SecurityStatus
Severity: high. Category: DNS.

SPF Record

SPF (Sender Policy Framework) is a policy published as a DNS TXT record that lists which mail servers are authorised to send email using your domain as the envelope sender. Without it, anyone in the world can send email that appears to come from your domain, a technique used in phishing attacks every day.

What SecurityStatus Checks

  • Whether exactly one SPF TXT record exists for your domain (none, or more than one, both leave the domain unprotected)
  • SPF syntax validity: a malformed record makes receivers return permerror, so it protects nothing while looking like it is in place
  • Whether all your legitimate sending services are listed (including third-party tools like Mailchimp, SendGrid, Google Workspace)
  • DNS lookup count: SPF allows at most 10 DNS lookups per evaluation, counting `include:`, `a`, `mx`, `ptr`, `exists:` and `redirect=` terms plus everything nested inside included records; exceeding it is a permerror
  • Whether the SPF policy ends with ~all (soft fail) or -all (hard fail)

Why This Matters

Domains without SPF are trivial to spoof. Attackers use your domain to send phishing emails to your customers, partners, and employees. Even with SPF, a misconfigured record can silently fail and allow spoofing to slip through. SPF failures also cause legitimate emails to land in spam.

How to Fix It

  1. Create your SPF record

    Add a TXT record to your DNS: `v=spf1 include:_spf.google.com include:sendgrid.net ~all`. Replace the includes with your actual mail providers. The `~all` at the end marks any other source as a soft fail.

  2. List all your sending services

    Check every service that sends email on your behalf: your mail server, CRM, marketing platform, support system, transactional email service. Each one needs to be included in SPF, otherwise its mail fails the check once you move to a strict policy.

  3. Stay under 10 DNS lookups

    Each `include:`, `a`, `mx`, `ptr`, `exists:` and `redirect=` term costs one DNS lookup, and the lookups inside an included record count toward your total as well; `ip4:` and `ip6:` entries are free. Past 10, receivers return permerror and the whole record stops working. Use SPF flattening tools (like AutoSPF) to replace nested includes with the providers' current IP ranges, and keep the flattened record refreshed, because providers change their ranges.

  4. Switch from ~all to -all

    Once you are confident your SPF record is complete, change `~all` to `-all`. This tells receiving servers that mail from any other source fails SPF outright; most receivers treat a hard fail as a strong reject signal, particularly when the domain also publishes a DMARC policy.

  5. Verify with a tool

    Use MXToolbox (mxtoolbox.com/spf.aspx) to validate your SPF record syntax and lookup count. Test by sending an email to mail-tester.com and checking the SPF result.
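As an added example (not SecurityStatus's own checker), the following Python script performs the checks listed above offline: it verifies that exactly one SPF record exists, parses the syntax, walks nested `include:`/`redirect=` targets to count DNS lookups against the limit of 10, and reports the final `all` qualifier. DNS is simulated by a constructed zone table; the `.example` domain names and the documentation IP ranges in it are illustrative, not any real provider's records.

```python
"""Offline SPF record checker: existence, single-record rule, syntax, the
10-lookup limit (resolved through nested includes) and the final 'all' term."""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Terms that each cost one DNS lookup under RFC 7208 s4.6.4; ip4/ip6/all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_-]*)(?:([:=/])(.*))?$", re.IGNORECASE)

# Constructed zone data standing in for DNS TXT answers. The .example names and
# documentation prefixes are illustrative, not any real provider's records.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "good.example": ["v=spf1 include:_spf.mailhost.example include:_spf.newsletter.example -all"],
    "_spf.mailhost.example": ["v=spf1 include:_blocks1.mailhost.example include:_blocks2.mailhost.example ~all"],
    "_blocks1.mailhost.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 ~all"],
    "_blocks2.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.newsletter.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "soft.example": ["v=spf1 ip4:192.0.2.10 ~all"],
    "two-records.example": ["v=spf1 -all", "v=spf1 include:_spf.newsletter.example -all"],
    "typo.example": ["v=spf1 incldue:_spf.newsletter.example -all"],
    "bloated.example": ["v=spf1 a mx ptr exists:%{i}.chk.example include:_spf.mailhost.example include:crm.example -all"],
    "crm.example": ["v=spf1 mx a:out.crm.example include:_spf.newsletter.example include:_spf.mailhost.example -all"],
    "nospf.example": ["some unrelated txt record"],
}

@dataclass
class SpfCheck:
    domain: str
    record: Optional[str] = None
    status: str = "ok"                    # ok | none | permerror
    lookups: int = 0
    all_qualifier: Optional[str] = None   # "+", "-", "~", "?" or None when no 'all' term
    findings: List[str] = field(default_factory=list)

def fetch_spf(zone: Dict[str, List[str]], domain: str) -> List[str]:
    """Simulated DNS: return only the TXT records at domain that are SPF records."""
    return [r for r in zone.get(domain, []) if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def parse_terms(record: str) -> List[Tuple[str, str, str, str]]:
    """Tokenise a record into (qualifier, name, separator, argument); raise on syntax errors."""
    terms = []
    for tok in record.split()[1:]:        # [0] is the v=spf1 version tag
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"malformed term {tok!r}")
        qual, name, sep, arg = m.groups()
        name = name.lower()
        if sep == "=":                    # modifier; unknown modifiers are ignored per RFC 7208
            if name in MODIFIERS:
                terms.append((qual or "+", name, sep, arg))
            continue
        if name not in MECHANISMS:        # an unknown mechanism is a permerror
            raise ValueError(f"unknown mechanism {name!r}")
        if name in ("include", "exists") and not arg:
            raise ValueError(f"{name} needs a domain argument")
        terms.append((qual or "+", name, sep or "", arg or ""))
    return terms

def count_lookups(zone: Dict[str, List[str]], domain: str, check: SpfCheck, seen: FrozenSet[str]) -> int:
    """Count lookup-costing terms at domain, descending into include/redirect targets."""
    if domain in seen:
        check.status = "permerror"
        check.findings.append(f"include/redirect loop at {domain}")
        return 0
    records = fetch_spf(zone, domain)
    if len(records) != 1:
        check.status = "permerror"
        check.findings.append(f"{domain}: expected one SPF record, found {len(records)}")
        return 0
    try:
        terms = parse_terms(records[0])
    except ValueError as exc:
        check.status = "permerror"
        check.findings.append(f"{domain}: {exc}")
        return 0
    total = 0
    for _, name, _, arg in terms:
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(zone, arg, check, seen | {domain})
    return total

def check_spf(zone: Dict[str, List[str]], domain: str) -> SpfCheck:
    """Run the checks for one domain and return the findings."""
    check = SpfCheck(domain=domain)
    records = fetch_spf(zone, domain)
    if not records:
        check.status = "none"
        check.findings.append("no SPF record: any host can send as this domain")
        return check
    check.record = records[0]
    check.lookups = count_lookups(zone, domain, check, frozenset())
    if check.status == "permerror":       # multiple records, bad syntax or broken include
        return check
    if check.lookups > MAX_LOOKUPS:
        check.status = "permerror"
        check.findings.append(f"{check.lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    for qual, name, _, _ in parse_terms(check.record):
        if name == "all":
            check.all_qualifier = qual
    notes = {None: "no 'all' term: unlisted senders get a neutral result",
             "+": "+all authorises every host on the internet",
             "?": "?all is neutral and gives no protection",
             "~": "~all is a soft fail; switch to -all once every sender is listed"}
    if check.all_qualifier in notes:
        check.findings.append(notes[check.all_qualifier])
    return check

if __name__ == "__main__":
    for name in ("good.example", "soft.example", "bloated.example", "two-records.example", "typo.example", "nospf.example"):
        print(check_spf(SAMPLE_ZONE, name))
```

Running it shows why nested includes matter: `bloated.example` has only seven terms of its own, but because `_spf.mailhost.example` is pulled in twice (once directly, once via `crm.example`) its total comes to 14 lookups and receivers would return permerror. Point `fetch_spf` at a real resolver and the same logic checks live zones.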

Frequently Asked Questions

What does ~all vs -all mean?
~all (soft fail) marks non-matching email as suspicious but usually still delivers it. -all (hard fail) tells receivers to reject non-matching email outright. Start with ~all and move to -all once you know your record is complete.
Can I have multiple SPF records?
No. You can only have one SPF TXT record per domain. If a receiver finds more than one, it returns permerror, which means no sender is authorised at all. If you need to include multiple services, combine them into a single record.
Does SPF alone stop email spoofing?
SPF alone is not enough. SPF checks only the envelope sender (the Return-Path domain), so an attacker can pass SPF with their own domain while putting your domain in the visible 'From' header that the recipient sees. You need DMARC, which requires SPF or DKIM to align with the From-header domain, for complete protection; DKIM matters because SPF breaks when mail is forwarded.
What if SPF breaks my legitimate emails?
Use ~all (soft fail) during testing so email still gets through. Your own outbound server never sees the receiver's SPF verdict, so publish a DMARC record with a reporting address (rua) and read the aggregate reports to find sources that fail SPF, add the missing senders to the record, and switch to -all when ready.

Check Your Domain Now

Run all 38 security checks including SPF Record and get your domain's security grade in under 2 minutes.