What does the 10 DNS lookup limit mean?

SPF records are limited to 10 DNS lookups total. Each include, a, mx, and exists mechanism counts as a lookup, and nested includes also count. Exceeding this limit causes SPF to fail with a PermError.

What is the difference between -all and ~all?

-all (hard fail) tells receiving servers to reject emails that fail SPF. ~all (soft fail) tells them to accept but mark as suspicious. Start with ~all while testing, then switch to -all once everything is verified.

How do I add Google Workspace to my SPF record?

Add 'include:_spf.google.com' to your SPF record. A complete record looks like: v=spf1 include:_spf.google.com ~all

SPF Record Email Auth

Q: What is an SPF record?

An SPF record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. It helps prevent email spoofing by allowing receiving servers to verify that incoming mail comes from an authorized source.

The SPF record (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. SPF helps prevent email spoofing by allowing receiving servers to verify that incoming mail comes from an authorized source.

Look Up SPF Records

Check SPF records for any domain using our free DNS lookup tool.

Look Up SPF Records →

What Is an SPF Record?

An SPF record lists all IP addresses and domains that are allowed to send email for your domain. When a receiving mail server gets an email from your domain, it checks the SPF record to verify whether the sending server is authorized.

SPF records are published as TXT records in DNS. While there was once a dedicated SPF record type, it's now deprecated — all SPF data should be in TXT records.

SPF Record Format

An SPF record always starts with a version tag and contains mechanisms and qualifiers:

Basic SPF Record Structure

v=spf1 [mechanisms] [qualifier]all

Example SPF Record

example.com.    3600    IN    TXT    "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all"

This record authorizes the IP range 192.0.2.0/24 and Google's mail servers to send email for example.com, and rejects all other sources.

SPF Mechanisms

Mechanisms define which sources are authorized to send email:

Mechanism	Description	Example
`ip4`	Match IPv4 address or range	ip4:192.0.2.1 or ip4:192.0.2.0/24
`ip6`	Match IPv6 address or range	ip6:2001:db8::/32
`a`	Match domain's A/AAAA records	a or a:mail.example.com
`mx`	Match domain's MX servers	mx or mx:example.com
`include`	Include another domain's SPF	include:_spf.google.com
`exists`	Check if domain exists	exists:%{i}.spf.example.com
`all`	Match everything (used at end)	-all or ~all

SPF Qualifiers

Qualifiers prefix mechanisms to define the result when matched:

Qualifier	Meaning	Result
`+` (Pass)	Authorized (default if omitted)	Accept the email
`-` (Fail)	Not authorized	Reject the email
`~` (SoftFail)	Probably not authorized	Accept but mark suspicious
`?` (Neutral)	No policy	Treat as if no SPF exists

Common SPF Configurations

1. Google Workspace

v=spf1 include:_spf.google.com ~all

2. Microsoft 365

v=spf1 include:spf.protection.outlook.com -all

3. Multiple Services

v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com -all

4. Own Mail Server + Service

v=spf1 ip4:192.0.2.1 include:_spf.google.com -all

5. No Email (Null SPF)

If your domain doesn't send email:

v=spf1 -all

10 DNS Lookup Limit

SPF records are limited to 10 DNS lookups total. Each include, a, mx, and exists counts as a lookup. Nested includes also count. Exceeding this limit causes SPF to fail (PermError).

SPF Evaluation Order

SPF mechanisms are evaluated left to right. The first match determines the result:

v=spf1 ip4:192.0.2.1 include:_spf.google.com -all

Check if sender IP is 192.0.2.1 → if yes, Pass
Check if sender matches Google's SPF → if yes, Pass
Match -all → Fail

SPF Record Best Practices

Start with ~all (softfail) — While testing, use softfail to avoid rejecting legitimate email. Switch to -all once verified.
Keep it simple — Minimize the number of includes to stay under the 10-lookup limit.
Use only one SPF record — Multiple SPF records cause failures. Combine all policies into one.
Avoid +all — Never use +all as it authorizes everyone to send as your domain.
Monitor SPF results — Use DMARC reports to see who's sending email as your domain.
Flatten when needed — If hitting the 10-lookup limit, replace includes with direct IP ranges.

SPF vs DKIM vs DMARC

Protocol	Verifies	Protects Against
SPF	Sending server IP	Unauthorized servers sending as your domain
DKIM	Email signature	Message tampering and forgery
DMARC	SPF + DKIM alignment	Domain spoofing (ties it all together)

All three should be used together for comprehensive email authentication.

Troubleshooting SPF

Common issues and solutions:

Too many DNS lookups — Flatten your SPF by replacing includes with IP addresses, or use an SPF flattening service.
Multiple SPF records — Combine all SPF data into a single TXT record.
Legitimate email failing — Add the sending service to your SPF record.
PermError — SPF syntax error or lookup limit exceeded. Validate your record.
TempError — DNS timeout. Usually temporary, but check DNS availability.

Check Your SPF Record

Use our DNS Record Finder to look up and validate SPF records for any domain.