SPF FAQs (Frequently Asked Questions)

What is SPF?

Sender Policy Framework (SPF) is an email authentication mechanism which allows only authorized senders to send on behalf of a domain, and prevents unauthorized users from doing so. SPF allows the receiver to check that an email claiming to come from a specific domain indeed comes from an IP address authorized by that domain's administrators.

Why use SPF?

SPF enables you to use various mechanisms and modifiers to define a whitelist of IP addresses allowed to send email messages on behalf of your domain. Emails from anywhere else will be marked as "failed to pass SPF check". This way, you have control over who can send emails on your behalf.

Can I have multiple SPF records on a single domain?

No, you must not. Having multiple SPF records on a single domain will cause SPF to return PermError for all emails sent from that domain.

Refer to Can I Have Multiple SPF Records on My Domain? for more information.

How do I set up SPF?

To set up SPF, you need to publish an SPF record in the DNS that specifies the whitelist of IP addresses for your domain.

How do I check/test my SPF record on a domain?

To check/test if you have published an SPF record correctly on a domain, use our free SPF record checker.

It will tell you whether an SPF record exists, whether it is syntactically valid, whether its DNS lookup count is <= 10, and so on.

What is the SPF 10 DNS lookup limit?

To mitigate potential denial of service attacks, SPF requires that the number of mechanisms and modifiers that do DNS lookups must not exceed 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. Otherwise, an SPF PermError, more specifically "SPF PermError: too many DNS lookups", is returned.

Learn more in When SPF Record Exceeds 10-DNS-Lookup Limit.
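The counting rule above, together with the multiple-record PermError from the earlier answer, can be reproduced offline. The following Python is an added example, not DMARCLY's checker or code from this page; the ZONE table, every domain name in it and the function names are assumptions made for illustration.

```python
import re

# Constructed TXT data standing in for DNS; every name here is hypothetical.
ZONE = {
    "ok.test": ["v=spf1 a mx include:_spf.esp.test ip4:192.0.2.0/24 ~all"],
    "_spf.esp.test": ["v=spf1 include:_a.esp.test include:_b.esp.test ~all"],
    "_a.esp.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.esp.test": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "big.test": ["v=spf1 " + " ".join(f"include:_s{i}.test" for i in range(11)) + " -all"],
    **{f"_s{i}.test": [f"v=spf1 ip4:203.0.113.{i} -all"] for i in range(11)},
    "dup.test": ["v=spf1 mx -all", "v=spf1 include:_a.esp.test -all"],
}

# Terms that trigger a DNS query; ip4, ip6 and all do not count.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

class PermError(Exception):
    """SPF permanent error for the two conditions this page describes."""

def spf_record(domain, zone):
    """Return the single SPF record for domain, or None if there is none."""
    found = [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(found) > 1:
        raise PermError(f"{domain}: multiple SPF records")
    return found[0] if found else None

def count_lookups(domain, zone=ZONE, limit=10):
    """Worst-case count of DNS-querying terms, following include and redirect."""
    total = 0
    def walk(name):
        nonlocal total
        record = spf_record(name, zone)
        if record is None:  # a real evaluator reports this for an include target
            return
        for term in record.split()[1:]:
            m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term, re.I)
            if not m or m.group(1).lower() not in LOOKUP_TERMS:
                continue
            total += 1
            if total > limit:  # also stops include loops
                raise PermError(f"{domain}: too many DNS lookups")
            if m.group(1).lower() in ("include", "redirect") and m.group(2):
                walk(m.group(2).lower())
    walk(domain)
    return total
```

The count is the worst case over the whole record tree, the way a record checker reports it; a receiver evaluating a message stops at the first matching mechanism and may perform fewer lookups.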

If my SPF record has more than 10 DNS lookups, will my emails go to spam?

Your emails are more likely to go to spam if your SPF record has more than 10 DNS lookups. When your email hits the receiving server, SPF returns a PermError because the limit is exceeded, and the email fails the SPF check. Messages that fail email authentication (SPF, DKIM or DMARC) are more likely to go to spam than messages that pass.

Therefore, you are strongly advised against keeping an SPF record with more than 10 DNS lookups. If you have many services in your SPF record, you can use DMARCLY's Safe SPF feature to fix it.

How can I check how many DNS lookups my SPF record has?

To find out the DNS lookup count on an SPF record, you can use our free SPF record checker.

For example, this SPF record check reveals that microsoft.com has 10 DNS lookups:

[Screenshot: SPF record DNS lookup count for microsoft.com]

How do I fix SPF too many DNS lookups?

Since an SPF record with more than 10 DNS lookups causes SPF to return a PermError, which in turn has a negative impact on email deliverability, using a tool like DMARCLY's Safe SPF to automatically/dynamically flatten your SPF record is advised.

Safe SPF takes your original SPF record and automatically/dynamically flattens it, so that the flattened SPF record (AKA Safe SPF record) contains 10 or fewer DNS lookups. This way, your Safe SPF record won't trigger the PermError mentioned above.

Learn more: How to fix SPF PermError: too many DNS lookups.

What is automatic/dynamic SPF record flattening?

Automatic/dynamic SPF record flattening is a process in Safe SPF that flattens SPF records with more than 10 DNS lookups in the background, automatically and periodically.

This process traverses the entire hierarchy in your original SPF record including all 3rd-party services, converts the DNS lookup-consuming mechanisms into plain IP addresses wherever possible, then updates the Safe SPF record in the DNS with these IP addresses.

Since the process is recursive, any change in the 3rd-party services will make it to the final Safe SPF record.

How does SPF work with subdomains?

When an email is sent on behalf of a subdomain, the receiving server only checks for the SPF record on that subdomain. Unlike DMARC's policy discovery, SPF doesn't use the organizational domain's SPF record for the subdomain.

Refer to How SPF Works With Subdomains.
