2026-04-11·5 min read

SPF Records Explained — Stop Email Spoofing in 10 Minutes

What is SPF?

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it looks up that record and checks whether the sending server is on the list.

Why SPF matters

Without SPF, anyone can send email pretending to be from your domain. This enables phishing attacks, business email compromise, and brand damage. SPF is also required by Google and Yahoo for bulk senders.

How to set up SPF

Add a TXT record to your DNS:

v=spf1 include:_spf.google.com include:sendgrid.net -all

The key parts:

  • 'include:' adds authorized senders (Google Workspace, SendGrid, etc.)
  • '-all' means reject all unauthorized senders (strictest)
  • '~all' means soft-fail (mark as suspicious but deliver)

Common SPF mistakes

  • Too many DNS lookups (max 10 — exceeding this breaks SPF)
  • Using '+all' (allows everyone — defeats the purpose)
  • Forgetting third-party senders (CRM, marketing tools)
  • Not testing after changes
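
Two of the mistakes above can be checked mechanically: the 10-lookup limit (every 'include:' costs one lookup plus whatever the included record needs) and '+all'. The linter below is an added example, not code from the original post; the zone data, domain names and function names are constructed for illustration.

```python
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def count_lookups(domain, zone, findings, seen):
    """Count lookup-costing terms for domain, following include/redirect targets."""
    terms = (zone.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append(f"{domain}: no SPF record found")
        return 0
    total = 0
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            findings.append(f"{domain}: cannot parse term {term!r}")
            continue
        qualifier, name, target = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name == "all" and qualifier == "+":
            findings.append(f"{domain}: '+all' authorizes every sender")
        if name in LOOKUP_TERMS:
            total += 1
            # Recurse into the referenced record; `seen` stops include loops.
            if name in ("include", "redirect") and target and target not in seen:
                total += count_lookups(target, zone, findings, seen | {target})
    return total

def lint_spf(domain, zone):
    """Return (dns_lookups, findings) for the SPF record published at domain."""
    findings = []
    lookups = count_lookups(domain, zone, findings, {domain})
    if lookups > 10:
        findings.append(f"{domain}: {lookups} DNS lookups, the limit is 10")
    return lookups, findings

# Constructed zone data (TXT records keyed by name), not any real provider's records.
ZONE = {f"vendor{i}.example": f"v=spf1 ip4:203.0.113.{i} -all" for i in range(9)}
ZONE.update({
    "good.example": "v=spf1 include:_spf.mail.example ip4:192.0.2.10 -all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example include:_nb2.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "bad.example": "v=spf1 a mx "
                   + " ".join(f"include:vendor{i}.example" for i in range(9)) + " +all",
})

if __name__ == "__main__":
    print({d: lint_spf(d, ZONE) for d in ("good.example", "bad.example")})
```

To lint a live domain, fill the zone dictionary with the TXT records of the domain and of every name its includes reference.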