SPF Record Checker

Parse every mechanism, count DNS lookups against the RFC 7208 limit of 10, and flag common misconfigurations.

What is SPF?

Sender Policy Framework (SPF) is an email authentication protocol defined in RFC 7208. It allows domain owners to publish a DNS TXT record specifying which mail servers are authorized to send email on behalf of their domain. Receiving servers check incoming mail against this record and can reject or flag messages from unauthorized sources.

SPF records are evaluated left to right, with each mechanism checked in order. The first match determines the result. A critical constraint is the 10 DNS lookup limit: terms such as include, a, mx, redirect, and exists each consume one lookup. Exceeding 10 causes a permanent error (permerror), and many receivers treat the record as invalid.

Best practice is to end your SPF record with -all (hard fail) to explicitly reject unauthorized senders. During initial setup, ~all (soft fail) can be used while confirming all legitimate senders are covered.

SPF Mechanisms

| Mechanism | DNS Lookup | Description |
|-----------|------------|-------------|
| all | No | Catch-all default, typically the last mechanism. |
| ip4 / ip6 | No | Match specific IP address or CIDR range. |
| a | Yes | Match A/AAAA records of the specified domain. |
| mx | Yes | Match MX hosts for the specified domain. |
| include | Yes | Recursively evaluate another domain's SPF record. |
| redirect | Yes | Replace evaluation with another domain's record. |
| exists | Yes | Match if an A record exists for the given domain. |
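
The lookup limit and the table above can be checked offline. The following is an added example, not code from this page or from the checker it describes: it parses a record, counts lookup-consuming terms through nested include and redirect targets, and flags a few misconfigurations. The names parse, count_lookups, check and SAMPLE_TXT are hypothetical, and the records are constructed stand-ins for DNS TXT answers.

```python
import re

# Terms costing one DNS lookup each (RFC 7208 section 4.6.4 also lists ptr).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10
TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)(?:[:=/](.*))?$", re.I)

SAMPLE_TXT = {  # constructed records standing in for live DNS TXT answers
    "example.com": "v=spf1 mx a:mail.example.com include:esp.example ip4:192.0.2.0/24 ~all",
    "esp.example": "v=spf1 include:a.esp.example include:b.esp.example include:c.esp.example -all",
    "a.esp.example": "v=spf1 a mx ip4:198.51.100.0/24 -all",
    "b.esp.example": "v=spf1 a mx -all",
    "c.esp.example": "v=spf1 exists:%{i}.bl.esp.example -all",
    "open.example": "v=spf1 ip4:192.0.2.1 +all include:b.esp.example",
}

def parse(record):
    """Return [(qualifier, name, argument)] for each term after v=spf1."""
    parts = record.split()
    matches = [TERM.match(p) for p in parts[1:]]
    if not parts or parts[0].lower() != "v=spf1" or not all(matches):
        raise ValueError("not a parseable SPF record")
    return [(m[1] or "+", m[2].lower(), m[3] or "") for m in matches]

def count_lookups(domain, txt, seen=()):
    """Static count of lookup terms, following include and redirect targets."""
    if domain in seen or domain not in txt:
        return 0  # loop or missing record: nothing more to count
    total = 0
    for _, name, arg in parse(txt[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, txt, seen + (domain,))
    return total

def check(domain, txt):
    """Return (lookup_count, findings) for the record published at domain."""
    terms, findings = parse(txt[domain]), []
    lookups = count_lookups(domain, txt)
    if lookups > LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {LIMIT} (permerror)")
    pos = next((i for i, t in enumerate(terms) if t[1] == "all"), None)
    if pos is None and all(t[1] != "redirect" for t in terms):
        findings.append("no all mechanism or redirect: no explicit default")
    if pos is not None and terms[pos][0] == "+":
        findings.append("+all authorizes every sender")
    if pos is not None and any(t[1] != "exp" for t in terms[pos + 1:]):
        findings.append("mechanisms after all are never evaluated")
    return lookups, findings
```

The count is a static upper bound: it includes every lookup term in each record, whereas a receiver stops at the first match.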
