The Skysnag Blog

SPF Record Syntax

October 1, 2022  |  3 min read

An SPF record is made up of several parts. The first part should always be the version number, and after that, you can define valid senders with one or more mechanisms. SPF Record syntax is defined in detail in RFC 7208.

The following is a summary of the syntax:

The SPF record is a text record placed in the TXT DNS Record for a domain. An SPF record is made up of several parts. The first part should always be the version number, and after that, you can define valid senders with one or more mechanisms. The mechanisms and modifiers are separated by space. Each mechanism starts with a single letter, and each modifier starts with a single letter followed by an equals (=) sign.

Mechanisms

Mechanisms either allow or deny the use of an IP address for sending mail from a particular domain. The following are the available mechanisms:

MechanismsDescriptionExample
AThe A qualifier matches an IP address and is used to allow/deny mail from a specific IP address.v=spf1 a -all
IP4The IP4 qualifier matches an IPv4 address and is used to allow/deny mail from a specific IPv4 address.v=spf1 ip4:192.168.0.1 -all
IP6The IP6 qualifier matches an IPv6 address and is used to allow/deny mail from a specific IPv6 address.v=spf1 ip6:fe80:: -all
PTR (Not Recommended)The PTR qualifier matches a hostname, which is looked up via a reverse DNS lookup. The PTR qualifier is used to allow/deny mail from a specific hostname.v=spf1 ptr:example.com -all
MXThe MX qualifier matches a hostname, which is looked up via a DNS MX Record lookup. The MX qualifier is used to allow/deny mail from a domain’s mail server.Example:
v=spf1 mx -all
IncludeThe include modifier is used to include another SPF Record syntax in the SPF Record. The included SPF Record is looked up via DNS and evaluated as if it were part of the SPF Record.v=spf1 include:example.com -all
existsThe exists modifier is used to perform a DNS lookup, and matches if a DNS record is returned. The exists modifier is used to allow/deny mail based on the existence of a DNS record.Example:
v=spf1 exists:example.com -all

Modifiers

Modifiers are separated by spaces, and each modifier starts with a single letter followed by an equals sign. Modifiers are used to modify the action taken when a qualifier matches. The following are the available modifiers:

ModifiersDescriptionExample
redirectThe redirect modifier is used to redirect a query to a different SPF Record. The redirect modifier is used when a domain wishes to delegate the SPF Record syntax to another domain. The redirect modifier is only supported by newer versions of SPF. v=spf1 [redirect=example.com](http://redirect%3Dexample.com/)
expThe exp modifier is used to explain an error condition. The exp modifier is used to provide a more detailed error message if a query fails. The exp modifier is only supported by newer versions of SPF.v=spf1 -all exp=badhost

Action

Action is the final element of an SPF Record. Actions are separated by spaces, and each action starts with a single letter. The available actions are:

ActionMeaningExample
+allAllow all IPs to send email (not recommended)v=spf1 +all
-allDeny all mail, this is used if domain doesn’t send mail at allv=spf1 -all
~allAllow domain’s specified MXs to send mail for the domain, denies all othersv=spf1 mx ~all
?allThis action is used to neutralize the result of the SPF Record.v=spf1 mx ?all

More in-depth information about SPF failure results here

Maximum Number of Lookups

In order to prevent DNS lookups from becoming infinite loops, SPF will perform a maximum of 10 DNS lookups. If an SPF Record contains more than 10 DNS lookups, then the SPF Record is considered invalid.

A DNS lookup is done when you query for one of these mechanisms:

  • a
  • mx
  • ptr
  • include
  • exists

Please note that the ‘nested lookups’ will also count. If an ‘included’ domain does an A and MX lookup, these will both count as lookups for your domain as well.

Conclusion

Skysnag’s automated SPF software has been developed to help verify the identity of an email sender and protect your domain from phishing attacks while taking care of your email deliverability. Get started with Skysnag by signing up using this link for a free trial today and maintain a healthy domain.

Enforce DMARC, SPF and DKIM in days - not months

Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.

Check your domain’s DMARC security compliance