Last week we established that email providers grade your messages before delivering them. This week we're starting with the most fundamental authentication record: SPF.

This Week’s Lesson

SPF stands for Sender Policy Framework. In plain English, it's a DNS record that lists which mail servers are authorized to send email on behalf of your domain.

Here's how it works: When Gmail receives an email claiming to be from you@yourcompany.com, it asks: 'Does the server that sent this email appear on yourcompany.com's authorized list?' If yes, SPF passes. If no, SPF fails — and that's a major red flag to spam filters.

An SPF record lives in your domain's DNS as a TXT record and looks something like this:

v=spf1 include:_spf.google.com include:mailchimp.com ~all

Breaking that down: v=spf1 identifies this as an SPF record. include: adds authorized sending services (like Google Workspace, Outlook, or your CRM). ~all means 'if it doesn't match, treat it with suspicion.'

Common mistakes: having no SPF record at all, using multiple SPF records instead of one, or listing too many senders (hitting the 10 DNS lookup limit).
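
A check for the three mistakes above, as an added example that is not part of the original lesson: it lints a domain's TXT records for a missing SPF record, duplicate SPF records, and more than 10 DNS lookups, counting include:, a, mx, ptr, exists and redirect= terms and following includes recursively. The ZONE data and every .example name are constructed stand-ins for live DNS answers.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: exceeding this is a permanent error

# Constructed TXT data standing in for live DNS answers; every name is an example.
ZONE = {
    "yourcompany.example": ["v=spf1 include:_spf.mail.example include:news.example ~all",
                            "site-verification=constructed"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "news.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "dup.example": ["v=spf1 include:news.example ~all", "v=spf1 mx ~all"],
    "bare.example": ["site-verification=constructed"],
    "many.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " ~all"],
}
ZONE.update({f"s{i}.example": [f"v=spf1 ip4:192.0.2.{i} ~all"] for i in range(11)})

def spf_records(domain, zone=ZONE):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, zone=ZONE, path=()):
    """Count terms that cost a DNS query, following include: and redirect= targets."""
    recs = spf_records(domain, zone)
    if len(recs) != 1 or domain in path:  # missing, duplicated or looping: stop here
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        # Drop the qualifier, then split "name:target/cidr" or "name=target".
        name, _, target = re.match(r"([a-z0-9]*)([:=]?)([^/]*)",
                                   term.lstrip("+-~?").lower()).groups()
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            total += 1  # ip4:, ip6: and all need no query and are not counted
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Report the first of the three common SPF mistakes found for `domain`."""
    recs = spf_records(domain, zone)
    if not recs:
        return "no SPF record"
    if len(recs) > 1:
        return f"{len(recs)} SPF records published, receivers treat this as an error"
    n = count_lookups(domain, zone)
    if n > LOOKUP_LIMIT:
        return f"{n} DNS lookups, over the limit of {LOOKUP_LIMIT}"
    return f"ok ({n} lookups)"
```

To run it against a real domain, replace ZONE with the TXT answers returned by your DNS tool of choice for the domain and each include target.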

If your domain has no SPF record, any server in the world can send email pretending to be you — and many spam filters will pass those forgeries right through.