SPF Record
SPF records specify which servers can send email for your domain. Learn how they work, what v=spf1 means, and how DMARCeye monitors SPF authentication.
What Is an SPF Record?
An SPF record (Sender Policy Framework record) is a type of DNS TXT record that tells receiving mail servers which IP addresses or hosts are authorized to send email on behalf of a domain.
It’s one of the three core email authentication methods, alongside DKIM and DMARC, and helps prevent spoofing, phishing, and other forms of email impersonation.
Every SPF record starts with the version tag v=spf1, followed by a list of approved senders and a final policy directive.
How SPF Records Work
When an email is received, the recipient’s mail server performs an SPF check: it looks up the domain’s SPF record in DNS and verifies whether the sending IP address is included in that record.
A typical SPF record looks like this:
v=spf1 include:_spf.google.com ip4:192.0.2.0/24 -allHere’s what each part means:
v=spf1— Declares this as an SPF record.include:_spf.google.com— Authorizes Google’s mail servers to send mail.ip4:192.0.2.0/24— Authorizes a specific IP address range.-all— Instructs receiving servers to reject any senders not listed.
Based on the final qualifier (-all, ~all, ?all, or +all), the receiving system decides how to treat unlisted senders: reject, softfail, neutral, or allow.
Managing SPF Effectively
SPF records are simple in concept but easy to misconfigure. Because DNS lookups are limited to ten per SPF evaluation, overly complex records can break authentication or cause mail to fail unexpectedly.
To maintain accuracy:
- Consolidate or simplify includes.
- Use subdomain-specific SPF records for different sending services.
- Test SPF alignment alongside DKIM and DMARC to ensure consistency.
Regular review is critical, especially as new third-party tools are added to your email ecosystem.
SPF Records and DMARCeye
DMARCeye helps you monitor and validate SPF authentication across all your sending sources.
By analyzing DMARC aggregate reports, DMARCeye reveals which IP addresses and domains are passing or failing SPF checks — and whether those senders align with your From Domain under DMARC.
With this visibility, you can clean up old SPF entries, detect unauthorized senders, and confidently enforce stricter DMARC policies without disrupting legitimate mail.
Sign up for a free trial of DMARCeye today and secure your email domain.
To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.