What is an SPF Record?
SPF — Sender Policy Framework — is the first line of defence against email spoofing. It tells every mail server on the internet which servers are allowed to send email on behalf of your domain.
Why email spoofing is easy without SPF
When you send an email, two different "from" addresses are involved: the envelope sender, used behind the scenes for delivery, and the header from, which is what you see in your email client. Traditional email has no way to verify either of these.
Without SPF, a criminal can configure any mail server to claim it is sending from yourcompany.com. Many receiving servers will accept it. The recipient sees your domain name. They trust it.
SPF fixes this by publishing a list of authorised sending IP addresses in your DNS. Receiving mail servers check that list before accepting an email claiming to be from you.
What an SPF record looks like
Example SPF record
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Breaking this down:
v=spf1
Declares this is an SPF record. Required.
include:_spf.google.com
Authorises Google's mail servers (e.g. if you use Gmail / Google Workspace).
include:sendgrid.net
Authorises SendGrid (e.g. for transactional email from your app).
~all
Softfail — treat anything else with suspicion. Use -all for a strict hardfail.
Common SPF mistakes
✗ Multiple SPF records
You can only have one SPF TXT record per domain. If you have two, both fail. Combine all includes into a single record.
✗ Using +all
+all authorises every server on the internet to send as you — it makes SPF useless. Always end with ~all or -all.
✗ Exceeding 10 DNS lookups
Each "include:" triggers a DNS lookup. SPF has a hard limit of 10. If you exceed it, SPF returns a permerror and the check fails.
✗ Missing third-party senders
Every service that sends email from your domain — CRM, helpdesk, invoicing tool, newsletter platform — must be in your SPF record.
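The first three mistakes above can be checked mechanically. The linter below is an added example, not code from this page or any tool it mentions; ZONE is constructed sample data standing in for DNS, and the function names are hypothetical. It goes slightly beyond the text by counting the other lookup-causing terms from RFC 7208 (a, mx, ptr, exists, redirect) alongside include.

```python
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

ZONE = {  # constructed TXT records keyed by domain, not real DNS answers
    "good.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_spf.mail.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "dup.example": ["v=spf1 include:_spf.mail.example ~all",
                    "v=spf1 ip4:198.51.100.7 -all"],
    "open.example": ["v=spf1 +all"],
    "deep.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}
ZONE.update({f"s{i}.example": [f"v=spf1 ip4:203.0.113.{i} -all"] for i in range(11)})

def spf_records(domain, zone):
    """Return only the TXT strings that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include:/redirect= recursively."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for rec in spf_records(domain, zone)[:1]:  # only the first record is walked
        for term in rec.split()[1:]:
            name = term.lstrip("+-~?").lower()
            mech, _, target = name.replace("=", ":", 1).partition(":")
            mech = mech.split("/")[0]  # "a/24" -> "a"
            if mech in LOOKUP_TERMS:
                total += 1
                if mech in ("include", "redirect") and target:
                    total += count_lookups(target, zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Return a list of the mistakes found in the domain's SPF setup."""
    recs = spf_records(domain, zone)
    if not recs:
        return ["no SPF record"]
    issues = []
    if len(recs) > 1:
        issues.append("multiple SPF records")
    terms = [t.lower() for t in recs[0].split()[1:]]
    if "+all" in terms or "all" in terms:  # a bare "all" defaults to +all
        issues.append("+all authorises every server")
    elif terms[-1:] not in (["~all"], ["-all"]) and "redirect=" not in recs[0].lower():
        issues.append("no ~all or -all at the end")
    if count_lookups(domain, zone) > 10:
        issues.append("more than 10 DNS lookups")
    return issues
```

To run it against a live domain, replace ZONE with the TXT answers returned by your resolver of choice.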
SPF alone is not enough
SPF is one layer of a three-layer system. It works with:
Frequently asked questions
Can I have more than one SPF record?
No. Two SPF TXT records on the same domain cause a permanent error and SPF fails entirely. If you use multiple email providers, combine all their include: statements into one record.
What does +all mean?
It means "allow all servers" — which defeats the entire purpose of SPF. Always use ~all (softfail) or -all (hardfail).
Is SPF enough on its own?
No. SPF should be paired with DKIM and DMARC. Together they form a complete email authentication system. SPF alone stops some spoofing but not all — particularly "header from" spoofing which DMARC addresses.