SPF glossary

What does v=spf1 mean at the start of an SPF record?

Samuel Chenard

By Samuel Chenard · CEO & Co-Founder, Palisade · Reviewed July 15, 2026

v=spf1 is the version identifier that marks a TXT record as an SPF record. It must be the exact first term — receivers ignore any TXT record that doesn't start with it. A domain must have at most one: two or more records starting v=spf1 is a permerror, and SPF breaks entirely.

v=spf1 at a glance
Tagv (version)
Valid valuesspf1 — the only version there is; there is no v=spf2
DefaultRequired — a TXT record that doesn't begin with v=spf1 simply isn't an SPF record.
Where it goesThe exact first term of the record, e.g. v=spf1 include:_spf.google.com -all

How v=spf1 works

SPF lives in an ordinary TXT record published on the domain name itself — at the apex for yourdomain.com, with no special prefix like DMARC's _dmarc. Receivers fetch the domain's TXT records and treat the one starting v=spf1 as its SPF policy. That's why the version tag must be the exact first characters: it's the marker that says “this TXT record is my SPF record.”

One domain, one SPF record. If a receiver finds two or more TXT records starting v=spf1, RFC 7208 says the result is a permerror — SPF fails to evaluate at all. This is one of the most common real-world SPF breakages: someone adds a second record for a new email tool instead of merging the new mechanism into the existing record.

And no, there is no v=spf2. The spf2.0/pra strings in old documentation belong to Sender ID, an abandoned Microsoft experiment. Publish v=spf1 and nothing else.

Correct record vs common mistake

Correct

v=spf1 include:_spf.google.com ip4:192.0.2.10 -all

One record: version tag first, your senders in the middle, a catch-all at the end.

Common mistake

v=spf1 include:_spf.google.com -all
v=spf1 include:sendgrid.net -all

Two SPF records on one domain is a permerror — receivers can't pick one, so SPF breaks entirely. Merge the includes into a single record.

Generate your SPF record

Build a correct SPF record for your domain — add your senders, copy the TXT record. Free, no signup.

Who sends email for this domain?

Each service adds its documented include mechanism.

From your provider's docs, e.g. spf.example-esp.com — commas or spaces between multiple. Some services (Klaviyo, HubSpot, Mailchimp Transactional) authenticate through their own CNAME records instead of a shared include — check their DNS settings page.

How should receivers treat everyone else?

Your SPF record

0/10 DNS lookups

Publish as a TXT record at the domain root. One SPF record per domain — if one exists, merge into it instead of adding another.

Host / Name

yourdomain.com (or @)

Value (TXT)

v=spf1 ~all

Record type: TXT · ip4/ip6 mechanisms don't count against the 10-lookup limit.

Nothing is authorized yet — this record would tell receivers that no server may send for your domain. Select your email providers above (or tick the parked-domain option if that's intended).

After you publish

  1. Add the TXT record at your DNS host.
  2. Verify it with the free SPF checker.
  3. SPF alone doesn't stop spoofing — pair it with DKIM and a DMARC policy. Generate one with the DMARC record generator.

Troubleshooting v=spf1

IssueLikely causeFix
Checker says 'no SPF record found' but a TXT record existsThe record doesn't begin with the exact string v=spf1 — leading whitespace, a typo, or text pasted before itMake v=spf1 the very first characters of the TXT value, then re-check
Mail broke right after adding a new email toolThe tool's setup guide had you create a second v=spf1 record next to the existing oneDelete one record and merge: a single v=spf1 line containing both includes, ending in -all
Record edits don't seem to take effectDNS TTL — receivers are still serving the cached old recordWait out the TTL and re-test; lower the TTL ahead of planned SPF changes

See this on your own domain

Enter your domain — the check runs instantly on the next page. Free, no signup.

Why it matters for MSPs

Across 50–200 client domains, duplicate v=spf1 records are one of the most common inherited messes: a previous provider's record sits next to yours, and the domain permerrors while looking “configured” in DNS. Every tool onboarding is another chance for a client to paste a second record instead of merging — and the breakage is silent until mail starts failing.

Trusted by MSPs

Palisade allowed our team to deploy DMARC on our domains in minutes instead of hours and making sure our clients are compliant with cutting edge security recommendations from Microsoft.
Alvin KalliAlvin Kalli CSIO, MSP Corp
Partner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner LogoPartner Logo

Enforce it — don't just monitor it

A broken version line doesn't announce itself — it shows up as SPF quietly contributing nothing. Palisade reads every client domain's DMARC reports, so a record that stopped evaluating surfaces as evidence, and each domain still advances safely toward `p=reject` on data, not guesswork.

Free 15-day trial · No credit card · Your own domain free forever (NFR)

Frequently asked questions

No. RFC 7208 says multiple records starting v=spf1 produce a permerror — SPF stops working entirely. Merge all mechanisms into one record instead.

As a TXT record on the domain name itself — the apex for your main domain, or the specific subdomain that sends mail. There's no special prefix like DMARC's _dmarc.

Not anymore. The dedicated SPF record type (type 99) is obsolete — RFC 7208 says to use a TXT record only. Publishing the old SPF type adds nothing.

No. spf2.0/pra was Sender ID, a separate Microsoft proposal that never took hold. The only live SPF version is spf1.

Related terms

What is SPF? Sender Policy Framework explained