SPF Alignment
SPF (Sender Policy Framework) is a foundational email authentication protocol. Understanding how SPF records work and how alignment affects DMARC is essential for protecting your domain and improving email deliverability.
What is SPF?
SPF is a DNS-based email authentication method that specifies which mail servers are authorized to send email for your domain. When you publish an SPF record, receiving servers can check whether incoming email claiming to be from your domain actually comes from an authorized source.
An SPF record lists IP addresses and domains that are permitted to send email on your behalf. Mail sent from servers not in the list fails SPF authentication.
SPF Record Syntax
SPF records are TXT records published in your DNS. A basic SPF record looks like:
v=spf1 include:_spf.google.com include:sendgrid.net -all
This record authorizes Google Workspace and SendGrid to send email for the domain. The -all at the end means servers not listed should fail SPF.
Understanding SPF Alignment
SPF alignment is a DMARC requirement that the domain in the Return-Path (envelope sender) must match the domain in the visible From header. There are two alignment modes:
- Strict alignment: Exact domain match required (example.com = example.com)
- Relaxed alignment: Organizational domain match allowed (mail.example.com = example.com)
Most DMARC implementations use relaxed alignment by default. However, many third-party sending services use their own Return-Path domains, which causes SPF alignment to fail even when SPF itself passes.
This is why DKIM alignment often becomes critical — if SPF alignment fails but DKIM alignment passes, DMARC can still pass overall.
Common SPF Mistakes
- Too many DNS lookups: SPF has a 10 DNS lookup limit. Exceeding this causes SPF to fail completely.
- Missing sending sources: Forgetting to include CRMs, marketing tools, or transactional email services.
- Wrong mechanism order: SPF is evaluated left to right. Placing -all too early blocks legitimate sources.
- Using +all: This allows anyone to send as your domain. Never use +all.
- Multiple SPF records: Only one SPF record per domain is allowed. Multiple records cause failures.
How to Fix SPF Issues
- Audit your sending sources: List every service that sends email as your domain.
- Use include statements: Add includes for each authorized service's SPF record.
- Flatten if needed: If you exceed 10 lookups, consider SPF flattening (with caution).
- Use ~all during testing: Soft fail (~all) while testing, then switch to hard fail (-all).
- Monitor with DMARC: DMARC reports show SPF failures so you can identify missing sources.
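The checks below put the alignment rules and the common mistakes above into code. This is an added example, not code from the original page or from CCMS: it lints constructed SPF TXT strings offline (no DNS is queried, and nested include: targets are not followed, so the lookup count is a lower bound), and the organizational-domain helper assumes "last two labels" rather than consulting the Public Suffix List.

```python
"""Offline SPF record lint and DMARC SPF-alignment check (constructed inputs only)."""
import re

# Terms that each consume one of the 10 permitted DNS lookups (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def lint_spf(records):
    """Return a list of problems for the TXT records published at one domain.
    `records` is the list of TXT strings you would get back for the domain."""
    problems = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        problems.append("multiple SPF records published; receivers treat this as permerror")
    terms = spf[0].split()[1:]
    lookups = 0
    for i, term in enumerate(terms):
        qualifier = term[0] if term[0] in "+-~?" else "+"        # implicit '+' when omitted
        body = term[1:] if term[0] in "+-~?" else term
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()  # mechanism/modifier name
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            if qualifier == "+":
                problems.append("'+all' authorizes every host on the internet to send as this domain")
            if i != len(terms) - 1:   # left-to-right evaluation stops at 'all'
                problems.append(f"'{term}' is not the last term; {len(terms) - 1 - i} later term(s) are never evaluated")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS} (permerror)")
    if not any(t.lower().lstrip("+-~?") == "all" for t in terms) and "redirect=" not in spf[0].lower():
        problems.append("record does not end with an 'all' mechanism")
    return problems


def org_domain(fqdn):
    """Organizational domain. Simplifying assumption: the last two labels; a real
    DMARC implementation must use the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def spf_aligned(return_path_domain, from_domain, mode="r"):
    """DMARC SPF identifier alignment: 's' = strict (exact match), 'r' = relaxed
    (same organizational domain). Only meaningful when SPF itself passed."""
    rp, fr = return_path_domain.lower(), from_domain.lower()
    return rp == fr if mode == "s" else org_domain(rp) == org_domain(fr)


if __name__ == "__main__":
    print(lint_spf(["v=spf1 -all include:sendgrid.net"]))       # -all placed too early
    print(spf_aligned("bounces.sendgrid.net", "example.com"))   # third-party Return-Path: False
```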
SPF Mechanisms Reference
- ip4: — Authorize a specific IPv4 address or range
- ip6: — Authorize a specific IPv6 address or range
- include: — Include another domain's SPF record (counts as lookup)
- a: — Authorize the domain's A record IPs (counts as lookup)
- mx: — Authorize the domain's MX record IPs (counts as lookup)
- all — Match everything not matched by other mechanisms
Qualifiers
- + — Pass (default, rarely written explicitly)
- - — Hard fail (recommended for production)
- ~ — Soft fail (useful during testing)
- ? — Neutral (not recommended)
Always end your SPF record with -all or ~all to specify how to handle unauthorized senders.
Need help fixing SPF alignment issues?
CCMS provides expert support for email authentication configuration, including SPF record optimization and DMARC compliance.