What is the Sender Policy Framework (SPF) in Email?


The Sender Policy Framework (SPF) is a framework that determines if the sender of a email transaction is valid.

Usage / Goal

It's part of the email authentication framework with DKIM where the goal is to:

How it works?

When a client tries to transmit a mail message to a server, it identifies itself with:

To determine if the sender is authorized to send an email, the smtp server:

  • will lookup a TXT record known as the SPF record that starts with v=spf1
  • read it and determine if the host is authorized to send email for the domain of the sender.

Example of Spf records

v=spf1 is a prefix that you will find in all records that permits to select the record.

  • -all: The domain sends no mail at all.
"v=spf1 -all"

  • Allow the host in the domain's MXes record to send mail for the domain, prohibit all others.
"v=spf1 mx -all"

  • +all Allow all hosts - The domain owner thinks that SPF is useless and/or doesn't care.
"v=spf1 +all"

Example of SPF dns record in the DNS zone provided by a domain registrar.

Spf Dns Zone

What is a SPF record?

The SPF dns record describes the set of hosts that are designated as outbound mailers for the domain. It determines which server(s) may send an email for a domain.

The SPF record value defines:

  • the mechanism of validation (where a validator should get the IP of the server back)
  • and a qualifier attached (what actions to take if the validation fails)

If you are forwarding email, the sender (ie gmail for instance) does not allow your server to send email on its behalf, you need to use the Sender Rewriting Scheme (SRS)


An SPF record 1) is composed of:

v=spf1 [[qualifier]mechanism...] 

Validation Process

SPF looks up the DNS record for an e-mail's from address's host header.

Evaluation of an SPF record can return any of these results

Result Explanation Intended action
Pass The SPF record designates the host to be allowed to send accept
Fail The SPF record has designated the host as NOT being allowed to send reject
SoftFail The SPF record has designated the host as NOT being allowed to send but is in transition accept but mark
Neutral The SPF record specifies explicitly that nothing can be said about validity accept
None no SPF record at all or no value accept
PermError syntax or evaluation error (eg. badly formatted SPF record) unspecified
TempError dns processing error (dns server not reachable) accept or reject

Mechanism of validation

Mechanisms can be used to describe the set of hosts which are designated outbound mailers for the domain.


  • all represents all mechanisms (generally at the end of the SPF record)
# no mail is send by the domain
v=spf1 -all
# Only the mx mechanism
v=spf1 mx -all
# All mechanism are allowed (ie the admin don't care, generally not found)
v=spf1 +all


#Allow any IP address between and
# If no prefix-length is given, /32 is assumed 
# example
v=spf1 ip4: ~all

# any IPv6 address between 1080::8:800:0000:0000 and 1080::8:800:FFFF:FFFF.
# example
v=spf1 ip6:2001:4860:4000::/36 ~all


A: the whole domain

a: the A records for domain are tested (AAAA for ipv6). If the client IP is found among them, this mechanism matches

# the current dns domain is used (all servers defined in A records may send email)

A: List of mailers

# list all the outbound mailers in a special A record under mailers.example.com

Create in the DNS zone multiple A record with the same name but differents IP

mailers.example.com. IN A
mailers.example.com. IN A
mailers.example.com. IN A


# the mx record plus another emails server
mx mx:deferrals.domain.com


include includes other records from other domains. You can include:

  • other host
  • but also other SPF records (generally stored under the zone spf.domain.com)

Example: include the host example.com

# if example.com has no SPF record, the result is PermError.


  • ovh hosting with the domain mx.ovh.com:
  • mailchimp
  • and google
v=spf1 include:mx.ovh.com include:servers.mcsv.net include:_spf.google.com ~all


You have also:

Mechanism Qualifier

Mechanisms can be prefixed with one of four qualifiers

  • + - Pass (default)
  • - - Fail
  • ~ - SoftFail
  • ? - Neutral


"v=spf1 -all"
"v=spf1 a -all"
"v=spf1 a mx -all"
"v=spf1 +a +mx -all"


Domains may also define modifiers. Each modifier can appear only once.

redirect | exp


SPF alignment is a check that compares:

Alignment examples with their SPF check results.

Sender Author (From:) Strict alignment Relaxed alignment
[email protected] [email protected] Pass Pass
[email protected] [email protected] Fail Pass
[email protected] [email protected] Fail Fail

The type of alignment check can be defined in your DMARC record via the aspf attribute with:

  • a s for strict
  • a r for relaxed


Online Checker

Library / Command line

SpfQuery / LibSpf

# fedora
yum install libspf2
yum install libspf2-progs
# or ubuntu
sudo apt install spfquery
  • Query: Don't pass
spfquery -ip= [email protected] -helo=spammer.tld
  • Query: Pass
spfquery -ip= [email protected] -helo=beau.bytle.net


jSpf is a Java library In 2023/10/16, there is a bug

Example: if you download the assembly, you can execute with the following command

java -cp ".\*;.\lib\*" org.apache.james.jspf.impl.SPFQuery --ip --sender [email protected] --helo beau.bytle.net

More … OpenSpf

See OpenSpf


With DNS - nslookup command line, you can query TXT record. You still need to search for the SPF record in the list.

nslookup -type=TXT bytle.net
Server:  amplifi.lan

Non-authoritative answer:
bytle.net       text =

        "v=spf1 a include:vps748761.ovh.net -all"


Discover More
Map Of Internet 1973
DNS - Record

A DNS record is a row in a DNS database. Example of a A record. where: api is a relative name IN is the INTERNET class (An other value is ANY) A is the A record is the Ip address...
Email - Mille and one way to send an email (professional and user)

This article shows you Mille and one way to send an email (ie known as transport in SMTP. submission port Before continuing, you need to know the basics of email and how it works with SMTP. If you...
How does the email system work? SMTP, POP, IMAP explained

This page gives you the foundations of the email system. At the end, you should be able to understand why when you configure your email client, you need to set up: The SMTP configuration And the...
How to configure your domain and your server to send and receive email

Configuring your domain to manage email is not an easy task, this article groups them on one place
Postsrsd Spf Pass
How to install the Sender Rewriting Scheme (SRS) on PostFix?

This page is the installation of postsrsd which implements Sender Rewriting Scheme (SRS) for Postfix. It's mandatory if you forward emails via the alias functionality....
What is DMARC (Domain-based Message Authentication)?

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a text DNS Record that indicates to the receiving server what actions should be taken if the emails do not pass the email authentication...
What is Email Authentication?

By default, the SMTP protocol does not have any authentication mechanism when the email is received. There may be an authentication when you try to send but not when you receive. To prevent spoofing...
Gmail Show Original Email
What is a Email Message ? known as Internet Message or RFC822

An email is a document that is composed of the following structure * one or more headers * followed by a body that may be composed of multi-parts: * Text part * HTML part * Attachment and...
What is an SMTP reception?

SMTP has two sides, sending and receiving, this article is all about how to receive

Share this page:
Follow us:
Task Runner