SPF (Sender Policy Framework) is a DNS TXT record that tells receiving mail servers which IP addresses are authorised to send email on behalf of your domain.
When a message arrives claiming to be from you@yourcompany.com, the receiving server checks your domain’s SPF record to confirm that the sending server’s IP address is on your approved list. If it is not, the message may be flagged as suspicious or rejected.
What an SPF record looks like
For Google Workspace, your SPF record looks like:
v=spf1 include:_spf.google.com ~all
This says: “accept email from all servers in Google’s SPF list; treat anything else as suspicious (softfail).”
For Microsoft 365:
v=spf1 include:spf.protection.outlook.com -all
The -all (hardfail) tells receivers to reject messages that don’t match — more strict than ~all (softfail).
SPF and inbox placement rate
SPF is one of three authentication mechanisms that affect inbox placement rate (IPR). A missing or broken SPF record is one of the most common causes of messages landing in spam.
The relationship: SPF tells receivers “this IP is allowed to send for this domain.” Without SPF, receivers have to make a trust decision with less information — and often err on the side of spam-flagging.
With a correctly configured SPF record, your domain passes the first of three authentication checks. Passing all three (SPF, DKIM, DMARC) is the baseline for strong deliverability.
SPF limitations
SPF only checks the envelope sender (the technical MAIL FROM address), not the From header the recipient sees. This means a spammer can pass SPF checks while still spoofing the visible From address — which is why DKIM and DMARC are needed on top of SPF.
SPF also breaks when email is forwarded: the forwarder’s IP is not on your SPF list, so forwarded messages often fail SPF. DKIM survives forwarding; SPF does not.
Checking your SPF record
To check your current SPF record: dig TXT yourcompany.com | grep spf or use MXToolbox’s SPF checker.
Common problems to look for:
- Missing SPF record entirely
- Multiple SPF records (only one is allowed — merge them)
- SPF record that does not include your email host’s sending IPs
- Too many DNS lookups (SPF allows a maximum of 10 “include” lookups)