
What is SPF?

SPF stands for Sender Policy Framework. It's a DNS record that lists which mail servers are authorised to send email on behalf of your domain.

When an email arrives claiming to be from yourcompany.com, the receiving mail server looks up your SPF record and checks whether the sending server's IP address is on the list. If it is, SPF passes. If it isn't, SPF fails.

How an SPF record looks

An SPF record is a TXT record published at your domain root. Here's a typical one for a Microsoft 365 organisation:

v=spf1 include:spf.protection.outlook.com ~all

Breaking this down:

  • v=spf1 — declares this is an SPF record
  • include:spf.protection.outlook.com — authorises Microsoft 365's sending servers
  • ~all — for everything else, softfail (mark as suspicious but don't reject)

Common SPF includes by service

Service            SPF include to add
Microsoft 365      include:spf.protection.outlook.com
Google Workspace   include:_spf.google.com
Mailchimp          include:servers.mcsv.net
SendGrid           include:sendgrid.net
HubSpot            include:_spf.hubspot.com
Zendesk            include:mail.zendesk.com

If you use multiple services, all of them go in a single SPF record:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:mail.zendesk.com ~all

Only one SPF record

You can only have one SPF record per domain. If you publish two, SPF breaks entirely. Always edit your existing record — never add a second one.

The SPF lookup limit

SPF has a hard limit of 10 DNS lookups per evaluation. Each include: directive counts as one lookup, and many includes chain into further lookups. It's surprisingly easy to exceed this limit, especially if you use several email services.

When the limit is exceeded, SPF returns permerror — which most receivers treat the same as a fail. Sentura will warn you when you're approaching this limit and can generate a flattened SPF record that replaces all the includes with direct IP ranges, using only one lookup.
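The single-record rule and the 10-lookup limit described above can both be checked before a record is published. The following is an added example, not Sentura's code or part of the original page: it walks constructed TXT data (the .example names and the ZONE contents are assumptions) and counts lookup-causing terms in the worst case, going slightly beyond the text by also counting a, mx, ptr, exists and redirect=, which RFC 7208 counts alongside include:.

```python
LOOKUP_LIMIT = 10
# Terms that cause a DNS query (RFC 7208 section 4.6.4); redirect= is handled below.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

ZONE = {  # constructed sample TXT data, not real DNS answers
    "corp.example": ["v=spf1 include:_spf.mail.example include:_spf.news.example mx ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.news.example": ["v=spf1 a:send.news.example mx ~all"],
    "two.example": ["v=spf1 include:_a.mail.example ~all", "v=spf1 mx ~all"],
}

class SPFPermError(Exception): pass  # a receiver would return permerror

def spf_record(domain, zone):
    """Return the domain's SPF record, or None; two or more is an error."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        raise SPFPermError(f"{domain} publishes {len(found)} SPF records")
    return found[0] if found else None

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from domain."""
    if domain in path:
        raise SPFPermError(f"include loop via {domain}")
    record = spf_record(domain, zone)
    total = 0
    for term in (record or "").split()[1:]:
        term = term.lstrip("+-~?")                     # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()              # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":                      # follow nested records
                total += count_lookups(arg, zone, path + (domain,))
    return total

def check(domain, zone=ZONE):
    try:
        n = count_lookups(domain, zone)
    except SPFPermError as exc:
        return f"permerror: {exc}"
    return f"{'permerror' if n > LOOKUP_LIMIT else 'ok'}: {n} lookups"

print(check("corp.example"), "|", check("two.example"))
```

The count is a worst case: a real evaluation stops at the first matching mechanism, so a message can pass even when the full record would exceed the limit for other senders.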

SPF limitations

SPF has one significant weakness: it only checks the envelope sender — the technical address used in the SMTP handshake. It doesn't check the From: address that appears in the email client. This is why SPF alone isn't enough — a spoofed message can still pass SPF if the attacker uses the right envelope domain. DMARC closes this gap by requiring alignment between the authenticated domain and the visible From: address.

Further reading

Sentura — Email authentication posture for Microsoft 365