What is an SPF record?

An SPF (Sender Policy Framework) record is a DNS TXT record that lists which IP addresses and mail servers are authorized to send email on behalf of your domain. Receiving mail servers check SPF to verify that inbound mail from your domain comes from an authorized source.

What does SPF softfail (~all) vs hardfail (-all) mean?

~all (softfail) means mail from unauthorized sources should be accepted but marked. -all (hardfail) means mail from unauthorized sources should be rejected. Most senders use ~all because -all can cause legitimate mail to be rejected if your SPF record is incomplete. Use -all only when you're confident your SPF record is complete.

What is the SPF 10 DNS lookup limit?

SPF records are limited to 10 DNS lookups during evaluation. Each include:, a, mx, and ptr mechanism triggers a lookup. If your SPF record exceeds 10 lookups, receiving servers may return permerror, causing SPF to fail. Use SPF flattening or remove unnecessary includes to stay within the limit.

Why does my SPF record return permerror?

permerror typically means your SPF record exceeds the 10 DNS lookup limit, has a syntax error, or has nested includes that create circular references. Use an SPF validator to identify the specific issue.

SPF Record Validator — Check Sender Policy Framework Records Free

SPF Record Validator: Check Your Sender Policy Framework Configuration

SPF (Sender Policy Framework) is an email authentication standard that allows domain owners to specify which mail servers are authorized to send email on their behalf. An SPF TXT record in your DNS tells receiving servers: "Only accept mail claiming to be from my domain if it comes from these IPs or servers." This validator checks your SPF record for syntax errors, DNS lookup count violations, and mechanism correctness — the most common causes of SPF failures that silently hurt deliverability.

SPF Record Syntax: How It Works

An SPF record is a TXT record at your domain root (e.g. yourdomain.com) that starts with v=spf1 and contains a space-separated list of mechanisms followed by an "all" qualifier. A typical record looks like:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:203.0.113.0/24 ~all

Each mechanism is evaluated left-to-right. include: delegates to another domain's SPF record. ip4: and ip6: authorize specific IP addresses or ranges. a authorizes the domain's A record. mx authorizes the domain's MX servers. The final ~all or -all handles mail from unauthorized sources.

The 10 DNS Lookup Limit: SPF's Most Common Failure

RFC 7208 limits SPF evaluation to 10 DNS lookups. Each include:, a, mx, and ptr mechanism triggers a DNS query. Nested includes count too — if you include Google (1 lookup) and Google's SPF includes two more domains (2 more lookups), that's 3 lookups just for Google Workspace. A typical sender using Google + Outlook + Salesforce + Klaviyo + SendGrid can easily exceed 10 lookups.

When SPF evaluation exceeds 10 lookups, receiving servers return permerror. Under DMARC, permerror is treated as SPF failure — meaning mail from legitimate servers can be quarantined or rejected. The fix: use our SPF Record Builder to stay within the limit, or use SPF flattening to replace includes with explicit IP ranges.

~all vs -all vs ?all: Choosing the Right Qualifier

-all (hardfail) — Unauthorized mail should be rejected. Maximum enforcement, but risky if your SPF record is incomplete. Any legitimate sending source not in your SPF will be rejected.
~all (softfail) — Unauthorized mail should be accepted but marked as suspicious. This is the recommended starting point — less risk of accidentally rejecting legitimate mail.
?all (neutral) — No policy on unauthorized senders. Effectively says "I can't vouch for who sends from my domain." Provides no spam protection benefit. Avoid unless you're in a transition period.
+all — Authorizes all IPs. This is the same as having no SPF at all, and opens your domain to spoofing. Never use +all.

SPF, DKIM, and DMARC: Why All Three Matter

SPF alone is not enough. SPF checks the envelope sender (the Return-Path or MAIL FROM address in the SMTP envelope) — not the From address visible to recipients. This means a spammer can pass SPF for a legitimate-looking From address while setting a different Return-Path. DMARC closes this gap by requiring either SPF or DKIM to align with the From domain. Without DMARC, a passing SPF result provides minimal anti-spoofing protection from a user-visible perspective.

Can I have more than one SPF record?

No — having multiple SPF TXT records at the same DNS name results in permerror. If you have multiple sending sources, combine them into a single SPF record using multiple include: or ip4: mechanisms. Use our SPF Builder to create a consolidated record.

My SPF passes but mail still goes to spam. Why?

SPF is one signal among many. Check: DKIM signing is configured, DMARC policy is set, the sending IP isn't on a blacklist, complaint rates are below 0.1%, and the domain has a positive sending history. Inbox placement requires all these factors in combination.

SPF Record Validator