soft fail   Good during rollout.
    -           Hard fail   Good once all senders are known.
    ?           Neutral     Avoid for production policy.

    Never publish +all. It allows every sender and defeats SPF.
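    As an added example that is not code from the original article or from DNScale, the Python below parses an SPF record into its (qualifier, term, argument) parts and flags the syntax problems discussed above: a record that does not start with v=spf1, +all or ?all, mechanisms placed after all (which are never evaluated, because all always matches), and a record with no all terminator. Term names follow RFC 7208; the records checked in the usage at the bottom are the ones shown on this page.

```python
# SPF mechanisms and modifiers as defined by RFC 7208.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
QUALIFIERS = "+-~?"


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, argument) terms.

    Returns the terms after the v=spf1 marker; raises ValueError when the
    record does not begin with the version marker.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                        # pass is the default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                        # modifier, e.g. redirect=_spf.example.net
            name, _, arg = term.partition("=")
            parsed.append((qualifier, name.lower(), arg))
            continue
        name, _, arg = term.partition(":")     # mechanism, e.g. include:_spf.google.com
        if "/" in name:                        # a/24 or mx/24: CIDR suffix without a colon
            name, _, cidr = name.partition("/")
            arg = "/" + cidr
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def lint_spf(record):
    """Return human-readable problems with a record; an empty list means it looks sane."""
    try:
        terms = parse_spf(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    seen_all = False
    for qualifier, name, arg in terms:
        if name not in MECHANISMS and name not in MODIFIERS:
            problems.append(f"unknown term '{name}'")
        elif seen_all and name in MECHANISMS:
            problems.append(f"'{name}' after 'all' is never evaluated")
        if name == "all":
            seen_all = True
            if qualifier == "+":
                problems.append("'+all' authorizes every sender and defeats SPF")
            elif qualifier == "?":
                problems.append("'?all' is neutral and gives receivers no policy")
        if name in {"include", "exists", "redirect"} and not arg:
            problems.append(f"'{name}' requires a domain argument")
        if name in {"ip4", "ip6"} and not arg:
            problems.append(f"'{name}' requires an address argument")
    if not seen_all and not any(name == "redirect" for _, name, _ in terms):
        problems.append("no 'all' mechanism: unmatched senders default to neutral")
    return problems


if __name__ == "__main__":
    for rec in ("v=spf1 include:_spf.google.com -all",
                "v=spf1 ip4:203.0.113.10 mx -all",
                "v=spf1 +all",
                "v=spf1 -all include:sendgrid.net"):
        print(rec, "->", lint_spf(rec) or "ok")
```

    The linter only inspects the text of one record; whether the included domains resolve, and how many DNS lookups the chain costs, is a separate check.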

    The 10-Lookup Limit

    SPF evaluation permits at most 10 DNS lookups per check. Each of these terms counts toward the limit (ip4, ip6, and all do not, because they need no query):

    • include
    • a
    • mx
    • ptr
    • exists
    • redirect

    If you include several SaaS providers, each provider's record may itself include further domains behind the scenes, so a handful of include terms can push the total past 10. When that happens, SPF evaluation returns PermError and receivers treat the record as broken.

    Fixes:

    • Remove senders you no longer use.
    • Use subdomains for separate mail streams.
    • Prefer explicit ip4/ip6 ranges for stable infrastructure.
    • Flatten only if you have a process to keep ranges updated.
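    As an added example that is not part of the original article, the Python below follows an SPF record's include and redirect chain and counts the DNS-querying terms the way a receiver does, returning PermError once the total exceeds 10. It resolves names against a constructed in-memory table of TXT records (the .example domain names and every record in it are made up to stand in for live DNS answers), so it runs offline. The same helper enforces the one-record-per-name rule from the Validation section and the FAQ below, since a name with zero or two v=spf1 records is also a PermError. The fixed.example.com entry shows one of the fixes above applied: the redirect-heavy include for the third provider is replaced by its explicit ip4 address.

```python
# Constructed TXT data standing in for live DNS answers. Names and record
# contents are illustrative; none of these are real published SPF records.
ZONE = {
    "example.com": [
        "v=spf1 include:_spf.provider-a.example include:mail.saas-b.example "
        "include:mail.saas-c.example mx -all",
    ],
    # Same senders, but saas-c expressed as an explicit ip4 instead of an include.
    "fixed.example.com": [
        "v=spf1 include:_spf.provider-a.example include:mail.saas-b.example "
        "ip4:203.0.113.200 mx -all",
    ],
    "_spf.provider-a.example": [
        "v=spf1 include:_netblocks1.provider-a.example include:_netblocks2.provider-a.example "
        "include:_netblocks3.provider-a.example ~all",
    ],
    "_netblocks1.provider-a.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_netblocks2.provider-a.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_netblocks3.provider-a.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "mail.saas-b.example": [
        "v=spf1 include:relay1.saas-b.example include:relay2.saas-b.example a mx -all",
    ],
    "relay1.saas-b.example": ["v=spf1 ip4:192.0.2.0/25 -all"],
    "relay2.saas-b.example": ["v=spf1 ip4:192.0.2.128/25 -all"],
    "mail.saas-c.example": ["v=spf1 redirect=_spf.saas-c.example"],
    "_spf.saas-c.example": ["v=spf1 ip4:203.0.113.200 -all"],
    "two.example.com": ["v=spf1 -all", "v=spf1 mx -all"],   # duplicate SPF records
    "none.example.com": ["some unrelated TXT value"],       # no SPF record at all
}

# Mechanisms that cost a DNS query; the redirect modifier costs one as well.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10


class PermError(Exception):
    """Permanent SPF evaluation error, as a receiver would report it."""


def spf_record(name, zone):
    """Return the single v=spf1 TXT record at name; zero or several is a PermError."""
    records = [txt for txt in zone.get(name, []) if txt.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise PermError(f"{name}: expected exactly one v=spf1 record, found {len(records)}")
    return records[0]


def count_lookups(name, zone, _depth=0):
    """Count lookup-causing terms reachable from name, following include and redirect."""
    if _depth > LIMIT:                         # guard against include/redirect loops
        raise PermError(f"{name}: include/redirect chain too deep")
    total = 0
    redirect_to = None
    for term in spf_record(name, zone).split()[1:]:
        term = term.lstrip("+-~?")             # qualifiers do not affect the count
        if term.startswith("redirect="):
            redirect_to = term.split("=", 1)[1]  # evaluated after the other terms
            total += 1
            continue
        mech, _, arg = term.partition(":")
        if mech.split("/")[0] in LOOKUP_MECHANISMS:
            total += 1
            if mech == "include":              # the included record's lookups count too
                total += count_lookups(arg, zone, _depth + 1)
        if total > LIMIT:
            raise PermError(f"{name}: more than {LIMIT} DNS lookups")
    if redirect_to:
        total += count_lookups(redirect_to, zone, _depth + 1)
        if total > LIMIT:
            raise PermError(f"{name}: more than {LIMIT} DNS lookups")
    return total


def check_domain(name, zone=ZONE):
    """Summarize the lookup budget for a domain as a single result string."""
    try:
        used = count_lookups(name, zone)
    except PermError as exc:
        return f"permerror: {exc}"
    return f"ok: {used} of {LIMIT} DNS lookups used"


if __name__ == "__main__":
    for domain in ("example.com", "fixed.example.com", "two.example.com", "none.example.com"):
        print(domain, "->", check_domain(domain))
```

    To run this against live names, replace ZONE with a lookup that returns the TXT strings from a real resolver; the counting logic stays the same. Note that the budget is 10 inclusive: fixed.example.com uses exactly 10 lookups and passes, while example.com needs 11 and fails.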

    DNScale Setup

    Create one TXT record at the apex:

    curl -X POST "https://api.dnscale.eu/v1/zones/{zone_id}/records" \
      -H "Authorization: Bearer YOUR_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "@",
        "type": "TXT",
        "content": "v=spf1 include:_spf.google.com -all",
        "ttl": 3600
      }'

    Validation

    dig TXT example.com +short | grep 'v=spf1'

    You should see exactly one SPF record.

    Check a subdomain if your mail provider uses one:

    dig TXT bounce.example.com +short

    Frequently asked questions

    Where do I publish an SPF record?
    Publish SPF as a TXT record at the domain name used in the envelope sender. For most domains, that is the apex, such as example.com. Some mail streams use subdomains like bounce.example.com, which need their own SPF records.
    Can I have two SPF records?
    No. You can have multiple TXT records at the same name, but only one TXT record that starts with v=spf1. Two SPF records cause a permanent SPF error and can break mail delivery.
    What does -all mean?
    -all is a hard fail. It says mail from sources not matched earlier in the SPF record is unauthorized. Use ~all while testing, then move to -all when all legitimate senders are covered.
    Why does SPF fail with too many DNS lookups?
    SPF evaluation is limited to 10 DNS lookups. include, a, mx, ptr, exists, and redirect can count. Large SaaS include chains often exceed the limit. Remove unused senders, flatten carefully, or split mail streams by subdomain.
    Does SPF stop visible From spoofing?
    Not by itself. SPF validates the envelope sender. DMARC is what checks alignment between SPF or DKIM and the visible From domain. SPF should always be paired with DKIM and DMARC.
