What is SPF?

In addition to the DMARC record we explain in our 'What is DMARC?' article, an SPF record is also well-known in the world of email. You can think of the SPF record as complementing DMARC. It shows which servers are allowed to send emails from your domain. At Lettermint, we use SPF in a slightly different way to send transactional emails. In this article, we'll explain what SPF is and how we use it at Lettermint.

What is SPF

SPF stands for Sender Policy Framework. It's an email verification method developed in 2006 to prevent email spoofing. With an SPF record, you determine which mail servers are allowed to send emails on behalf of your domain.

Think of it as a list of approved senders. When someone sends an email from your domain, the receiving mail server checks this list. Is the sending server on the list? Then the email is allowed. If not, the mail server can reject the email or mark it as spam.

SPF works together with DMARC to protect your domain. While DMARC sets the policy, SPF provides the technical verification of sending servers. This combination makes it difficult for bad actors to impersonate your company.

How SPF works

SPF works through the DNS system. When a mail server receives an email, it performs the following steps:

  1. The server looks at the sender's domain (the part after @ in the email address)
  2. It then queries the SPF record from that domain's DNS
  3. The server checks if the sending server's IP address is in the SPF record
  4. Based on this check, the email is accepted, rejected, or marked as spam

This process happens automatically within seconds. That's why it's so important to set up your SPF correctly. One mistake and your important emails might not arrive - you definitely don't want that.

How to set up SPF

An SPF record is a TXT record in your DNS. It always starts with v=spf1 and ends with an action that indicates what should happen to servers that aren't on the list.

A simple SPF record looks like this:

      v=spf1 include:_spf.google.com -all

    

This record indicates that only Google is allowed to send emails on behalf of your domain. The -all at the end means that other servers are rejected (hard fail).

SPF mechanisms and modifiers

SPF uses two types of instructions: mechanisms and modifiers.

Mechanisms are the rules that determine which servers may send emails. They are executed from left to right and stop as soon as a match is found. These are the main mechanisms:

Mechanism   Description                          Example
include     Add SPF record from another domain   include:_spf.lettermint.co
ip4         Allow specific IPv4 address          ip4:192.168.1.1
ip6         Allow specific IPv6 address          ip6:2001:db8::1
a           Allow domain's A record              a:mail.example.com
mx          Allow domain's MX servers            mx:example.com
all         Match all addresses                  ~all, -all, +all

Modifiers are optional instructions that provide extra information but don't directly determine if a server may send. The most important modifier is all, which appears at the end of your SPF record:

  • -all (hard fail): Reject emails from unauthorized servers
  • ~all (soft fail): Mark as suspicious but still deliver
  • +all (pass): Accept all emails (not recommended)
  • ?all (neutral): No judgment

Other modifiers are redirect (refer to another domain's SPF record) and exp (provide explanation for a fail), but these are rarely used.

SPF limits

SPF has several technical limitations you need to consider:

  • Maximum 1 SPF record per domain
    You can only have one SPF record in your DNS. Multiple SPF records make your configuration invalid. All services must therefore be included in this one record.
  • Maximum 10 DNS lookups per SPF check
    A DNS lookup is a query to the DNS system to retrieve information. Each time you use include, a, mx, exists, or redirect, it counts as a lookup. The receiving mail server may perform a maximum of 10 of these queries to check your SPF record.
  • Maximum 255 characters per line
    For longer records, you need to split them into multiple lines.
  • With multiple lines: maximum 512 characters total
    This is the absolute limit for your SPF record's total length.
  • Maximum 2 void lookups allowed
    A void lookup is a DNS query that returns no result. Too many failed lookups make your SPF record invalid.

These limits are important when you use multiple services. Each include counts as a DNS lookup. With too many lookups, the SPF check fails.

Note: Count your includes carefully! If you exceed the 10 DNS lookups, your SPF record may become invalid and emails might not arrive.
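
To count lookups before publishing a record, the sketch below walks include and redirect chains and totals every term that costs a DNS query. It is an added example, not Lettermint's code; the ZONE table and all *.example names are constructed stand-ins for live DNS, and ptr is counted as well because RFC 7208 lists it alongside the terms named above.

```python
# Constructed TXT data standing in for live DNS; every name is a placeholder.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:_spf.crm.example mx -all"],
    "_spf.mail.example": ["v=spf1 include:a.mail.example include:b.mail.example ~all"],
    "a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "b.mail.example": ["v=spf1 ip4:198.51.100.0/24 a:out.mail.example ~all"],
    "_spf.crm.example": ["v=spf1 exists:%{i}.allow.crm.example redirect=_spf.bulk.example"],
    "_spf.bulk.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all"],
}
# Terms that each cost the receiver one DNS query (ip4, ip6 and all cost none).
LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr", "redirect")

def spf_records(domain, zone=ZONE):
    # Only TXT strings whose first token is exactly "v=spf1" are SPF records.
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone=ZONE, seen=None):
    """Return (lookups, problems) for the SPF record published at domain."""
    seen = seen or set()
    records = spf_records(domain, zone)
    if len(records) != 1:
        return 0, [f"{domain}: {len(records)} SPF records (exactly 1 required)"]
    if domain in seen:
        return 0, [f"{domain}: include/redirect loop"]
    total, problems = 0, []
    for term in records[0].split()[1:]:
        # Strip the qualifier, then treat "redirect=x" like "redirect:x".
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.partition("/")[0].lower()        # "a/24" -> "a"
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):           # nested records count too
            sub, sub_problems = count_lookups(target, zone, seen | {domain})
            total += sub
            problems += sub_problems
    return total, problems

def audit(domain, zone=ZONE, limit=10):
    """Count lookups and flag a record that exceeds the 10-lookup limit."""
    total, problems = count_lookups(domain, zone)
    if total > limit:
        problems.append(f"{domain}: {total} DNS lookups exceeds limit of {limit}")
    return total, problems
```

With the constructed data, example.com costs 8 lookups even though its own record shows only three lookup terms; the rest come from nested includes and the redirect.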

Setting up SPF

Place your SPF record as a TXT record in your domain's DNS. For the domain example.com, place the record directly on example.com itself, not on a subdomain as you would with DMARC.

Using multiple email services? Add them all to one SPF record. You can only have one SPF record per domain.

Example with multiple services:

      v=spf1 include:_spf.google.com include:zoho.eu -all

    

Cloudflare DNS settings

SPF at Lettermint

At Lettermint, we do things differently. We use a clever solution to bypass the known SPF limits: the Return-Path method. Instead of having you add include:_spf.lettermint.co to your SPF record, we apply a different technique.

How does Return-Path work?

When Lettermint sends an email on behalf of your domain, we use a special Return-Path. This is the address where error messages (bounces) are sent. By using a Return-Path that ends with lettermint.co, the receiving mail server checks Lettermint's SPF record instead of your domain's.

This means that:

  • You don't need to add an include for Lettermint to your SPF record
  • You stay under the 10 DNS lookups limit
  • Your existing SPF configuration remains intact
  • Emails are still properly authenticated

Return-Path is an official SPF technique used by major email providers. Your emails remain fully authenticated and secure.

Why this approach?

Many of our customers use multiple email services. By using the Return-Path method, we prevent you from hitting SPF limits. You can use Lettermint alongside Google Workspace, Microsoft 365, or other services without worrying about the maximum number of DNS lookups.

When you add a domain to Lettermint, we ask you to add three DNS records: DMARC, DKIM, and a bounce record. These work together with our Return-Path configuration to ensure proper email authentication, without having to modify your SPF record.
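
The left-to-right, first-match evaluation from the mechanisms section and the Return-Path behaviour described here can be seen together in the added example below (not Lettermint's code). The records, IP addresses and the esp.example bounce domain are constructed; only ip4, ip6, include and all are evaluated, since a and mx need live DNS.

```python
import ipaddress

# Constructed records; bounce.esp.example stands in for a sending service's domain.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.10 include:_spf.partner.example -all",
    "_spf.partner.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "bounce.esp.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=RECORDS):
    """Evaluate ip against domain's record: left to right, first match wins."""
    record = records.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"   # no prefix means "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return RESULT[qualifier]
        elif name == "include":
            # Only a pass inside the included record counts as a match here;
            # its own fail or softfail does not end the outer evaluation.
            if check_host(ip, arg, records) == "pass":
                return RESULT[qualifier]
    return "neutral"    # ran off the end without any match

def spf_for_message(ip, return_path, header_from, records=RECORDS):
    """SPF is keyed on the Return-Path (envelope sender) domain, not on From."""
    spf_domain = return_path.rpartition("@")[2].lower()
    from_domain = header_from.rpartition("@")[2].lower()
    return {"spf_domain": spf_domain,
            "result": check_host(ip, spf_domain, records),
            "same_as_from": spf_domain == from_domain}
```

The same sending IP fails against example.com's own record but passes when the Return-Path points at the service's domain, which is why no include has to be added to the customer's record.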

SPF Check

Check below if your domain has a valid SPF. Note: Lettermint uses Return-Path for authentication, so it won't appear in this check.

SPF Checker

Conclusion

SPF is an essential part of email security. It works together with DMARC to protect your domain from abuse. At Lettermint, we ensure your configuration continues to work optimally through our Return-Path implementation, without hitting technical limits.

A properly configured SPF (including via Return-Path) ensures that:

  • Your emails arrive reliably
  • Bad actors can't abuse your domain
  • Mail servers recognize your emails as legitimate

Always test your SPF after setup with our SPF Checker. This way you know for sure that everything works correctly. Because ultimately, it's all about one thing: that your emails arrive safely where they need to be.
