{"slug": "spf-record-syntax-explained-a-practical-guide-for-developers", "title": "SPF record syntax explained: a practical guide for developers", "summary": "An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which servers are authorized to send email on behalf of a domain, using mechanisms like `ip4`, `include`, and `a` to list approved senders. The record must end with an `all` directive (e.g., `~all` for softfail or `-all` for hardfail) and is limited to 10 DNS lookups per evaluation to avoid errors. Common mistakes include having multiple SPF records, forgetting subdomains, or omitting the `all` directive, which can break email authentication.", "body_md": "SPF (Sender Policy Framework) is a DNS record that tells receiving mail servers which servers are allowed to send email on behalf of your domain. If a server not on that list sends email claiming to be from your domain, the receiving server can reject or flag it.\nUnderstanding the syntax makes it easier to set it up correctly and avoid common mistakes like accidentally hitting the 10-lookup limit.\nAn SPF record is a TXT record on your domain's DNS. It always starts with:\nv=spf1\nAfter that, you list your authorized senders as mechanisms, then end with an all\ndirective.\nA typical SPF record looks like this:\nv=spf1 include:_spf.google.com include:spf.sendinblue.com ip4:203.0.113.50 ~all\nip4:\nand ip6:\nAuthorizes a specific IP address or CIDR range.\nip4:203.0.113.50\nip4:203.0.113.0/24\nip6:2001:db8::1\nUse this when you know the exact IP of a mail server you control.\ninclude:\nDelegates to another domain's SPF record. Each include:\ncauses one DNS lookup.\ninclude:_spf.google.com\ninclude:sendgrid.net\ninclude:spf.mailchimp.com\nMost third-party email services give you an include:\nvalue to add. Each one authorizes all IPs in that service's SPF record.\na:\nAuthorizes the A record of a domain. If the domain's A record matches the IP the email came from, it passes.\nmx:\nAuthorizes the MX records of a domain. Less common, typically used when your mail server and MX records are the same host.\nptr:\nAvoid this one. It is slow, unreliable, and deprecated in practice.\nall\ndirective\nThe all\nat the end controls what happens to mail from servers not on your list:\n~all\n(softfail) — fail but usually deliver anyway, marking as suspicious-all\n(hardfail) — reject the email+all\n(pass all) — authorizes everything, which defeats the purpose of SPF entirely?all\n(neutral) — no policy, same as having no SPFFor most senders, ~all\nis the safe starting point. Once you are confident your record is complete, switch to -all\nfor stronger protection.\nSPF has a hard limit of 10 DNS lookups per evaluation. Each include:\n, a:\n, mx:\n, and ptr:\ncosts one lookup. Exceed 10 and the SPF check returns permerror\n, which effectively means the record fails.\nThis is a common problem when a domain uses multiple services: Google Workspace plus Mailchimp plus SendGrid plus a CRM can easily push you over the limit.\nTo fix it:\ninclude:\nvalues with the raw IPs they resolve to (but you will need to update this when the provider changes their IPs)InboxGreen's SPF lookup tool shows your current record and flags lookup count issues.\nMultiple SPF records: You can only have one TXT SPF record per domain. A second record breaks SPF validation entirely. Merge them into one.\nWrong domain: SPF needs to match the domain in the From:\nheader for DMARC alignment. If you send from noreply@mail.yourdomain.com\n, the SPF record needs to be on mail.yourdomain.com\n.\nForgetting subdomains: SPF on yourdomain.com\ndoes not cover mail.yourdomain.com\nor info.yourdomain.com\n. Each sending subdomain needs its own record.\nMissing all\n: Every SPF record must end with some form of all\n. Without it, the result is undefined.\nInboxGreen's free checker pulls your SPF record, parses the mechanisms, and runs an authentication check against your domain. No login required.", "url": "https://wpnews.pro/news/spf-record-syntax-explained-a-practical-guide-for-developers", "canonical_source": "https://dev.to/inboxgreen/spf-record-syntax-explained-a-practical-guide-for-developers-1kii", "published_at": "2026-05-23 05:22:40+00:00", "updated_at": "2026-05-23 06:03:48.987895+00:00", "lang": "en", "topics": ["cybersecurity", "developer-tools", "enterprise-software"], "entities": ["Google", "Sendinblue", "SendGrid", "Mailchimp"], "alternates": {"html": "https://wpnews.pro/news/spf-record-syntax-explained-a-practical-guide-for-developers", "markdown": "https://wpnews.pro/news/spf-record-syntax-explained-a-practical-guide-for-developers.md", "text": "https://wpnews.pro/news/spf-record-syntax-explained-a-practical-guide-for-developers.txt", "jsonld": "https://wpnews.pro/news/spf-record-syntax-explained-a-practical-guide-for-developers.jsonld"}}