Set up DMARC and see who's sending email using your brand's domain.

SPF (Sender Policy Framework), explained

SPF (Sender Policy Framework) is an email authentication standard that helps detect forged sender addresses, protecting both senders and recipients from spam, spoofing, and phishing attempts.

Spammers and hackers might try to impersonate your domain and send email that looks like it’s coming from you, which could have a negative impact on your email security and overall domain reputation: when people receive fraudulent messages, they get annoyed, put them in the spam folder, et voilà—through no fault of your own, you’re now on a list of bad senders.

A tweet from an email deliverability expert that alerts about the importance of setting up DKIM and SPF to prevent spam.
This was true in 2017, it’s still very much true today

With SPF, you get to publish a list of mail servers and IP addresses you previously authorized to send messages using your domain. Whenever you send an email, the recipient’s mailserver can use the SPF information to double-check that the email originated from an authorized server. It’s a simple solution to send a trust signal to email providers, which in turn might help improve email deliverability.

Random fact: back in the ~2000, the acronym SPF stood for Sender Permitted From; it was changed to Sender Policy Framework in 2004. The same acronym can also stand for Sun Protection Factor, but that’s a whole other story ☀️

SPF and the Return-Path address #

Say you own the domain and want to send emails to your customers. Every message you send will technically have two addresses:

  • Your “header from,” which is the address your recipients will see in the “From” field of an email they receive from you. For example, that could be

  • Your “envelope from,” also known as your Return-Path, which is the address that bounces and other email feedback are sent to. If you were using Postmark (hi 👋) to send your email, you could customize this envelope-from domain to match your From domain (note: our recipients don't generally see the “envelope from,” unless they go and look inside the original message header). 

The distinction between the two crucial because SPF is a way to detect forged envelope domains. Mailservers use the envelope/Return-Path domain to process bounces and other feedback, so the domain itself develops a strong reputation—which is why spoofers want to use it to give their mail legitimacy. SPF makes sure only authorized IPs can send from that domain. 

What is an SPF record? #

An SPF record is a TXT record you add to your Domain Name System (DNS) that lists the IP addresses and third-party email senders you authorized to send email on your behalf.

Depending on your hosting provider, adding the SPF record might be as simple as navigating to your DNS settings and adding a string of text:

Setting up a TXT SPF record in Cloudflare DNS

How to create an SPF record #

Back to our initial example: you own and are using Postmark to send transactional emails and marketing automation software like ActiveCampaign to send your promotional messages. 

To publish your SPF record, you’d go to your hosting provider’s page and update the DNS setting over there with a string that could look somewhat like this example: 

v=spf1 ip4: ~all

The string follows this SPF syntax:

  • v=spf1 indicates that this is an SPF record
  • ipX: lists the IP address, addresses, or range that can send email on your behalf
  • include: lists the third-party email senders (by domain) that are authorized to send email on your behalf (in this case, Postmark with and ActiveCampaign with
  • ~all specifies that all incoming messages must match this rule

To test if it your implementation worked out, you’d take a look at your message headers (for example, in Gmail you’d click on ‘show original’) and see if your SPF check is a pass or fail:

An email header showing SPF authentication pass
SPF success!

How does SPF authentication work? #

The simplified version: you, the domain owner, list the IPs and sources authorized to send your mail in your SPF record. When a message is sent using your domain in the Return-Path address, the receiver can look up the authorized sending sources for that domain to ensure the sending IP is listed there.

The complete version:

A flowchart visualizing the checks required for an SPF pass

There are quite a few steps to the process, but they are definitely too much for this page 😉 If you are curious and ready to go down an SPF rabbit hole, we wrote a whole guide to explain how SPF records work.

A frequently asked question (because authentication acronyms can be a lot)

What’s the difference between SPF, DKIM, and DMARC? #

SPF, DKIM, and DMARC are three email authentication systems that protect recipients from spammers, scammers, and spoofers pretending to be someone they are not and sending fraudulent mail.

This post was originally published Oct 19, 2022

Still have questions?

  • Abdullah Al-hennawy Abdullah
  • Anita Pericic Anita

Ask us anything! We’re eager to help you with any problem or question you have…

Contact us