Understanding SPF Record Syntax

SPF allows you to declare which servers are authorized to send mail on behalf of your domain. While the idea sounds simple, the syntax of SPF records can sometimes confuse domain administrators. In this episode, we’ll break down the key components of an SPF record, explain how evaluation works, and highlight best practices so you can avoid common pitfalls.

The Role of Qualifiers

Each mechanism in an SPF record can be prefixed with a qualifier, which tells receiving servers what to do if the mechanism matches.

• + Pass: The sender is authorized. (Default if no qualifier is specified.)
• - Fail: Explicitly reject the sender.
• ~ SoftFail: Mark the mail as suspicious, but often still accept it.
• ? Neutral: No opinion — neither pass nor fail.

For example:

v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.com -all

This record authorizes senders from the IP range 203.0.113.0/24 and from any sender that passes _spf.mailhost.com’s SPF policy. All others are rejected.

Mechanisms: The Building Blocks of SPF

Mechanisms are the “rules” inside your SPF record. They are evaluated from top to bottom, and the process stops as soon as a match is found.

• ip4 / ip6: Authorize specific IP addresses or ranges.
• a: Authorize if the sending server matches the A or AAAA record of the domain. Supports CIDR ranges, e.g., a/24.
• mx: Authorize the servers listed in your domain’s MX records. CIDR ranges also supported.
• include: Reference another domain’s SPF record. The mechanism matches only if that domain’s SPF returns a Pass.
• exists: Match if a macro-expanded domain resolves to an A/AAAA record. Useful for advanced configurations.
• all: Matches everything. Usually placed at the end with a qualifier (-all or ~all).
• ptr: Checks the reverse DNS of the sending IP. This mechanism is deprecated and should be avoided.

Redirect vs. Include: A Common Source of Confusion

Two mechanisms often misunderstood are redirect and include.

• include is additive: it says, “also trust the servers that another domain authorizes.” It only counts as a match if that included domain’s SPF results in Pass.
• redirect is a fallback: if none of the mechanisms in your SPF record match, the evaluation continues using another domain’s SPF record as if it were your own. Only one redirect is allowed, and it’s normally placed at the end of the record.

Think of it this way: include extends your list of valid senders, while redirect hands over policy control entirely to another domain.

Modifiers: Adding Extra Instructions

SPF also supports modifiers, which don’t directly authorize senders but provide additional behavior:

• redirect=<domain>: Passes control to another domain’s SPF record if no prior match is found.
• exp=<domain>: Points to a TXT record that can display a human-readable explanation when mail fails SPF. In practice, very few mail servers show this text.

How SPF Evaluation Works

SPF processing always happens top-down. As soon as a mechanism matches, the corresponding qualifier decides the result. If nothing matches and no redirect is present, the outcome is Neutral.

Because of this, order matters. Most domain owners end their record with -all (hard fail) or ~all (soft fail) to clearly specify what should happen to unauthorized senders.

Best Practices and Common Pitfalls

While writing an SPF record may seem easy, there are some limits and gotchas to be aware of:

• DNS lookup limit: SPF allows a maximum of 10 DNS-based lookups. Exceeding this will cause a PermError.
• Record size: Each TXT string can be up to 255 characters, but you can split long records into multiple strings.
• Void lookups: Too many lookups that return nothing may also trigger errors.
• HELO/EHLO checks: If the MAIL FROM is empty, receivers may apply SPF against the HELO domain instead.
• Deprecation notice: Don’t use ptr. It’s slow, unreliable, and no longer recommended.

To avoid complexity and errors, many organizations use SPF record flattening or optimization tools, which automatically flatten records and ensure they stay within the 10-lookup limit.

Summing Up

SPF is one of the foundational protocols in email authentication. When configured properly, it helps protect your brand against spoofing and improves deliverability for your legitimate mail. The key is understanding how qualifiers, mechanisms, and modifiers work together — and keeping your record efficient and within technical limits.

By following best practices and monitoring your setup regularly, you can make SPF a strong line of defense in your email security strategy.