Back to Course
Լight modeDark mode

How does SPF work?

Creating an SPF Record

You create an SPF record syntax in your DNS server that specifies which IP addresses are permitted to send emails from your domain. This means that if someone were trying to send spoofed emails from your domain, their messages would fail because the IP address of their mail server would not be listed as one of the approved servers.

For example, if you want only Gmail accounts to be able to send mail from your domain name, but not Outlook accounts, then you would add the following line to your SPF record:

v=spf1 a mx ~all

This tells servers that any messages sent from any host whose IP address ends with should be considered valid, whereas all other messages should be discarded. 


DNS Lookup

When an email sender attempts to send a message, the recipient server performs a DNS lookup on the sending domain to see if there is an SPF record—this is called “authentication.”There is a limit of 10 lookups allowed per query, exceeding which leads to SPF permerror. 

If there is no SPF record, then authentication fails and the message is not delivered. If there is an SPF record, then the SPF server checks for IP addresses in the TXT record at the hostname specified in the SPF record.

If there are no IP addresses specified, then it will fail authentication. Otherwise, it will perform an A query for each IP address specified in the order of appearance in the TXT record.

The IP address that returns a result code of NXDOMAIN or NOERROR will be considered authorized by the SPF server and its hostname will be added to a list of authorized sending hosts for that domain.


Authentication Outcome

The mail server either delivers the message to the recipient or flags it for rejection based on the rules specified in the SPF record.

Authentication outcomes can take three forms: Pass, Neutral, or Fail.

Pass means that the mail server accepts the message as legitimate and allows it to be delivered. Neutral means that there is either no record at all or an invalid one for that domain in DNS, so there is no way of knowing whether or not this is a legitimate message from that domain. Fail means that something about this message was not authentic enough for it to be delivered.

For example, a mail server with IP address ‘’ sends an email from ‘’. The inbound server will consult the domain name service (DNS) to determine if this IP address is authorized to send emails on behalf of the ‘’ domain. If so, the message will be delivered; otherwise, it will be discarded or marked as spam i.e sorted according to the mechanism specified in the SPF record.


Course content
Email Authentication Fundamentals