Authenticate which mail servers are authorised to send email on behalf of your domain.
SPF (Sender Policy Framework) is a DNS-based email authentication standard that lets domain owners publish a list of IP addresses and mail servers authorised to send email from their domain. When a receiving mail server gets a message claiming to be from your domain, it queries DNS for your SPF record to verify the sending server is approved.
SPF is defined in RFC 7208 and is one of three core email authentication standards alongside DKIM and DMARC.
An SPF record is a DNS TXT record published at your root domain. It specifies permitted senders using mechanisms:
Key mechanisms: ip4/ip6 allows specific IPs, include: delegates to another domain's record, a allows your A-record IPs, mx allows your MX IPs. The trailing all term carries a qualifier: -all (hard fail) or ~all (soft fail). SPF has a hard limit of 10 DNS lookups; exceeding it causes a PermError that receivers treat as a failure.
Without SPF, anyone can send email pretending to be from your domain. SPF is a prerequisite for DMARC alignment. Gmail, Yahoo, and Microsoft all evaluate SPF as a primary filtering signal. A broken SPF record — too many lookups, syntax errors, missing sending sources — silently causes legitimate email to land in spam.
EmailExacto Intelligence monitors your SPF record daily and alerts you the moment it changes or breaks.
✓ Use -all (hard fail) when you have full visibility of your sending sources.
✓ Stay under 10 DNS lookups — use SPF flattening when sending through multiple ESPs.
✓ Audit SPF any time you add or remove a sending service.
✓ Never publish more than one SPF TXT record for a domain — merge them into one.
✓ Include all senders: ESP, transactional provider, CRM, and internal servers.
✓ Test your SPF record after every change before sending.
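The lookup limit, the one-record rule and the trailing qualifier from the checklist above can be checked mechanically. The following Python is an added example, not EmailExacto's code: it audits a constructed in-memory zone (every domain and address is a placeholder) instead of querying DNS, and the `audit` function and its finding strings are assumptions made for illustration.

```python
import re

# Constructed sample zone (domain -> TXT strings); all names and IPs are placeholders.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.esp.example include:crm.example ~all"],
    "_spf.esp.example": ["v=spf1 include:a.esp.example a mx -all"],
    "a.esp.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # Two SPF records on one name: receivers return PermError for this domain.
    "crm.example": ["v=spf1 ip4:203.0.113.7 -all", "v=spf1 ip4:203.0.113.8 -all"],
}
# Terms that cost a DNS lookup during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/\s]+))?")

def audit(zone, domain, findings=None, chain=()):
    """Return (dns_lookups, findings) for domain, following include: and redirect=."""
    findings = [] if findings is None else findings
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        findings.append(f"{domain}: {len(records)} SPF records, expected exactly 1 (PermError)")
        return 0, findings
    if domain in chain:
        findings.append(f"{domain}: include/redirect loop")
        return 0, findings
    lookups = 0
    for term in records[0].lower().split()[1:]:
        m = TERM.match(term)
        if not m:
            findings.append(f"{domain}: unparseable term {term!r}")
            continue
        qualifier, name, target = m.groups()
        if name in LOOKUP_TERMS:
            lookups += 1  # the term itself costs one lookup
        if name in ("include", "redirect") and target:
            # lookups inside the referenced record count against the same limit
            lookups += audit(zone, target, findings, chain + (domain,))[0]
        if name == "all" and not chain and qualifier != "-":
            findings.append(f"{domain}: policy ends in {qualifier or '+'}all, not -all")
    if not chain and lookups > 10:
        findings.append(f"{domain}: {lookups} DNS lookups, limit is 10 (PermError)")
    return lookups, findings

if __name__ == "__main__":
    total, notes = audit(ZONE, "example.com")
    print(total, *notes, sep="\n")
```

Only lookup-causing terms are counted here; the separate limits RFC 7208 places on void lookups and on the number of names behind a single mx term are not modelled.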