Glossary · Email deliverability
    Updated May 13, 2026

    What is SPF?

    SPF is a DNS TXT record that authorizes specific mail servers to send email on behalf of your domain — receiving servers reject or flag mail from servers not on the list.

    SPF stands for Sender Policy Framework. It is a DNS record that answers one question: which servers are allowed to send email claiming to be from this domain? When a receiving mail server gets a message, it looks up the SPF record for the domain in the envelope sender (Return-Path) and checks whether the sending IP is on the authorized list.

    SPF is one of three pillars of email authentication — alongside DKIM and DMARC. On its own, SPF reduces spoofing of the envelope sender. Combined with DMARC, it contributes to protection of the visible From: address that recipients see.

    How SPF works

    When a message arrives at a receiving mail server, the server extracts the domain from the Return-Path (envelope sender) and performs a DNS TXT lookup for that domain. The SPF record is a space-separated list of mechanisms: ip4:, ip6:, include:, a:, mx:, and others. The server evaluates each mechanism left to right until one matches the sending IP.

    If a match is found with the + qualifier (the default), the result is Pass. If the all mechanism is reached with -all (hard fail), the result is Fail. The receiving server then decides what to do — most apply the DMARC policy rather than acting on the raw SPF result alone.

    The 10-lookup limit

    RFC 7208 limits SPF evaluation to 10 DNS lookups. Every include:, a:, mx:, and exists: mechanism and every redirect= modifier counts as a lookup. ip4: and ip6: mechanisms do not, because they are direct IP comparisons. Exceeding 10 lookups causes a PermError, which most receiving servers treat as a Fail.

    Exceeding the 10-lookup limit is the most common SPF misconfiguration. It typically happens after adding several marketing, CRM, and transactional email senders over time. Each vendor adds an include: for their sending infrastructure, and the total silently exceeds the limit: the record still resolves, but every receiver returns PermError instead of Pass.
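
    A static lookup counter for the limit described above, as an added example that is not from the original page or from MailerMonk's tooling. The zone data and domain names are constructed, ptr is counted per RFC 7208 although the page does not list it, and the count is a worst case because a real evaluator stops at the first matching mechanism.

```python
# Worst-case count of DNS-querying SPF terms. ZONE is constructed sample data, not real DNS.
LIMIT = 10
LOOKUP_MECHS = {"include", "a", "mx", "exists", "ptr"}  # ptr also counts under RFC 7208
ZONE = {
    "example.com": ["v=spf1 mx include:_spf.crm.example include:_spf.mail.example "
                    "include:_spf.news.example -all"],
    "_spf.crm.example": ["v=spf1 include:_net.crm.example a:out.crm.example mx ~all"],
    "_net.crm.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.mail.example": ["v=spf1 a mx exists:%{i}.ok.mail.example ~all"],
    "_spf.news.example": ["v=spf1 a redirect=_net.crm.example"],
    "flat.example": ["v=spf1 mx ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all"],
}
class PermError(Exception):
    """A condition that receivers report as SPF PermError."""

def spf_record(domain, zone):
    # More than one TXT record starting with v=spf1 is a PermError in itself.
    recs = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) > 1:
        raise PermError(f"{domain}: {len(recs)} SPF records published")
    return recs[0] if recs else None

def count_lookups(domain, zone, path=()):
    if domain in path:
        raise PermError(f"include/redirect loop at {domain}")
    record = spf_record(domain, zone)
    if record is None:
        return 0  # nothing to expand; the caller already counted this lookup
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as mx/24
        if name in LOOKUP_MECHS:
            total += 1
            if name == "include":
                total += count_lookups(arg, zone, path + (domain,))
    return total

def audit(domain, zone=ZONE):
    try:
        n = count_lookups(domain, zone)
    except PermError as exc:
        return None, f"PermError: {exc}"
    return n, ("PermError: over limit" if n > LIMIT else "within limit")
```

    Here audit("example.com") reports 12 lookups from only three vendor includes plus mx, while the flattened flat.example record needs one.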

    SPF flattening

    SPF flattening replaces include: mechanisms with the resolved IP ranges they point to, turning DNS lookups into static ip4: and ip6: entries. This brings the lookup count to zero (or close to it). The tradeoff is that when a vendor rotates their IP ranges, your SPF record goes stale and starts failing, so flattening requires either a monitoring service or a periodic refresh.

    Some DNS providers offer dynamic SPF flattening as a feature — they maintain the resolved record and update it when upstream IP ranges change. If your domain uses a provider that supports this, it is usually worth enabling for high-volume sending domains.

    Frequently asked questions

    01. Does SPF alone stop email spoofing?

    SPF alone authenticates the envelope sender (Return-Path), not the visible From: address. An attacker can pass SPF on the envelope domain while displaying a spoofed From: address to the recipient. DMARC is required to tie SPF authentication to the From: header — that is why SPF, DKIM, and DMARC are always discussed together.

    02. What is SPF softfail (~all) vs. hardfail (-all)?

    ~all (tilde) is a softfail — the message is accepted but marked as suspicious. -all (minus) is a hardfail — the message should be rejected. Most security guidance recommends -all once you are confident your SPF record covers all legitimate senders. ~all is appropriate during testing or when you are unsure whether all your mail streams are included.

    03. Can I have multiple SPF records for one domain?

    No. RFC 7208 states that a domain must not have more than one SPF record. If a DNS lookup returns multiple TXT records that begin with v=spf1, the result is a PermError. Merge all your mechanisms into a single record.

    04. How do I add multiple email senders to SPF without exceeding 10 lookups?

    Include all senders in a single SPF record, then count the lookups with a tool like the MailerMonk SPF checker. If you are near the limit, consider SPF flattening for the highest-lookup includes (SendGrid, Mailchimp, and HubSpot each consume 2–4 lookups of their own).
