arrobaMail
Deliverability · Authentication

SPFthe gatekeeper of your domain

Sender Policy Framework

Sender Policy Framework is the DNS record that tells receiving servers which IPs and servers are allowed to send mail using your domain in the sender address. Without a properly configured SPF, your campaigns end up in spam or get rejected.

arrobaMail · DeliverabilitySPF
Concept

What is SPF and why does it exist?

SPF (Sender Policy Framework) is an open standard defined in RFC 7208. It works like an allowlist: you publish in your domain's DNS which servers are authorized to send mail on your behalf.

When Gmail, Outlook, or any receiving server gets a mail with sender "@yourdomain.com", it checks the domain's SPF record. If the sending server's IP is on the list, the mail passes SPF verification. If not, it's treated as suspicious.

Without SPF, anyone can forge your sender address (spoofing). With a misconfigured SPF, your legitimate mail lands in spam.

Anatomy

Anatomy of an SPF record

Real example

v=spf1 include:_spf.arrobamail.com ~all
v=spf1

Version

Indicates this is an SPF version 1 record. Mandatory at the start.

include:_spf.arrobamail.com

Include mechanism

Imports arrobaMail's authorized servers. You can have several includes (one per provider that sends on your behalf).

~all

Policy

~all = softfail (mark as suspicious). -all = hardfail (reject). ?all = neutral. Start with ~all and move to -all once you're confident.

Step by step

How to set it up correctly

Steps in order. Skipping one usually leads to problems that take days to diagnose.

  1. 01

    Identify every service that sends on your behalf

    List each tool that sends email using your domain: your marketing platform (arrobaMail), Google Workspace, Microsoft 365, CRM, ticketing system, transactional senders, etc.

    Tip: If you forget one, its mail will fail SPF.

  2. 02

    Gather each provider's include

    Each platform publishes its own include. arrobaMail's is include:_spf.arrobamail.com. Google's is include:_spf.google.com. Outlook's is include:spf.protection.outlook.com.

  3. 03

    Build a single TXT record

    Your domain must have exactly one SPF record (not multiple). Combine all includes into a single line: v=spf1 include:_spf.arrobamail.com include:_spf.google.com ~all.

    Tip: Having two SPF records is a very common mistake that invalidates authentication.

  4. 04

    Publish the TXT record in your DNS

    In your DNS provider (Cloudflare, GoDaddy, Route53, etc.) create a TXT record with Name = @ (or your root domain) and Value = the SPF string you built.

  5. 05

    Verify propagation and syntax

    Propagation can take anywhere from minutes to 24 hours. Use the verification tools from the next step to confirm it's active and error-free.

Common mistakes

What breaks often (and how to fix it)

Having more than one SPF record

If you publish two TXT records with v=spf1, receivers discard both as invalid.

How to fix it: Consolidate into a single record with all the necessary includes.

Exceeding the 10 DNS lookup limit

SPF has a hard limit of 10 lookups (each include counts as one or more). Exceeding it causes a permerror.

How to fix it: Audit your includes and remove providers you no longer use. If you're still over 10, use manual flattening or SPF flattener tools.

Forgetting the final all mechanism

A record without ~all or -all implicitly defaults to ?all (neutral), leaving the door open to spoofing.

How to fix it: Always close with ~all (safe initial mode) and move to -all once you confirm all your sends pass.

Using -all too early

If you jump straight to -all with incomplete includes, your legitimate mail will be rejected with no chance of review.

How to fix it: Start with ~all, monitor DMARC reports for a few weeks, and only then move to -all.

Verification

How to confirm it's set up right

Three ways to check — from your terminal or online tools. If all of them return OK, you're done.

01

Linux/Mac terminal

dig TXT tudominio.com +short

Returns the SPF string if it's published.

02

Windows PowerShell

Resolve-DnsName -Type TXT tudominio.com

Lists the TXT records, including the SPF one.

03

Online

mxtoolbox.com/spf.aspx

Full analysis with error and warning detection.

How arrobaMail handles it

At arrobaMail we help you configure SPF step by step from the dashboard: we give you the exact include, validate the syntax of the record you want to publish, and monitor verification once it's active.

Frequently asked questions

What people ask most about SPF

No. Only one SPF record (a single TXT with v=spf1) is allowed per domain. Having two invalidates authentication. What you can have is multiple includes within that single record.

Not automatically. Each subdomain can have its own SPF. If you don't set one, behavior depends on the receiver — some consider the root domain's SPF, others treat it as having no policy. The safest approach is to publish SPF on subdomains you send from too.

It depends on your DNS's TTL. For most providers it's between 5 minutes and 4 hours. In extreme cases, up to 24-48 hours. Cloudflare usually propagates in under 5 minutes.

If you have ~all, receivers flag it as suspicious (it may land in spam). If you have -all, they reject it outright. That's why it's crucial to list every legitimate service before moving to -all.

No. They're complementary. SPF authenticates the sending server. DKIM authenticates the message content with a cryptographic signature. DMARC combines both and enforces a policy. Ideally, you have all three in place.

Get started with arrobaMail
in under 5 minutes.

Free plan, AI generations included, no credit card required — and real support from a real team.

Try it free now
WhatsAppOur team replies