Resourcesarrow right
Inbox Warm-Up Agentarrow right
SPF

SPF

Configure SPF records so receiving servers can verify that ItsBot and your sending infrastructure are authorized to send on behalf of your domain.

SPF (Sender Policy Framework)

SPF is a DNS record that lists which servers are allowed to send email for your domain.

What it is

SPF is a TXT record published in your DNS that tells inbox providers which IPs or services (like Google, Microsoft, or Mailgun) are permitted to send email using your domain.

Why it matters for deliverability

SPF helps prevent spammers from pretending to send from your domain. When SPF passes, inbox providers trust that the sending server is allowed, which improves deliverability.

How it works

When an email is received, the server checks the SPF record for the domain in the envelope sender (return-path). It then compares the sending IP against the allowed list in the SPF policy and returns a result like pass, fail, or softfail.

Example SPF DNS record

Example SPF TXT record for `example.com` sending via Google Workspace and Mailgun:

Host/Name: example.com

Type: TXT

Value: v=spf1 include:_spf.google.com include:mailgun.org ~all

  • `v=spf1` — SPF version.
  • `include:` — allow servers defined by other SPF records.
  • `~all` — soft fail for all others (not strictly allowed).
Common problems
  • Multiple SPF records on the same domain, which makes SPF invalid.
  • SPF lookup limit exceeded (more than 10 DNS lookups in one SPF check).
  • Forgetting to add all sending services, so some legitimate emails fail SPF.
  • Using `+all` which allows any server to send email for your domain.
  • Editing SPF manually and introducing syntax errors such as missing spaces or invalid mechanisms.
How to improve
  • Ensure there is only one SPF TXT record per domain and combine all mechanisms into it.
  • Add all authorized email services using their recommended `include:` values.
  • Avoid `+all` or `?all`; use `~all` (softfail) or `-all` (hard fail) once you are confident.
  • Use SPF check tools to test that your record stays under the DNS lookup limit.
  • Update your SPF record whenever you start or stop using an email-sending service.
Best practices
  • Keep the SPF record as simple and short as possible while listing all valid senders.
  • Document which tools and services are included in your SPF so changes are easy to manage.
  • Move carefully from `~all` to `-all` only when you are sure all legitimate senders are covered.
  • Check SPF results in message headers (for example, `spf=pass`) during testing.
  • Use SPF together with DKIM and DMARC for stronger protection and better inbox placement.