wtoolsy.com

What is an SPF record?

SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send emails on behalf of your domain. It protects against spoofing — unauthorized senders pretending to be your domain.

How does SPF work?

When the recipient's server receives a message, it checks the sender domain's SPF record. It compares the IP address of the server that sent the email with the list of allowed addresses in the record. If the IP is not on the list, the message may be rejected or marked as spam.

Example SPF Record

v=spf1 ip4:203.0.113.0/24 include:_spf.google.com ~all

SPF Record Elements

v=spf1

Version

Every SPF record must start with v=spf1. This is the only supported version of the protocol.

Mechanisms

Mechanisms specify which servers are authorized to send mail. They are checked sequentially from left to right.

| Mechanism | Example | Description |
|---|---|---|
| ip4 | ip4:203.0.113.0/24 | Allows a specific IPv4 address or CIDR range. |
| ip6 | ip6:2001:db8::/32 | Allows a specific IPv6 address or CIDR range. |
| include | include:_spf.google.com | Includes the SPF record of another domain. Used with third-party mail providers (Google, SendGrid, etc.). |
| a | a:mail.example.com | Allows IP addresses pointed to by the A record of a given domain. Without an argument, it checks the domain from the header. |
| mx | mx | Allows servers pointed to by the domain's MX records. Useful when the receiving server is also the sending one. |
| exists | exists:%{i}.example.com | Checks if a given DNS record exists. Rarely used, mainly in advanced configurations. |
| all | ~all | Matches all IP addresses. Always used at the end of the record as a default rule. |

Qualifiers

Each mechanism can be preceded by a qualifier that determines what to do when the mechanism matches.

| Symbol | Name | Action |
|---|---|---|
| + | Pass | The server is authorized. Default qualifier. |
| - | Fail | The server is not authorized. Message should be rejected. The strictest policy. |
| ~ | SoftFail | The server is likely not authorized. Message accepted but flagged. Recommended during SPF implementation. |
| ? | Neutral | No explicit policy. Treated similarly to having no SPF record. |

Modifiers

Modifiers are optional directives that change the behavior of the entire SPF record.

| Modifier | Description |
|---|---|
| redirect | Redirects the SPF check to another domain. Replaces the entire record — cannot be used together with all. |
| exp | Points to a domain with an explanation message for rejection. Rarely used. |

10 DNS Lookup Limit

The include, a, mx and exists mechanisms perform DNS lookups. The SPF standard allows a maximum of 10 such queries; exceeding this limit results in a permerror error.
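The left-to-right evaluation, the qualifiers and the 10-lookup limit described above can be seen together in a small evaluator. This is an added example, not code from the original page: the DNS data is a constructed in-memory table with hypothetical names (`_spf.provider.example`, `loop.example`), and the function names are illustrative. It resolves ip4, ip6, a, include and all; mx and exists count toward the limit only.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # include, a, mx and exists each cost one DNS query
# Constructed DNS data: hypothetical names, documentation address ranges.
TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.provider.example ~all",
    "_spf.provider.example": "v=spf1 a:out.provider.example -all",
    "loop.example": "v=spf1 include:loop.example -all",
}
A = {"out.provider.example": ["198.51.100.25"]}

class PermError(Exception):
    """Condition the receiver reports as permerror."""

def _evaluate(ip, domain, state):
    terms = TXT.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return None  # no SPF record published
    for term in terms[1:]:  # mechanisms are checked left to right
        qualifier = "+"  # default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("include", "a", "mx", "exists"):
            state["lookups"] += 1
            if state["lookups"] > LOOKUP_LIMIT:
                raise PermError("more than 10 DNS lookups")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "a":
            matched = str(ip) in A.get(arg or domain, [])
        elif name == "include":
            result = _evaluate(ip, arg, state)
            if result is None:
                raise PermError("included domain has no SPF record")
            matched = result == "pass"  # only a pass in the included record matches
        else:
            continue  # mx, exists and modifiers are not resolved here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def check_spf(ip, domain):
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, {"lookups": 0}) or "none"
    except PermError:
        return "permerror"
```

The self-including `loop.example` record shows why the limit exists: the evaluation stops with permerror once the eleventh lookup is attempted, regardless of the final `-all`.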