TXT Record — SPF

SPF is published as a TXT record at your domain root. Learn the exact format, mechanisms, qualifiers, and the 10-lookup limit.

Record Type: TXT
Category: Authentication (TXT)
RFC: RFC 7208
Email Relevant: Yes
Format: TXT "v=spf1 <mechanisms> <qualifier>all"
Example: TXT "v=spf1 include:_spf.google.com ip4:203.0.113.5 -all"
TTL Guidance: 3600 s; lower (300 s) during rollout so failures expire quickly

💬 What This Record Does

Sender Policy Framework (SPF) is published as a TXT record at your bare domain (e.g., example.com). It lists which IP addresses and services are allowed to send email on your behalf. Receiving servers check this record against the sending IP and use the result — Pass, Fail, SoftFail — to decide whether to accept or reject the message. SPF alone doesn't stop spoofing; it must be combined with DMARC for full protection.

Common Uses

  • Authorising Google Workspace, Microsoft 365, or other ESPs to send from your domain
  • Hardening your domain against spoofing as part of a SPF + DKIM + DMARC setup
  • Diagnosing delivery failures caused by unauthorised senders

⚠️ Watch Out For

  • There must be exactly one SPF TXT record on your domain root — multiple records cause a permerror.
  • SPF has a limit of 10 DNS lookups. Exceeding it causes a permerror treated as a hard fail.
  • SPF only protects the envelope sender (Return-Path), not the From: header visible to users.
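
The first two conditions above (more than one SPF record, more than 10 DNS lookups) can be checked before a record is published. The Python below is an added example, not code from this page: the zone data, domain names and function names are constructed for illustration, and the count is a static worst case that follows include and redirect targets.

```python
import re

# Terms that trigger a DNS query during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed zone data (domain -> TXT strings); not real DNS answers.
ZONE = {
    "ok.example": ["v=spf1 include:_spf.esp.example ip4:203.0.113.5 mx -all",
                   "site-verification=constructed-token"],
    "dup.example": ["v=spf1 ip4:203.0.113.5 -all", "v=spf1 mx ~all"],
    "deep.example": ["v=spf1 include:_spf.esp.example include:_spf.crm.example a mx -all"],
    "_spf.esp.example": ["v=spf1 include:n1.esp.example include:n2.esp.example ~all"],
    "n1.esp.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "n2.esp.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.allow.crm.example include:n1.esp.example "
                         "include:n2.esp.example redirect=_spf.esp.example"],
}

class PermError(Exception): pass

def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records (start with the v=spf1 version tag)."""
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from `domain`'s SPF record."""
    if domain in path:
        raise PermError(f"include loop via {domain}")
    records = spf_records(domain, zone)
    if len(records) > 1:
        raise PermError(f"{len(records)} SPF records at {domain}")
    total = 0
    for term in (records[0].split()[1:] if records else []):
        m = re.match(r"[+?~-]?([A-Za-z0-9]+)[:=]?([^/]*)", term)
        name, target = (m.group(1).lower(), m.group(2).lower()) if m else ("", "")
        if name in LOOKUP_TERMS:
            total += 1
            # include/redirect pull in another record; macro targets can't be resolved statically.
            if name in ("include", "redirect") and "%" not in target:
                total += count_lookups(target, zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Return (result, detail) for the two permerror conditions in the list above."""
    try:
        n = count_lookups(domain, zone)
    except PermError as exc:
        return "permerror", str(exc)
    return ("permerror" if n > LIMIT else "ok"), f"{n} of {LIMIT} lookups"
```

Here ok.example stays within the limit, dup.example fails on duplicate records, and deep.example exceeds the limit only because of lookups nested inside its includes, which is why the top-level record alone is not enough to check.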