SPF glossary

What does the exp modifier do in an SPF record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

exp= points to a TXT record whose text becomes the human-readable explanation a receiver *may* attach when your mail fails SPF. In practice almost no receivers display it, and DMARC reporting has made it effectively obsolete — failure visibility now comes from aggregate reports, not explanation strings. Safe to omit.

exp= at a glance
Tagexp (modifier)
Valid valuesexp=<domain> — a domain whose TXT record holds the explanation text (macros allowed)
DefaultOptional. If absent or broken, receivers just use their own default message — no error.
Where it goesAnywhere after v=spf1; at most one per record. Most records rightly have none.

How exp= works

When a message fails SPF, a receiver that honors exp= looks up the TXT record at the named domain, expands any macros, and includes the resulting text in its rejection — in theory giving the sender a custom, helpful error like “see https://example.com/spf for help.”

In practice, the theory never landed: almost no receivers fetch or display the text, so the modifier mostly adds one more DNS name to keep alive for an audience that isn't looking. The visibility problem it tried to solve is now handled properly by DMARC aggregate reporting, which shows you every failing source in structured data. If you're deciding whether to add exp= — don't. If you find one in an old record, removing it changes nothing.

Correct record vs common mistake

Correct

v=spf1 ip4:192.0.2.10 -all

No exp at all — the modern record. Failure visibility comes from DMARC reports, not explanation strings.

Common mistake

v=spf1 ip4:192.0.2.10 -all exp=explain._spf.example.com

Not invalid — just pointless. Almost no receivers display the text, and it's one more DNS name to keep alive forever.

Troubleshooting exp=

IssueLikely causeFix
The exp target TXT record was deleted — did anything break?Nothing — receivers that would use exp simply fall back to their own default messageTake the opportunity to remove the exp modifier from the record too
Bounce messages don't show the custom textMost receivers never fetch or display exp — expected behaviorUse DMARC aggregate reports for failure visibility instead of explanation strings
A checker flags exp as unnecessaryIt is — the modifier is effectively obsolete in practiceRemove it; smaller records have fewer things to maintain and fewer ways to confuse the next reader

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Harmless, but it's clutter — and at 50–200 tenants, clutter compounds: every exp= in a client template is an extra DNS name to keep alive and an extra line for the next tech to puzzle over, purchased for a message no receiver shows. Strip it from your templates; spend the attention on the parts of the record that decide delivery.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

The visibility `exp=` promised is what DMARC reports actually deliver. Palisade reads them for every client domain — every failing source, in structured data — and turns that evidence into safe policy advancement to `p=reject`, which no explanation string ever did.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

Almost never. Support for displaying it has always been rare, and it's rarer now. Don't count on anyone seeing it.

No. It solves a visibility problem that DMARC aggregate reporting solves properly. Omit it in new records and feel free to remove it from old ones.

No — its lookup happens only after an evaluation has already failed, and RFC 7208 excludes it from the lookup-triggering terms. It costs maintenance, not budget.

Related terms

What is SPF? Sender Policy Framework explained