SPF — Sender Policy Framework
A TXT record that lists which IPs may send mail from your domain. The simplest of the three auth records — and the one most often broken by a forgotten include.
SPF is a TXT record on your sending domain. It tells receivers which IP addresses are authorised to send mail "from" that domain. Receivers do a DNS lookup, find your SPF record, and reject mail whose source IP is not on the list.
The minimal SPF record
dnsacme.dev. IN TXT "v=spf1 include:_spf.voltmail.dev ~all"Three parts: the version (always v=spf1), the includes (_spf.voltmail.dev expands into the actual VoltMail sending IPs), and the all qualifier.
The all qualifier — what to use
- +all — pass everything. Effectively no SPF. Never use.
- ~all (softfail) — receivers may accept but mark suspicious. Safe default while you migrate.
- -all (hardfail) — receivers reject outright. Use only when 100% certain no other system sends as your domain.
- ?all (neutral) — explicitly says "I have no policy." Don't use.
The 10-lookup limit
SPF caps DNS lookups at 10 — exceed that and your record evaluates to permerror, which most receivers treat as a fail. Each include: counts as a lookup. So does mx, a, and exists.
If you send through more than 4-5 vendors you will hit the limit. Solutions: SPF flattening (we publish the IPs directly, not as include:), or migrating senders onto fewer providers. We auto-flatten on Pro+ and Pro Max.
Common mistakes
- Two SPF records on one domain — only one is valid; the other invalidates the lookup.
- Forgetting subdomains — receipts.acme.dev needs its own SPF record (or SPF inheritance via DMARC).
- Including a vendor that no longer sends for you — adds a lookup with no benefit.
- Using ip4: with a /24 — works, but breaks every time the vendor adds capacity.