SPF Record Format
A complete reference guide to the Sender Policy Framework record format — mechanisms, qualifiers, modifiers, and real-world examples.
Anatomy of an SPF Record
v=spf1 ip4:192.0.2.1 include:_spf.google.com -all
Version
Mechanism
Mechanism
Qualifier + Catch-all
Mechanisms
Mechanisms define which servers are authorized to send email on behalf of your domain. Each mechanism counts toward the 10-DNS-lookup limit (except ip4, ip6, and all).
| Mechanism | Example | Description | DNS Lookup? |
|---|---|---|---|
| ip4 | ip4:192.0.2.0/24 | Authorize a specific IPv4 address or CIDR range | No |
| ip6 | ip6:2001:db8::/32 | Authorize a specific IPv6 address or range | No |
| a | a | Authorize the domain's A record IP addresses | Yes |
| mx | mx | Authorize the domain's MX record mail servers | Yes |
| include | include:_spf.google.com | Reference another domain's SPF record | Yes |
| all | -all | Catch-all mechanism — matches everything not previously matched | No |
| exists | exists:%{i}.spf.example.com | Check if a DNS A record exists (used in SPF macros) | Yes |
| ptr | ptr | Reverse DNS check (deprecated — do not use) | Yes |
Qualifiers
Qualifiers are prefixed to mechanisms and tell the receiving server what action to take when a match occurs. If no qualifier is specified, + (Pass) is the default.
Pass
Accept the email. The sender is authorized.
Fail
Reject the email. The sender is not authorized.
Soft Fail
Accept but mark as suspicious. Use during testing.
Neutral
No assertion. Treat as if there is no SPF policy.
Modifiers
redirect=
Directs SPF processing to another domain's SPF record. Replaces the current domain's policy entirely.
v=spf1 redirect=_spf.example.com exp=
Provides a custom explanation message when an SPF check fails. Useful for diagnostics.
v=spf1 ... -all exp=explain._spf.example.com Common SPF Record Examples
Basic — Single IP
v=spf1 ip4:192.0.2.1 -all Google Workspace + Your Server
v=spf1 ip4:192.0.2.1 include:_spf.google.com -all Google + Microsoft 365
v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all A + MX Records with Soft Fail
v=spf1 a mx include:_spf.google.com ~all Best Practices
- Never use
+all— it authorizes every server on the internet - Keep DNS lookups under 10 — use SPF flattening if needed
- Regularly review and update your SPF record when changing email providers
- Test your record after every change with an SPF checker tool
- Avoid the deprecated
ptrmechanism - Prefer
-all(hard fail) over~allonce you've verified all sending sources
Don't manage SPF records manually
AutoSPF automatically flattens and optimizes your SPF record format. Setup takes 60 seconds.
What Our Customers Say
"AutoSPF Flattens SPF Records Seamlessly & Keeps Changes Logged - I am quite pleased with the product"
It does what it promises to do, and does it very well. I appreciate that it keeps a log of changes made, which prevents many mistakes. A client's SPF record would have way too many lookups, but AutoSPF makes that problem go away. The length of the SPF record is typically not the issue; it's the amount of lookups in the record that are. AutoSPF "flattens" the record, automatically expanding the defined lookups to IP addresses or ranges. And it auto-updates the record when the un-flattened lookups change.
Peter J.
President · Small-Business (50 or fewer emp.)
"Helped us go beyond capacity"
AutoSPF did exactly as described, it helped us get past our 10 lookup limit. Afterwards, we hit another limit regarding overall capacity and when contacted, they quickly provided us with a new solution to eliminate capacity issues entirely going forward, so now we can add as many SPF records as needed. They also provided us with a personalized support video explaining their new method in its entirety using our instance as the example.
Verified User
Financial Services · Mid-Market (51-1000 emp.)