SPF FAQs (Frequently Asked Questions)


What is SPF?

Sender Policy Framework (SPF) is an email authentication mechanism that allows only authorized senders to send on behalf of a domain, and prevents unauthorized users from doing so. SPF allows the receiver to check that an email claiming to come from a specific domain indeed comes from an IP address authorized by that domain's administrators.

Why use SPF?

SPF enables you to use various mechanisms and modifiers to define a whitelist of IP addresses allowed to send email messages on behalf of your domain. Emails from anywhere else will be marked as "failed to pass SPF check". This way, you have control over who can send emails on your behalf.

Can I have multiple SPF records on a single domain?

No, you must not. Having multiple SPF records on a single domain will cause SPF to return PermError for all emails sent from that domain.

Refer to Can I Have Multiple SPF Records on My Domain? for more information.

How do I set up SPF?

In order to set up SPF, you need to publish an SPF record specifying the whitelist of IP addresses for that domain in the DNS.

Here are some tutorials on doing so:

How do I test my SPF record on a domain?

To test if you have published an SPF record correctly on a domain, use our free SPF record checker.

It will tell you if an SPF record exists, if it's syntactically valid, has DNS lookups <= 10, etc.

What is the SPF 10 DNS lookup limit?

To mitigate potential denial of service attacks, SPF requires that the number of mechanisms and modifiers that do DNS lookups must not exceed 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier. Otherwise, an SPF PermError, more specifically "SPF PermError: too many DNS lookups", is returned.

Learn more in When SPF Record Exceeds 10-DNS-Lookup Limit.
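
The counting rule above, and the multiple-record PermError from the earlier question, as an added example that is not part of the original page or any checker tool. It counts the worst case (every term evaluated, no macro expansion) over constructed TXT data; the `ZONE` contents and all function names are assumptions made for illustration.

```python
import re

LOOKUP_LIMIT = 10  # DNS-querying terms allowed per SPF check
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

class SPFPermError(Exception):
    """Permanent error, as a receiver would report it."""

def spf_record(domain, zone):
    """Return the single SPF record published for domain, or None."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        raise SPFPermError(f"multiple SPF records on {domain}")
    return found[0] if found else None

def count_lookups(domain, zone, used=0):
    """Count DNS-querying terms reachable from domain (worst case, no matching)."""
    record = spf_record(domain, zone)
    terms = record.split()[1:] if record else []
    has_all = any(re.fullmatch(r"[+\-~?]?all", t, re.I) for t in terms)
    for term in terms:
        m = re.fullmatch(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?(?:/.*)?", term, re.I)
        name = m.group(1).lower() if m else ""
        if name not in LOOKUP_TERMS or (name == "redirect" and has_all):
            continue  # ip4, ip6, all, exp=, or a redirect ignored because "all" is present
        used += 1
        if used > LOOKUP_LIMIT:
            raise SPFPermError("too many DNS lookups")
        if name in ("include", "redirect") and m.group(2):
            used = count_lookups(m.group(2).lower(), zone, used)  # nested lookups count too
    return used

def check(domain, zone):
    try:
        if spf_record(domain, zone) is None:
            return "none: no SPF record published"
        return f"ok: {count_lookups(domain, zone)} lookups"
    except SPFPermError as err:
        return f"SPF PermError: {err}"

# Constructed sample TXT data (documentation domains and address ranges).
ZONE = {
    "shop.example": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mail.example include:_spf.crm.example -all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.example": ["v=spf1 a mx ~all"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.crm.example ptr include:_a.mail.example ?all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 ip4:203.0.113.5 -all"],
}
print({d: check(d, ZONE) for d in ("shop.example", "_spf.mail.example", "dup.example")})
```

The shop.example record shows only three lookup terms at the top level, yet the nested includes push it past the limit. A receiver that stops at the first matching mechanism may use fewer lookups than this worst-case count.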

If my SPF record has more than 10 DNS lookups, will my emails go to spam?

Your emails are more likely to go to spam if your SPF record has more than 10 DNS lookups. When your email hits the receiving server, SPF returns a PermError because the limit is exceeded, and the email fails the SPF check. Messages that fail email authentication (SPF, DKIM or DMARC) are more likely to go to spam than messages that pass.

Therefore, you are strongly advised against keeping an SPF record with more than 10 DNS lookups. If you have many services in your SPF record, you can use DMARCLY's Safe SPF feature to fix it.

How can I check how many DNS lookups my SPF record has?

You can use our free SPF record checker.

How does SPF work with subdomains?

When an email is sent on behalf of a subdomain, the receiving server only checks for the SPF record on that subdomain. Unlike DMARC's policy discovery, SPF doesn't use the root domain's SPF record for the subdomain.

Refer to How SPF Works With Subdomains.
