What is SPF?
SPF (Sender Policy Framework) is an email authentication protocol defined in RFC 7208. It allows domain owners to publish a DNS TXT record listing the IP addresses and mail servers authorised to send email on behalf of their domain.
How SPF works
When a receiving mail server gets an email, it checks the sending server’s IP address against the SPF record of the domain in the envelope sender (Return-Path). If the IP is listed, the email passes SPF. If not, it fails.
An SPF record is a single DNS TXT record at the root domain:
v=spf1 include:_spf.google.com include:sendgrid.net -all
The -all at the end is the all mechanism with the - (fail) qualifier, and means “reject everything not explicitly listed.”
SPF limitations
SPF alone does not prevent spoofing of the visible From address (which recipients see in their email client). SPF only validates the envelope sender, which can differ from the From header. This gap is why DMARC alignment is necessary - it requires the SPF-validated domain to match the From header domain.
SPF also has a 10 DNS lookup limit. Organisations with many sending services can exceed this limit, causing SPF to fail entirely.
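A worst-case count of the DNS lookups a record costs, as an added example that is not the page's or SurfaceLoop's own code: it follows include: and redirect= targets and reports permerror, the RFC 7208 result for exceeding the limit, once the total passes 10. The ZONE table and its .test domains are constructed sample data standing in for live DNS TXT answers, and the function names are hypothetical.

```python
# Added example: count the DNS lookups an SPF record costs (RFC 7208 limit: 10).
# ZONE is constructed sample data standing in for live DNS TXT answers.
ZONE = {
    "example.test": "v=spf1 include:_spf.mail.test include:esp.test a mx -all",
    "_spf.mail.test": "v=spf1 include:n1.mail.test include:n2.mail.test ~all",
    "n1.mail.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "n2.mail.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "esp.test": "v=spf1 ip4:203.0.113.0/24 exists:%{i}.bl.esp.test ~all",
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LIMIT = 10


def term_name(term):
    """Return the mechanism/modifier name, without qualifier or argument."""
    term = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        term = term.split(sep, 1)[0]
    return term


def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case lookup count for `domain`, following include: and redirect=."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"no SPF record at {domain!r}")
    total = 0
    for term in terms[1:]:
        name = term_name(term)
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and exp= cost no counted lookup
        total += 1
        if name in ("include", "redirect"):
            target = term.partition(":" if name == "include" else "=")[2].lower()
            total += count_lookups(target, zone, path + (domain,))
    return total


def check(domain, zone=ZONE):
    """Return (lookup count, 'ok' or 'permerror') for the domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")


if __name__ == "__main__":
    print(check("example.test"))
```

Nested includes are where the budget goes: the sample record lists only four lookup-causing terms itself, but the providers it includes add three more.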
SurfaceLoop checks SPF records across all your domains, validates syntax, counts DNS lookups, and flags missing or misconfigured records.