SPF

A DNS-published list of IP addresses and hostnames authorised to send email on behalf of a domain.

Definition

SPF (Sender Policy Framework) is the original email authentication protocol, standardised as RFC 7208 in 2014. An SPF record is a single TXT record published in DNS at the apex of a domain that declares which IP addresses and which third-party services are authorised to send email on behalf of that domain. When a receiver gets a message, it queries the SPF record of the envelope-sender domain (the MAIL FROM address — not the visible From: header) and checks whether the connecting IP is authorised. SPF only validates the path the mail took, not the message itself.

How it works

SPF records are syntax-driven. They begin with v=spf1 and chain mechanisms separated by spaces. Common mechanisms include ip4: and ip6: (specific IPs or ranges), a (the A record of the sending domain), mx (the MX records of the sending domain), and most importantly include: (delegate to another domain's SPF record — the way ESPs publish their authorised infrastructure). A qualifier on the final mechanism — usually ~all (softfail) or -all (fail) — declares what to do with mail from any IP not matched by the preceding mechanisms.

SPF has a critical operational limit: each include:, a, mx and exists mechanism, and the redirect= modifier, triggers a DNS lookup that counts toward an aggregate cap of 10 per evaluation. Once a record exceeds 10 lookups, receivers return permerror and SPF fails entirely. This limit is the single most common source of SPF problems in production: every additional ESP added to a domain pushes the record closer to the ceiling.

Example

A domain that sends through Google Workspace, SendGrid, and a self-hosted relay:

example.com. TXT "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 ~all"

This record authorises Google's sending infrastructure (delegated via the include), SendGrid's sending infrastructure, the specific IP 203.0.113.5, and softfails everything else. Each include resolves the target domain's own SPF record and counts those nested lookups toward the 10-lookup cap.
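A static check for the 10-lookup cap and the nested-include counting described above, as an added example that is not part of the original page. It counts the worst case (every term evaluated); the ZONE table is constructed sample data standing in for DNS, and the nested records under the provider names are illustrative, not those providers' real SPF records.

```python
LOOKUP_LIMIT = 10                                   # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed TXT records standing in for DNS. The top record is the page's
# example; every nested record is illustrative, NOT a provider's real SPF data.
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 ~all",
    "_spf.google.com": "v=spf1 include:blocks1.example.net include:blocks2.example.net ~all",
    "blocks1.example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "blocks2.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    # Hypothetical domain that kept adding ESPs: a + mx + 9 includes.
    "crowded.example": "v=spf1 a mx "
    + " ".join(f"include:esp{i}.example" for i in range(9)) + " -all",
}
ZONE.update({f"esp{i}.example": "v=spf1 ip4:192.0.2.1 -all" for i in range(9)})


def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's record."""
    domain = domain.lower()
    if domain in path:                # include/redirect loop: stop recursing
        return 0
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0                      # no SPF record published at this name
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")    # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()          # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":     # nested record's lookups count too
                total += count_lookups(target, zone, path + (domain,))
    return total


def check(domain, zone=ZONE):
    """Return (lookups, verdict); above the cap a receiver returns permerror."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")


if __name__ == "__main__":
    for d in ("example.com", "crowded.example"):
        print(d, check(d))
```

Against live DNS the same count applies, with the TXT lookups replacing the ZONE dictionary.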