Skip to content
RelayPost Docs

What Is SPF?

What Is SPF?

Section titled “What Is SPF?”

SPF (Sender Policy Framework) is an email authentication protocol that specifies which mail servers are authorized to send email on behalf of your domain. Receiving servers check the SPF record in your DNS to verify that incoming email originates from an approved source, helping prevent spoofing and phishing attacks.

SPF works alongside DKIM and DMARC to form a complete email authentication setup.

How SPF Works

Section titled “How SPF Works”
  1. You publish a TXT record in your domain’s DNS listing authorized sending servers
  2. A recipient’s mail server receives an email claiming to be from your domain
  3. The server looks up the SPF record for your domain
  4. It checks whether the sending server’s IP address is in the authorized list
  5. If the IP matches, SPF passes — the email is from an approved source

How to Set Up an SPF Record

Section titled “How to Set Up an SPF Record”
  1. Identify all services that send email on behalf of your domain
  2. Log in to your DNS provider (Cloudflare, Route 53, Namecheap, etc.)
  3. Create a TXT record on your root domain (e.g., yourdomain.com)
  4. Set the value to v=spf1 include:relaypost.dev ~all
  5. If you already have an SPF record, add the new include: to the existing record
  6. Verify you have only one SPF record per domain (multiple records cause failures)
  7. Test with an SPF checker tool to confirm the record is valid

Example SPF Records

Section titled “Example SPF Records”

Single provider:

v=spf1 include:relaypost.dev ~all

Multiple providers:

v=spf1 include:relaypost.dev include:_spf.google.com ~all

Frequently Asked Questions

Section titled “Frequently Asked Questions”

What does SPF ~all vs -all mean?

Section titled “What does SPF ~all vs -all mean?”

~all is a soft fail — emails from unauthorized servers are accepted but marked as suspicious. -all is a hard fail — unauthorized emails are rejected outright. Start with ~all while setting up, then consider moving to -all once you are confident all legitimate senders are listed.

Can I have multiple SPF records on one domain?

Section titled “Can I have multiple SPF records on one domain?”

No. Having multiple SPF records on the same domain causes both to fail. If you use multiple email services, combine all include: directives into a single SPF record. For example: v=spf1 include:relaypost.dev include:_spf.google.com ~all.

How do I test if my SPF record is correct?

Section titled “How do I test if my SPF record is correct?”

Use an online SPF checker tool or send a test email to a Gmail address and view the original message headers. Look for spf=pass in the Authentication-Results header. You can also use dig TXT yourdomain.com from the command line to verify the record is published.

What is the SPF 10-lookup limit?

Section titled “What is the SPF 10-lookup limit?”

SPF records are limited to 10 DNS lookups. Each include: directive counts as one lookup, and nested includes count toward the total. Exceeding 10 lookups causes SPF to return a permanent error (permerror), which means SPF effectively fails for all emails.