Learn how SPF works and how DMARC Monitor helps you keep your SPF record healthy.
SPF (Sender Policy Framework) is a DNS record that specifies which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to verify the sender is legitimate.
An SPF record is a TXT record at your domain's root. Here's an example:
This record authorizes Google Workspace, SendGrid, and a specific IP address to send email.
| Mechanism | Description |
|---|---|
| include: | Include another domain's SPF record (e.g., for email services) |
| ip4: | Authorize a specific IPv4 address or range |
| ip6: | Authorize a specific IPv6 address or range |
| a | Authorize your domain's A record IP |
| mx | Authorize your domain's MX servers |
| all | Catch-all for IPs not matching other mechanisms |
+Pass (default)
IP is authorized
-Fail
IP is NOT authorized (recommended for -all)
~SoftFail
IP is probably not authorized (email may still be delivered)
?Neutral
No assertion about the IP
SPF has a 10 DNS lookup limit. Each include: counts as a lookup. DMARC Monitor warns you when you're approaching this limit.
Forgot to add a service like Mailchimp or HubSpot? You'll see SPF failures in your DMARC reports. DMARC Monitor helps identify which services you need to add.
You can only have ONE SPF record per domain. Multiple records cause SPF to fail. Combine all mechanisms into a single record.