# What is SPF? Sender Policy Framework Explained

> Explore SPF, the email authentication tool that prevents domain spoofing.

Sender Policy Framework (SPF) is an [email authentication](/resources-post/what-are-dmarc-dkim-and-spf) protocol designed to prevent unauthorized use of a domain in email sending, helping to combat [spoofing](https://palisade.email/learning/what-is-spoofing) and [phishing](https://palisade.email/learning/what-is-phishing). By specifying which servers are allowed to send emails on behalf of your domain, SPF enables receiving mail servers to verify the legitimacy of incoming messages. It’s a foundational component of email security, often used alongside [DKIM (DomainKeys Identified Mail)](https://palisade.email/learning/what-is-dkim) and [DMARC (Domain-based Message Authentication, Reporting, and Conformance)](https://palisade.email/learning/what-is-dmarc) to create a robust defense against email fraud.


## How Does SPF Work?

SPF operates through a straightforward process that hinges on [DNS (Domain Name System)](https://palisade.email/learning/what-is-a-dns) records:

![Three-step flow showing how SPF works: publish a DNS record, the receiver checks the sender's IP against it, then the email passes or fails.](/images/figures/what-is-spf-fig1.webp)
*SPF verification hinges on a TXT record published in your DNS.*

- Publish an [SPF Record](/tools/spf): The domain owner creates a TXT record in their DNS, listing the IP addresses or servers authorized to send emails for their domain. For example, an SPF record might look like: v=spf1 ip4:192.0.2.0 include:_spf.example.com -all. This tells receivers which servers are legit and what to do with unauthorized ones.
- Verification by Receivers: When an email arrives, the receiving server checks the sender’s domain against its SPF record. It compares the sending server’s IP address to the authorized list in the DNS.
- Pass or Fail: If the IP matches an authorized source, the email passes SPF. If not, it fails, and the receiver applies the domain’s specified action (e.g., mark as [spam](https://palisade.email/learning/understanding-spam-emails) or reject), often guided by DMARC policies.

The SPF record uses qualifiers like + (pass), - (fail), ~ (soft fail), or ? (neutral) to define how strictly to enforce the rules, with -all indicating a strict policy to block unauthorized emails.

## Why SPF Matters

SPF brings several critical benefits to domain owners and email ecosystems:

- Prevents Spoofing: By restricting who can send emails from your domain, SPF stops attackers from forging your domain in phishing or spam campaigns.
- Enhances Email Security: It provides a clear mechanism to verify legitimate senders, reducing the risk of malicious emails reaching inboxes.
- Improves Deliverability: Properly configured SPF signals to email providers that your domain is trustworthy, increasing the chances your emails land in the inbox rather than the spam folder.
- Supports Broader Authentication: SPF is a key pillar of DMARC, which combines it with DKIM to enforce policies and provide reporting, amplifying its impact.

## Things to Keep in Mind

While SPF is a powerful tool, it requires careful setup and maintenance:

![Checklist of four SPF maintenance points: cover all senders, respect the 10-lookup limit, pair with DKIM and DMARC, and keep the record updated.](/images/figures/what-is-spf-fig2.webp)
*A missed sender or stale record can cause valid emails to fail authentication.*

- Comprehensive Records: Ensure all legitimate email sources—like your mail servers, marketing platforms, or third-party vendors—are included in the SPF record. Missing one can cause valid emails to fail authentication.
- Record Limits: DNS has a limit on SPF record length (10 lookups max). If you use multiple services, use include mechanisms wisely or flatten the record to avoid exceeding this limit.
- Not Foolproof Alone: SPF only checks the sending server’s IP, not the email’s content or integrity. Pair it with DKIM (for signatures) and DMARC (for policy enforcement) for full protection.
- Regular Updates: If you change email providers or add new services, update your SPF record promptly to avoid delivery issues.

## Wrapping Up

SPF is a cornerstone of email security, empowering domain owners to control who can send emails on their behalf. By publishing a clear policy in DNS, it helps block spoofed emails, protects your brand, and boosts trust with recipients. When combined with DKIM and DMARC, SPF forms a vital part of a comprehensive email authentication strategy, making it essential for anyone serious about secure communication.

‍
