An SPF record is a DNS record that identifies which mail servers are authorized to send email on behalf of your domain. Think of it as a VIP guest list for your email: when an email arrives, the receiving server (like Gmail) checks your DNS to see if the sender's IP address is on the approved list.

| Mechanism | What it does | Example |
|---|---|---|
| v=spf1 | Identifies the record as SPF version 1. | Mandatory start |
| ip4 / ip6 | Authorizes a specific static IP address. | ip4:1.2.3.4 |
| include | Authorizes a third-party service (like Gmail). | include:_spf.google.com |
| -all | Hard Fail: Reject any mail not on this list. | The secure standard |
| ~all | Soft Fail: Accept but mark as "suspicious" if not on list. | Common for testing |

This is the most common SPF error. To prevent Denial of Service (DoS) attacks, the SPF specification limits the number of DNS lookups a receiving server performs while evaluating a record to 10. Every include, a, mx, or redirect term counts as one. If you exceed 10, your SPF check will fail, and your emails may go to spam.
No. Having multiple SPF records on a single domain is a critical configuration error. If you need to authorize multiple services (like Microsoft 365 and Mailchimp), you must merge them into a single v=spf1 record.
-all (Dash) is a "Hard Fail," telling servers to drop any unauthorized mail. ~all (Tilde) is a "Soft Fail," telling servers to let the mail through but flag it as potentially unauthorized. Most security experts recommend moving toward -all.
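
The three checks described above (the 10-lookup limit, a single SPF record per domain, and the closing -all versus ~all) can be automated. The following Python linter is an added example, not code from the original page; the domain names and TXT data are constructed, the function names are hypothetical, and it also counts exists and ptr, which RFC 7208 includes in the lookup limit alongside the terms listed above.

```python
import re

# Terms that cost a DNS query; RFC 7208 also counts exists and ptr.
LOOKUP_TERMS = {"include", "a", "mx", "redirect", "exists", "ptr"}

# Constructed TXT data standing in for DNS answers (all names are hypothetical).
SAMPLE_TXT = {
    "example.test": [
        "v=spf1 ip4:192.0.2.10 include:_spf.mail.example.test "
        "include:_spf.news.example.test mx ~all",
        "site-verification=constructed-token",
    ],
    "_spf.mail.example.test": ["v=spf1 include:_spf2.mail.example.test a -all"],
    "_spf2.mail.example.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.news.example.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "dup.example.test": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 mx -all"],
    "big.example.test": ["v=spf1 " + " ".join(
        f"include:s{i}.example.test" for i in range(11)) + " -all"],
}

def spf_records(name, txt=SAMPLE_TXT):
    """Return only the TXT strings that are SPF version 1 records."""
    return [r for r in txt.get(name, []) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, txt=SAMPLE_TXT, path=()):
    """Count lookup-costing terms, following include/redirect targets."""
    recs = spf_records(name, txt)
    if name in path or len(recs) != 1:  # loop guard / nothing usable to follow
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term)
        if m and m.group(1) in LOOKUP_TERMS:
            total += 1
            if m.group(1) in ("include", "redirect") and m.group(2):
                total += count_lookups(m.group(2), txt, path + (name,))
    return total

def lint(name, txt=SAMPLE_TXT):
    """Return (lookup_count, findings) for the three issues described above."""
    recs = spf_records(name, txt)
    if len(recs) != 1:
        return 0, [f"{len(recs)} SPF records found; exactly one is required"]
    n, findings = count_lookups(name, txt), []
    if n > 10:
        findings.append(f"{n} DNS lookups exceeds the limit of 10")
    last = recs[0].lower().split()[-1]
    if last != "-all":
        findings.append(f"record ends with {last!r}, not the hard fail -all")
    return n, findings
```

Nested includes are what usually push a record over the limit: example.test lists only three lookup terms itself, but its includes bring the total to five.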