--- title: "What are the most common SPF record mechanisms and modifiers in the syntax? | AutoSPF" description: "The most common SPF mechanisms are a, mx, ip4, ip6, include, exists, ptr (discouraged), and all, each optionally prefixed by qualifiers + (pass),, (fail)." image: "https://autospf.com/og/blog/most-common-spf-record-mechanisms-and-modifiers-syntax-guide.png" canonical: "https://autospf.com/blog/most-common-spf-record-mechanisms-and-modifiers-syntax-guide/" --- Quick Answer The most common SPF mechanisms are a, mx, ip4, ip6, include, exists, ptr (discouraged), and all, each optionally prefixed by qualifiers + (pass),, (fail), \~ (softfail), or ? (neutral), and the primary modifiers are redirect= and exp=, which respectively delegate evaluation to another domain’s SPF and provide a human-readable failure explanation. ## Try Our Free SPF Checker Instantly analyze any domain's SPF record - check syntax, count DNS lookups, and flag errors. [ Check SPF Record → ](/tools/spf-checker/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fmost-common-spf-record-mechanisms-and-modifiers-syntax-guide%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=What%20are%20the%20most%20common%20SPF%20record%20mechanisms%20and%20modifiers%20in%20the%20syntax%3F&url=https%3A%2F%2Fautospf.com%2Fblog%2Fmost-common-spf-record-mechanisms-and-modifiers-syntax-guide%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fmost-common-spf-record-mechanisms-and-modifiers-syntax-guide%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fmost-common-spf-record-mechanisms-and-modifiers-syntax-guide%2F&title=What%20are%20the%20most%20common%20SPF%20record%20mechanisms%20and%20modifiers%20in%20the%20syntax%3F "Share on Reddit") [ ](mailto:?subject=What%20are%20the%20most%20common%20SPF%20record%20mechanisms%20and%20modifiers%20in%20the%20syntax%3F&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fmost-common-spf-record-mechanisms-and-modifiers-syntax-guide%2F "Share via Email") ![SPF record mechanisms](https://media.mailhop.org/autospf/images/2026/01/spf-record-office-365-5521.jpg) The most common SPF mechanisms are a, mx, ip4, ip6, include, exists, ptr (discouraged), and all, each optionally prefixed by qualifiers + (pass),, (fail), \~ (softfail), or ? (neutral), and the primary modifiers are redirect= and exp=, which respectively delegate evaluation to another domain’s SPF and provide a human-readable failure explanation. SPF (Sender Policy Framework) is a DNS-published authorization policy that lets receivers verify whether a connecting IP is allowed to send mail for a domain; it evaluates a left-to-right list of mechanisms, applies the first match with its qualifier, and optionally follows modifiers for delegation or messaging. While the syntax is compact, operational SPF requires careful control of DNS lookups (strict 10-lookup limit), precise mechanism ordering, IPv4/IPv6 coverage, and robust handling of third-party senders and forwarding scenarios to avoid false failures and deliverability loss. For a deep dive into every SPF mechanism, qualifier, and modifier, see our [complete SPF record syntax guide](/blog/spf-record-syntax-complete-guide/). This article explains the syntax and semantics of [SPF mechanisms](/blog/spf-mechanism-ordering-sequence-impact-on-deliverability-and-dns-limits/) and modifiers in depth, shows how lookup limits really work, and provides tested patterns for common use cases - all paired with how [AutoSPF](/) automates flattening, validates records, prevents exceeding lookup limits, monitors drift, and gives prescriptive fixes in production. ## SPF Mechanisms, Qualifiers, and Allowed Syntax ### Core Mechanisms and Their Semantics - a \[domain\] \[/cidr4\] \[/cidr6\] - Meaning: _Match if the SMTP client IP is in the A/AAAA set of the domain (default: current domain)_. - Syntax: a, a:mail.example.com, a/24, a:example.com/24/64 (both IPv4 and IPv6 masks allowed). - DNS lookups: Yes (counts toward the 10-lookup limit). - AutoSPF tie-in: AutoSPF resolves a/aaaa targets once, caches them, and can flatten to ip4/ip6 to remove runtime lookups. - mx \[domain\] \[/cidr4\] \[/cidr6\] - Meaning: Match if the client IP is in the resolved MX hosts for domain. - Syntax: mx, mx:example.com/24. - DNS lookups: Yes (MX + A/AAAA for each exchanger). - AutoSPF: Detects when inbound MX hosts shouldn’t be used for outbound authorization and suggests safer includes or explicit ip4/ip6. - ip4:address\[/prefix\] - Meaning: Match IPv4 literal or CIDR range. - Syntax: ip4:203.0.113.7, ip4:203.0.113.0/24. - DNS lookups: No. - AutoSPF: Aggregates contiguous IPv4 ranges (e.g., /25 + /25 → /24) to shorten records. - ip6:address\[/prefix\] - Meaning: Match IPv6 literal or CIDR. - Syntax: ip6:2001:db8:abcd::/48, ip6:2001:db8::1. - DNS lookups: No. - AutoSPF: Normalizes IPv6 and aggregates where safe to reduce record length. - include:domain - Meaning: Evaluate domain’s SPF; if it returns pass, this include matches; any other result (fail/softfail/neutral/none) means no match and evaluation continues. - Syntax: include:\_spf.provider.example. - DNS lookups: Yes (and may cascade to more). - AutoSPF: Recursively expands includes, counts lookups, prevents loops, and can flatten safely with auto-refresh. - exists:domain - Meaning: Match if domain resolves to at least one A/AAAA record; typically used with macros (e.g., per-sender IP lists). - Syntax: exists:%{i}.\_spf.example.com. - DNS lookups: Yes. - AutoSPF: Flags heavy exists usage, models worst-case lookup consumption, and proposes equivalent ip4/ip6 or provider includes. - ptr - Meaning: Match if client IP’s PTR name resolves forward into the domain; deprecated due to unreliability and cost. - DNS lookups: Yes (reverse + forward). - AutoSPF: Warns and auto-suggests removal/replacement; many receivers disregard ptr. - all - Meaning: Always matches. Use only once, at the end, with a qualifier to set default. - Syntax: -all (hard fail), \~all (softfail), ?all (neutral). - DNS lookups: No. - AutoSPF: Ensures exactly one all at the end and enforces sane defaults (e.g., \~all during testing, -all when stable). ![Email infrastruct](https://media.mailhop.org/autospf/images/2026/01/multiple-spf-records-4452.jpg) ### Qualifiers and How They Change Outcomes - (pass): Default if omitted (e.g., ip4:1.2.3.4 ≡ +ip4:1.2.3.4). Rarely used explicitly. - (fail): Explicitly not authorized; receivers should reject. - \~ (softfail): Suspicious; accept but mark (used during rollout). - ? (neutral): Neither permitted nor denied; often used temporarily for diagnostics. AutoSPF continuously simulates evaluation order and qualifiers against real sender IPs from your logs to predict outcomes and recommend safer transitions (e.g., \~all to -all after DKIM coverage reaches 99.5%). ## Modifiers: redirect and exp, with Practical Usage ### redirect=domain - Behavior: If no mechanism matches, stop and evaluate the SPF policy of domain instead. Only one redirect is allowed. - Use cases: Central policy for many subdomains, or shifting to a provider-managed policy. - Caveats: redirect counts as a DNS lookup; it replaces default fallback behavior (so avoid placing all before redirect). - Example: v=spf1 ip4:198.51.100.0/24 redirect=\_spf.example.net AutoSPF uses redirect for scalable architectures: it can place subdomain records as v=spf1 redirect=\_spf.root.example and maintain a single authoritative policy, with automated flattening behind that target. ### exp=domain - Behavior: If result is fail, receiver may look up a TXT at domain to display an explanation string (supports macros). - Use cases: Limited; many receivers suppress explanations for security/privacy. - Lookup impact: Not counted toward the 10-lookup limit (per RFC 7208), and only queried on fail. - Example: v=spf1 include:\_spf.provider.com -all exp=\_spf-exp.example.com _AutoSPF validates exp targets, escapes unsafe characters, and optionally disables exp where receivers ignore it to simplify records_. ![Email spoofing](https://media.mailhop.org/autospf/images/2026/01/kitterman-spf-2505.jpg) ## How Does TXT Compare to Legacy SPF RR Type? - Publication: Per RFC 7208, publish SPF only in TXT records; the SPF RR type is obsolete. Many receivers ignore SPF RR. - Syntax details: - Version tag must be first: v=spf1 … - Maximum 255 characters per string; DNS allows splitting into multiple quoted strings that concatenate. - Only one SPF TXT record per hostname; multiple TXT records with v=spf1 cause a permerror. - Operational tip: Keep TTL moderate (e.g., 1 hour) during changes, then raise (e.g., 4-12 hours) when stable. AutoSPF publishes standards-compliant TXT records, merges or replaces conflicting ones safely, and warns if any SPF-type RR exists to avoid ambiguity. ## The 10-DNS-Lookup Limit: Counting Rules and Reduction Strategies ### What Counts Toward the Limit - Counted: a, mx, include, exists, ptr, redirect. - Not counted: ip4, ip6, all, exp, and literal mechanisms that don’t query DNS. - Voids: Many receivers also enforce a “void lookup” limit (e.g., 2 [NXDOMAIN](https://threat.media/definition/what-is-an-nxdomain-attack/)/NOERROR-NODATA results); exceeding it can yield permerror. AutoSPF simulates worst-case traversal, including nested includes and provider changes, and shows a live counter. If the model predicts 10+ lookups or too many voids, it proposes fixes before you publish. ### Reliable Strategies to Reduce Lookups - Replace a and mx with flattened ip4/ip6 when ranges are stable. - Flatten includes from high-fanout providers into ip4/ip6 with automatic refresh. - _Use one redirect to a consolidated policy for subdomains instead of repeating includes_. - Remove ptr and exists unless you have a specific, measured need. - _Collapse overlapping CIDRs and deduplicate identical nets_. AutoSPF’s “Safe Flatten” maintains a dynamic, auto-updated list of provider IPs with change detection; a customer in SaaS reduced average lookups from 16 to 6 and cut SPF permerrors by 88% after AutoSPF flattening with 24-hour refresh. ## Best-Practice Ordering and Combinations A practical, low-lookup, high-coverage order: 1. ip4/ip6 literals and aggregates (cheapest, fastest) 2. a and mx for your own known, stable hosts (if any) 3. include for third parties (group by provider; keep count) 4. Optional exists (advanced cases only) 5. Final all (typically \~all during rollout, -all when stable) Additional tips: - Specifics before generals: place the most likely matches earlier to short-circuit. - Use one all at the end; don’t mix redirect after an all. - Don’t authorize inbound MX that aren’t your outbound MTAs. AutoSPF generators produce an optimal, ordered policy tailored to your senders, and warn when the order would inflate queries or inadvertently authorize wrong systems. ![Interactions with Forwarding](https://media.mailhop.org/autospf/images/2026/01/spf-record-checker-4200.jpg) ## Constructing SPF for Common Use Cases ### Cloud Email (Google Workspace, Microsoft 365) - Google Workspace: include:\_spf.google.com - Microsoft 365: include:spf.protection.outlook.com - Pattern: v=spf1 ip4:your-outbound/cidrs include:\_spf.google.com include:spf.protection.outlook.com -all - AutoSPF benefit: Resolves and flattens both providers, removes duplicates, and monitors for provider IP drift. ### Third-Party Marketing (SendGrid, Mailchimp, SES) - SendGrid: include:sendgrid.net - Mailchimp: include:servers.mcsv.net - Amazon SES: include:amazonses.com (often combined with DKIM per-identity) - Pattern: v=spf1 include:sendgrid.net include:servers.mcsv.net include:amazonses.com \~all (then -all) - AutoSPF: Counts nested includes (some providers fan out >7 lookups), applies safe flattening, and verifies DKIM alignment recommendations. ### Mailing Lists and Forwarders - Problem: SPF evaluates the forwarder’s IP, often unauthorized, causing fail/softfail. - Mitigations: - Rely on DKIM signing of your [outbound mail](https://www.indeed.com/career-advice/career-development/what-is-email-outbound) (survives forwarding) and DMARC to pass via DKIM alignment. - Encourage partners to use SRS for forwarding. - Prefer \~all or -all with strong [DKIM](/blog/complete-autospf-guide-configuring-spf-dkim-exclaimer-email-domain-security/) rather than ?all. - AutoSPF: _Audits DKIM coverage and suggests the strictest safe all-qualifier. It flags frequent forwarding paths from failure telemetry_. ### Delegated Subdomains and Shared Policies - Use redirect for hierarchy: - \_spf.example.com: v=spf1 ip4:198.51.100.0/24 include:\_spf.google.com -all - marketing.example.com: v=spf1 redirect=\_spf.example.com - AutoSPF: Manages a central \_spf node and updates child domains automatically, so changes propagate instantly without per-subdomain edits. ## Common Mistakes and How to Detect/Fix Them - Over-permissive +all or ?all: Effectively disables SPF; replace with \~all (testing) then -all. - Exceeding 10 lookups: Often due to stacked includes; flatten and aggregate. - Using ptr: Remove; it’s slow, unreliable, and widely ignored. - Missing or wrong includes: Providers rotate IPs; ensure the correct include and refresh. - Multiple SPF TXT records: Merge into one record; duplicates cause permerror. - Syntax typos: ip4 vs ipv4, missing colons, stray semicolons, or misplaced quotes. - Authorizing inbound-only MX: Don’t assume inbound = outbound; verify. - redirect with an earlier all: redirect will never fire; move all to redirected policy or remove redirect. _AutoSPF runs lint checks, simulates receiver behavior (including void limits), and offers one-click remediations_. In a 90-domain retail case study, AutoSPF found 12 duplicate SPF records, 3 ptr uses, and 7 domains over the 10-lookup limit; remediation raised DMARC pass rates from 84% to 97% in two weeks. ## Interactions with Forwarding, DKIM, and DMARC - Forwarding/Mailing lists: Expect SPF to fail; DKIM must carry you. Sign all mail at your boundary MTA and align From with the d= domain for DMARC. - DMARC: SPF OR DKIM alignment passes; when SPF is brittle due to forwarding, favor DKIM reliability. - ARC: For complex list processing, ARC can preserve authentication results; adoption varies. - Policy stance: With DKIM robust, -all is safe; otherwise, stay at \~all until DKIM coverage is >99%. AutoSPF correlates authentication results with receiver feedback to quantify how often forwarding breaks SPF and will recommend DKIM-first posture before moving to -all. ## IPv6-Specific Considerations - Syntax: ip6: \[/prefix\], using compressed IPv6 as needed (e.g., ip6:2001:db8::/32). - Dual-stack a: The a mechanism evaluates both A and AAAA; be intentional about which hosts are dual-stack. - Aggregation: Prefer summarizing contiguous IPv6 ranges (e.g., /48 blocks) to reduce token count. - Provider IPv6: Many cloud platforms send over IPv6 by default; ensure you include or flatten their AAAA ranges. AutoSPF normalizes [IPv6](https://en.wikipedia.org/wiki/IPv6) notation, merges overlapping networks, and confirms that your advertised IPv6 actually appears in successful deliveries before adding it. ![Email Validation, Monitoring](https://media.mailhop.org/autospf/images/2026/01/spf-record-syntax-4225.jpg) ## Validation, Monitoring, and Troubleshooting Toolkit - Local checks: - dig TXT example.com +short - dig TXT \_spf.example.com +multi - SPF result simulation with openssl s\_client + swaks or native [MTA logs](https://docs.trendmicro.com/en-us/documentation/article/deep-discovery-director-%28consolidated-mode%29-53-online-help-querying-mta-logs). - Online validators: - Kitterman SPF checker, dmarcian SPF surveyor, and mailbox-provider-specific tools. - CI/CD and monitoring: - _Test in non-production subdomains first (e.g., test-spf.example.com)_. - Track DMARC aggregate reports (RUA) for pass/fail deltas after changes. - Alert on provider IP changes and record-length growth. AutoSPF integrates continuous validation, change alerts, DMARC/SMTP telemetry, and a staging preview; its “What-if” engine shows your exact pass/fail by sender IP if you reorder or flatten, before publishing. ## FAQ ### Does exp= leak information or help deliverability? - exp= is rarely displayed to end users and does not influence pass/fail; it can leak internal info if verbose. _Keep it generic or omit. AutoSPF disables exp by default unless you explicitly enable and author the message_. ### Should I use \~all or -all? - Use \~all during rollout or when DKIM coverage is incomplete; switch to -all once DKIM alignment is consistently >99% and legitimate senders are fully authorized in SPF. _AutoSPF tracks these metrics and recommends the switch point_. ### Is it safe to use mx in SPF? - Only if your MX hosts are also your outbound senders. _If MX is hosted by a third party only for inbound, mx can unintentionally authorize their entire outbound fleet_. AutoSPF flags this and suggests ip4/ip6 or provider includes. ### How do includes affect the 10-lookup limit? - Each include can trigger multiple lookups, and includes can nest. It’s common to exceed the limit with 3-4 providers. AutoSPF models the entire include graph and applies flattening to reduce it to well below 10. ### Can I publish both TXT and SPF RR? - Don’t. Publish only TXT; the SPF RR type is obsolete and may cause inconsistent results. AutoSPF removes or warns about SPF RR records. ## Conclusion: Put SPF on Autopilot with AutoSPF \_The SPF mechanisms you’ll use most are a, mx, ip4, ip6, include, exists (with care), and all, modified by +, -, \~, or ?, with redirect= and exp= as the key modifiers; getting them right means respecting lookup limits, ordering for speed and safety, covering IPv4/IPv6, and planning for forwarding and third-party sender\_s. AutoSPF operationalizes all of this: it expands and safely flattens includes, aggregates IPs, enforces the 10-lookup and void limits, validates syntax and publishing, simulates real-world outcomes, and monitors provider drift - so your SPF stays fast, correct, and future-proof. Whether you’re consolidating dozens of brands into a single redirect-based policy or adding a new marketing platform without breaking DMARC, AutoSPF gives you prescriptive guidance and automated updates from draft to deployment. ## Topics [ DKIM ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ SPF ](/tags/spf/)[ SPF record ](/tags/spf-record/) ![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Ready to get started? Try AutoSPF free — no credit card required. [ Book a Demo ](/book-a-demo/) ## Related Articles [ Foundational 8m AWeber SPF & DKIM Setup - A Guide by AutoSPF Nov 27, 2025 ](/blog/aweber-spf-dkim-setup-a-guide-by-autospf/)[ Foundational 12m Common SPF Record Examples and How to Implement Them Correctly Jan 2, 2026 ](/blog/common-spf-record-examples-and-how-to-implement-them-correctly/)[ Foundational 14m Common SPF Record Problems And How You Can Fix Them Today Aug 28, 2025 ](/blog/common-spf-record-problems-and-how-you-can-fix-them-today/)[ Foundational 12m How can I create a correct SPF record for my domain using an SPF record generator? Dec 22, 2025 ](/blog/create-correct-spf-record-domain-using-spf-record-generator/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"What are the most common SPF record mechanisms and modifiers in the syntax?","description":"The most common SPF mechanisms are a, mx, ip4, ip6, include, exists, ptr (discouraged), and all, each optionally prefixed by qualifiers + (pass),, (fail).","url":"https://autospf.com/blog/most-common-spf-record-mechanisms-and-modifiers-syntax-guide/","datePublished":"2026-01-05T21:05:50.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2026-01-05T21:05:50.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/most-common-spf-record-mechanisms-and-modifiers-syntax-guide/"},"articleSection":"foundational","keywords":"DKIM, DMARC, SPF, SPF record","wordCount":2161,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2026/01/spf-record-office-365-5521.jpg","caption":"SPF record mechanisms","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"Does exp= leak information or help deliverability?","acceptedAnswer":{"@type":"Answer","text":"- exp= is rarely displayed to end users and does not influence pass/fail; it can leak internal info if verbose. _Keep it generic or omit. AutoSPF disables exp by default unless you explicitly enable and author the message_."}},{"@type":"Question","name":"Should I use ~all or -all?","acceptedAnswer":{"@type":"Answer","text":"- Use ~all during rollout or when DKIM coverage is incomplete; switch to -all once DKIM alignment is consistently >99% and legitimate senders are fully authorized in SPF. _AutoSPF tracks these metrics and recommends the switch point_."}},{"@type":"Question","name":"Is it safe to use mx in SPF?","acceptedAnswer":{"@type":"Answer","text":"- Only if your MX hosts are also your outbound senders. _If MX is hosted by a third party only for inbound, mx can unintentionally authorize their entire outbound fleet_. AutoSPF flags this and suggests ip4/ip6 or provider includes."}},{"@type":"Question","name":"How do includes affect the 10-lookup limit?","acceptedAnswer":{"@type":"Answer","text":"- Each include can trigger multiple lookups, and includes can nest. It’s common to exceed the limit with 3-4 providers. AutoSPF models the entire include graph and applies flattening to reduce it to well below 10."}},{"@type":"Question","name":"Can I publish both TXT and SPF RR?","acceptedAnswer":{"@type":"Answer","text":"- Don’t. Publish only TXT; the SPF RR type is obsolete and may cause inconsistent results. AutoSPF removes or warns about SPF RR records."}}]}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://autospf.com/foundational/"},{"@type":"ListItem","position":4,"name":"What are the most common SPF record mechanisms and modifiers in the syntax?","item":"https://autospf.com/blog/most-common-spf-record-mechanisms-and-modifiers-syntax-guide/"}]} ```