SPF - Sender Policy Framework
SPF is a DNS-based email authentication protocol that specifies which mail servers are authorized to send emails on behalf of a domain, thereby preventing email spoofing.
Table of Contents (5 sections)
SPF (Sender Policy Framework) is a DNS TXT record that lists authorized mail servers for a domain. Receiving mail servers check whether an incoming email was sent from a server listed in this record—and may reject it or mark it as spam if it was not.
SPF is one of the three building blocks of email authentication. The other two are DKIM (cryptographic signature) and DMARC (policy and reporting). All three are necessary for complete email protection.
How SPF works
- Sender sends email from
info@beispiel.devia server203.0.113.10 - Receiving mail system queries DNS for
TXT beispiel.de - SPF record reads:
v=spf1 ip4:203.0.113.0/24 -all - IP
203.0.113.10is within the allowed range → SPF pass - If it is not within the allowed range → SPF fail
Important: SPF checks the envelope From address (technical SMTP MAIL FROM), not the visible From: header in the email. An attacker can pass SPF and still display a false From: header—which is why DMARC (alignment check) is absolutely necessary.
SPF Record Syntax
v=spf1 [mechanisms] [modifier]Mechanisms
| Mechanism | Meaning |
|---|---|
ip4:203.0.113.0/24 | IPv4 address or range |
ip6:2001:db8::/32 | IPv6 address or range |
include:_spf.google.com | Inclusion of another domain’s SPF record |
a | The A record of your own domain |
mx | All MX records of the domain |
all | Matches all sources not previously matched |
Qualifiers (before the mechanism)
| Qualifier | Meaning | Recommendation |
|---|---|---|
+ (default) | Pass - source is authorized | For allowed sources |
- | Fail (hard fail) - source is not authorized, rejection | For all at the end |
~ | Soft fail - not authorized, but do not strictly reject | Only as a temporary measure |
? | Neutral - no statement | Avoid |
Recommended pattern:
v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -allThe 10-DNS-Lookup Limit
SPF allows a maximum of 10 DNS lookups per SPF check. Each include:, a, or mx mechanism counts as one lookup. With many cloud services (Google Workspace, Microsoft 365, Salesforce, HubSpot, Zendesk...), this limit is quickly reached—and SPF aborts with a PermanentError, leading to delivery issues.
Solution: SPF flattening (resolving all includes to direct IP addresses) or using SPF macros. Regularly check with tools like MXToolbox or dmarcian.
Common SPF Errors
Missing -all at the end: Without a trailing qualifier, every server is implicitly neutral—the SPF record provides no protection.
~all instead of -all: A soft fail means recipients will still deliver the email (albeit marked as spam). Only useful during the transition phase.
Forgotten unknown mail sources: Marketing automation, CRM, ERP, ticketing systems—all send emails under the company name and must be included in the SPF record.
Subdomains: SPF records do not automatically apply to subdomains. mail.example.com needs its own SPF record.
SPF in conjunction with DMARC
SPF alone is not sufficient because:
- SPF checks the Envelope-From, not the visible From header
- SPF often fails with email forwarding (e.g., alumni addresses)
DMARC resolves both issues: It requires SPF alignment (the Envelope-From and From headers must belong to the same domain) and specifies what should happen if alignment fails.
Recommended implementation path:
- Set up SPF with
-all - Enable DKIM for all mail sources
- Enable DMARC with
p=noneand collect reports - Gradually tighten DMARC to
p=quarantine→p=reject
Further information: DMARC Wiki article | DKIM Wiki article
Sources & References
- [1] RFC 7208 - Sender Policy Framework (SPF) - IETF
- [2] Google - SPF-Eintrag einrichten - Google
Questions about this topic?
Our experts advise you free of charge and without obligation.
About the Author
Geschäftsführender Gesellschafter der AWARE7 GmbH mit langjähriger Expertise in Informationssicherheit, Penetrationstesting und IT-Risikomanagement. Absolvent des Masterstudiengangs Internet-Sicherheit an der Westfälischen Hochschule (if(is), Prof. Norbert Pohlmann). Bestseller-Autor im Wiley-VCH Verlag und Lehrbeauftragter der ASW-Akademie. Einschätzungen zu Cybersecurity und digitaler Souveränität erschienen u.a. in Welt am Sonntag, WDR, Deutschlandfunk und Handelsblatt.
10 Publikationen
- Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
- Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
- IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
- Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
- Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
- Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
- Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
- IT Security Zertifizierungen — CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
- Sicherheitsforum Online-Banking — Live Hacking (2021)
- Nipster im Netz und das Ende der Kreidezeit (2017)
