SPF setup guide
SPF lets domain owners declare which hosts are allowed to send mail for a domain used in the return path. It is simple in principle, but easy to break when too many third-party services get added over time.
What SPF does
SPF checks whether the connecting mail server is authorised by the SPF record of the domain used in the envelope sender (the return path). The visible From header address is not checked directly.
A basic SPF record
A typical record looks like v=spf1 ip4:203.0.113.10 include:spf.example-provider.com -all. The mechanism list is evaluated from left to right and the first match decides the result. The qualifier on the final "all" term tells receivers what to do with sources that matched nothing earlier.
| Qualifier | Meaning |
|---|---|
| -all | Hard fail for anything not matched earlier. |
| ~all | Soft fail, often used during transition. |
| ?all | Neutral, rarely useful in mature setups. |
SPF lookup limit
SPF processing is limited to ten DNS lookups across mechanisms such as include, a, mx, exists and redirect. Exceeding that limit produces a permerror result, which invalidates the record entirely, so every nested include a third-party provider adds counts against your budget.
SPF best practice
- Keep the record short and intentional.
- List only systems that truly send mail.
- Prefer explicit IPs where practical.
- Remove old providers when they are no longer used.
- Do not publish multiple SPF TXT records for the same hostname.