
What is SPF? (Sender Policy Framework)

SPF (Sender Policy Framework) is an email authentication standard that lets a domain owner publish, in DNS, the list of mail servers authorised to send email for that domain, so receiving servers can reject or flag mail that comes from any other source.

How SPF works

SPF lives in a single DNS TXT record on your domain. When a receiving server gets a message, it looks at the envelope sender (the MAIL FROM domain), fetches that domain’s SPF record, and checks whether the connecting IP is in the authorised list. The record is a space-separated set of mechanisms, ending in an all mechanism whose qualifier says how to treat everything not explicitly listed.

A typical record

The record "v=spf1 include:_spf.poststack.dev ~all" means: this is SPF version 1, authorise whatever _spf.poststack.dev authorises, and softfail (~all) anything else. Use -all (hardfail) once you are confident every legitimate source is covered; ~all is the safer default while you are still mapping your senders.

The 10-lookup limit

SPF evaluation is capped at 10 DNS lookups. Every include, a, mx, and redirect counts. Stack enough provider includes and you blow the limit, evaluation returns permerror, and many receivers treat that as an outright failure. If you hit it, flatten the record or reduce the number of services sending from your apex domain.
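
To audit a record against this limit before publishing it, the added example below (not from the original page or from PostStack) walks include and redirect chains and counts the worst-case number of DNS-querying terms. The domains, records and function names are constructed for illustration, a dict stands in for live DNS, and macros in targets are not expanded.

```python
import re

LIMIT = 10  # SPF's cap on DNS-querying terms per evaluation
# The page lists include, a, mx and redirect; RFC 7208 also counts exists and ptr.
LOOKUP_TERMS = {"include", "a", "mx", "redirect", "exists", "ptr"}
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

# Constructed zone data (domain -> SPF TXT record); all names are made up.
ZONE = {
    "example.test": "v=spf1 mx include:_spf.mail-a.test include:_spf.crm.test ~all",
    "_spf.mail-a.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-b.test -all",
    "_spf.mail-b.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.crm.test": "v=spf1 a include:_spf.mail-b.test -all",
}
# Six stacked provider includes, each delegating once more: 12 lookups.
STACKED = {"stacked.test": "v=spf1 " + " ".join(f"include:p{i}.test" for i in range(6)) + " ~all"}
for i in range(6):
    STACKED[f"p{i}.test"] = f"v=spf1 include:n{i}.test -all"
    STACKED[f"n{i}.test"] = "v=spf1 ip4:203.0.113.0/24 -all"


def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms reached from domain's record."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for term in zone.get(domain, "").lower().split()[1:]:  # skip the v=spf1 tag
        m = TERM.match(term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all cost no lookup
        total += 1
        name, target = m.groups()
        if name in ("include", "redirect") and target:
            # A record referenced from two places is counted both times.
            total += count_lookups(target, zone, path + (domain,))
    return total


def audit(domain, zone):
    """Return (lookups, verdict); verdict is 'ok' or 'permerror'."""
    try:
        n = count_lookups(domain, zone)
    except ValueError:
        return None, "permerror"  # a loop can never finish within the limit
    return n, "permerror" if n > LIMIT else "ok"


if __name__ == "__main__":
    print(audit("example.test", ZONE))
    print(audit("stacked.test", STACKED))
```

The count is a worst case: a receiver stops at the first matching mechanism, so a given message may cost fewer lookups than the total reported here.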

Why SPF needs DKIM and DMARC

SPF breaks on forwarding — the forwarder’s IP is not in your record — and it only checks the invisible envelope sender, not the From: header the recipient actually sees. DKIM survives forwarding, and DMARC ties authentication back to the visible From: domain through alignment. The three are designed to be used together, not as alternatives.

Frequently asked questions

What does an SPF record look like?

An SPF record is a single DNS TXT record at your domain apex, for example "v=spf1 include:_spf.poststack.dev ~all". The include mechanism delegates to your email provider’s published list of sending IPs, and the trailing ~all (softfail) or -all (hardfail) tells receivers how strict to be about mail from sources not on the list.

What is the SPF 10-lookup limit?

SPF allows a maximum of 10 DNS lookups when evaluating a record (counting every include, a, mx, and redirect). Exceed it and the record returns a permerror, which most receivers treat as a failure. This is why stacking many provider includes breaks SPF — the fix is SPF flattening or reducing the number of sending services on the apex.

Does SPF survive email forwarding?

Often not. When a message is forwarded, the forwarding server becomes the new sending IP, which usually is not in the original domain’s SPF record, so SPF fails. DKIM survives forwarding because the signature travels with the message — which is exactly why DMARC accepts either SPF or DKIM alignment rather than requiring both.


EU-hosted email with auth done for you

PostStack publishes SPF, DKIM, and DMARC automatically and runs entirely on EU infrastructure. 3,000 emails/month free.