---
title: "What is SPF?"
description: "SPF protects your domain against email abuse. Learn how to set up SPF, what the limits are, and how Lettermint cleverly handles SPF via Return-Path."
url: "https://lettermint.co/knowledge-base/definitions/what-is-spf"
published: "2025-09-11"
last_updated: "2025-10-21"
---

# What is SPF?

> SPF protects your domain against email abuse. Learn how to set up SPF, what the limits are, and how Lettermint cleverly handles SPF via Return-Path.

In addition to the DMARC record we explain in our '[What is DMARC?](https://lettermint.co/knowledge-base/definitions/what-is-dmarc)'
article, an SPF record is also well-known in the world of email. You
can think of the SPF record as complementing DMARC. It shows which servers
are allowed to send emails from your domain. At Lettermint, we use SPF in a
slightly different way to send [transactional emails](https://lettermint.co/features/transactional-emails).
In this article, we'll explain what SPF is and how we use it at Lettermint.

## What is SPF

SPF stands for **Sender Policy Framework**. It's an
email verification method developed in 2006 to prevent email spoofing.
With an SPF record, you determine which mail servers are allowed to send
emails on behalf of your domain.

Think of it as a list of approved senders. When someone sends an email
from your domain, the receiving mail server checks this list.
Is the sending server on the list? Then the email is allowed. If
not, the mail server can reject the email or mark it as spam.

SPF works together with DMARC to protect your domain. While DMARC sets
the policy, SPF provides the technical verification of sending servers.
This combination makes it difficult for bad actors to impersonate
your company.

### How SPF works

SPF works through the DNS system. When a mail server receives an email,
it performs the following steps:

1. The server looks at the sender's domain (the part after @ in the
email address)
2. It then queries the SPF record from that domain's DNS
3. The server checks if the sending server's IP address is in the
SPF record
4. Based on this check, the email is accepted, rejected, or marked
as spam

This process happens automatically within seconds. That's why it's
so important to set up your SPF correctly. One mistake and your important
emails might not arrive - you definitely don't want that.

## How to set up SPF

An SPF record is a TXT record in your DNS. **It always starts with v=spf1**
and ends with an action that indicates what should happen to servers that
aren't on the list.

A simple SPF record looks like this:

```dns-zone
v=spf1 include:_spf.google.com -all
```

This record indicates that only Google is allowed to send emails on behalf of your
domain. The `-all` at the end means that other servers are
rejected (hard fail).

### SPF mechanisms and modifiers

SPF uses two types of instructions: **mechanisms** and **modifiers**.

**Mechanisms** are the rules that determine which servers may send
emails. They are executed from left to right and stop as soon as
a match is found. These are the main mechanisms:

| Mechanism | Description                        | Example                    |
| --------- | ---------------------------------- | -------------------------- |
| include   | Add SPF record from another domain | include:_spf.lettermint.co |
| ip4       | Allow specific IPv4 address        | ip4:192.168.1.1            |
| ip6       | Allow specific IPv6 address        | ip6:2001:db8::1            |
| a         | Allow domain's A record            | a:mail.example.com         |
| mx        | Allow domain's MX servers          | mx:example.com             |
| all       | Match all addresses                | ~all , -all , +all         |

**Modifiers** are optional instructions that provide extra information but
don't directly determine if a server may send. The most important modifier
is `all`, which appears at the end of your SPF record:

- `-all` (hard fail): Reject emails from unauthorized servers
- `~all` (soft fail): Mark as suspicious but still deliver
- `+all` (pass): Accept all emails (not recommended)
- `?all` (neutral): No judgment

Other modifiers are `redirect` (refer to another domain's SPF record)
and `exp` (provide explanation for a fail), but these are rarely used.

### SPF limits

SPF has several technical limitations you need to consider:

- **Maximum 1 SPF record per domain**<br />


You can only have one SPF record in your DNS. Multiple SPF records make
your configuration invalid. All services must therefore be included in this one record.
- **Maximum 10 DNS lookups per SPF check**<br />


A DNS lookup is a query to the DNS system to retrieve information.
Each time you use `include`, `a`, `mx`, `exists`, or `redirect`,
it counts as a lookup. The receiving mail server may perform a maximum of 10
of these queries to check your SPF record.
- **SPF record may contain maximum 255 characters per line**<br />


For longer records, you need to split them into multiple lines.
- **With multiple lines: maximum 512 characters total**<br />


This is the absolute limit for your SPF record's total length.
- **Maximum 2 void lookups allowed**<br />


A void lookup is a DNS query that returns no result. Too many
failed lookups make your SPF record invalid.

These limits are important when you use multiple services. Each
`include` counts as a DNS lookup. With too many lookups, the SPF check fails.

> **Note:** Note: Count your includes carefully! If you exceed the 10 DNS lookups, your
> SPF record may become invalid and emails might not arrive.

### Setting up SPF

Place your SPF record as a TXT record in your domain's DNS. For the domain
`example.com`, place the record directly on `example.com`, not on a
subdomain like with DMARC.

Using multiple email services? Add them all to one SPF record.
You can only have one SPF record per domain.

Example with multiple services:

```dns-zone
v=spf1 include:_spf.google.com include:zoho.eu -all
```

![Cloudflare DNS settings](https://lettermint.co/content/knowledgebase/lettermint-spf-settings-cloudflare.webp)

## SPF at Lettermint

At Lettermint, we do things differently. We use a clever solution
to bypass the known SPF limits: the Return-Path method.
Instead of having you add `include:_spf.lettermint.co` to your
SPF record, we apply a different technique.

### How does Return-Path work?

When Lettermint sends an email on behalf of your domain, we use a
special Return-Path. This is the address where error messages (bounces) are
sent. By using a Return-Path that ends with
`lettermint.co`, the receiving mail server checks Lettermint's SPF record
instead of your domain's.

This means that:

- You don't need to add an `include` for Lettermint to your SPF record
- You stay under the 10 DNS lookups limit
- Your existing SPF configuration remains intact
- Emails are still properly authenticated

> **Note:** Return-Path is an official SPF technique used by major email providers.
> Your emails remain fully authenticated and secure.

### Why this approach?

Many of our customers use multiple email services. By using the Return-Path
method, we prevent you from hitting SPF limits. You can use
Lettermint alongside Google Workspace, Microsoft 365, or other
services without worrying about the maximum number of DNS lookups.

Considering keeping different types of emails separated? Read our article
about [email subdomains](https://lettermint.co/knowledge-base/deliverability/what-is-an-email-subdomain-and-when-should-you-use-one)
to discover when it makes sense to use subdomains for better control over
your sender reputation.

When you add a domain to Lettermint, we ask you to add three
DNS records: DMARC, [DKIM](https://lettermint.co/knowledge-base/definitions/what-is-dkim), and a bounce record. These work together
with our Return-Path configuration to ensure proper
email authentication, without having to modify your SPF record.

## SPF Check

Check below if your domain has a valid SPF. Note: Lettermint
uses Return-Path for authentication, so it won't appear in this check.

<spf-checker>



</spf-checker>

## Conclusion

SPF is an essential part of email security. It works together with
[DMARC](https://lettermint.co/knowledge-base/definitions/what-is-dmarc) to protect your domain from
abuse. At Lettermint, we ensure
your configuration continues to work optimally through our Return-Path
implementation, without hitting technical limits.

A properly configured SPF (including via Return-Path) ensures that:

- Your emails arrive reliably
- Bad actors can't abuse your domain
- Mail servers recognize your emails as legitimate

Always test your SPF after setup with our SPF Checker. This way you know for sure
that everything works correctly. Because ultimately, it's all about one thing:
that your emails arrive safely where they need to be.