Portal active

Search Knowledge Base Articles

Find answers, guides, and documentation

Knowledge Base What Is SPF?

What Is SPF?

SPF (Sender Policy Framework) is a DNS-based email authentication standard that specifies which mail servers are authorised to send email on behalf of your domain. It is the first and most fundamental layer of email authentication — without it, anyone on the internet could send email claiming to be from your domain, and receiving mail servers would have no way to verify the claim.

How SPF Works

  1. You publish a TXT record in your domain's DNS that lists the mail servers (or services) authorised to send email from your domain.
  2. When someone receives an email claiming to be from hello@yourcompany.com, their mail server looks up the SPF record for yourcompany.com.
  3. The mail server checks whether the IP address that actually sent the email is listed in the SPF record.
  4. If the IP is listed — SPF PASS. If not — SPF FAIL or SOFTFAIL.
  5. The mail server uses the SPF result (along with DKIM, DMARC, and other signals) to decide whether to accept, filter, or reject the message.

SPF Record Structure

An SPF record is a TXT record published at your domain. Here is how each component works:

v=spf1 include:migosmtp.com include:_spf.google.com ip4:203.0.113.0/24 ~all
  │       │                    │                    │                   │
  │       │                    │                    │                   └─ ~all = softfail for all others
  │       │                    │                    └─ Authorise specific IP range
  │       │                    └─ Authorise Google Workspace as a sender
  │       └─ Authorise MigoSMTP as a sender (includes MigoSMTP's IP ranges)
  └─ SPF version 1 — always required

SPF Record Components Explained

Component Syntax Meaning
Version tag v=spf1 Required first element — identifies this as an SPF record
include include:migosmtp.com Authorises all IPs listed in MigoSMTP's own SPF record — the recommended way to add a service provider
ip4 ip4:203.0.113.42 Directly authorises a specific IPv4 address or range (CIDR notation: ip4:203.0.113.0/24)
ip6 ip6:2001:db8::/32 Directly authorises an IPv6 address or range
a a:mail.yourcompany.com Authorises the IP address that the specified hostname resolves to
mx mx Authorises your domain's MX record IPs (the servers that receive your email) to also send
All qualifier — -all -all Hard fail — any IP not listed in this record is not authorised; receiving servers should reject the email
All qualifier — ~all ~all Soft fail — any unlisted IP is probably not authorised; receiving servers should accept but mark as suspicious
All qualifier — ?all ?all Neutral — no policy stated; rarely used

SPF for MigoSMTP — The Exact Record

The SPF record required for sending through MigoSMTP on the subdomain mail.yourcompany.com:

DNS Field Value
Type TXT
Host / Name mail.yourcompany.com
Value v=spf1 include:migosmtp.com ~all

If you also send from this domain via other services (e.g. Google Workspace for team email, Mailchimp for newsletters), add their includes as well:

v=spf1 include:migosmtp.com include:_spf.google.com include:servers.mcsv.net ~all

The SPF 10-Lookup Limit

SPF has a hard limit of 10 DNS lookups per evaluation. Each include:, a:, and mx: mechanism causes one or more additional DNS lookups. Exceeding 10 lookups causes SPF to return a PermError — which many ISPs treat as an SPF failure.

Count your includes carefully. If you are near the limit:

  • Use ip4: instead of include: where you know the specific IP ranges.
  • Use an SPF flattening service (dmarcian, Postmark's SPF record flattener) to pre-resolve includes into explicit IP ranges.
  • Remove include: entries for services you no longer use.

Common SPF Failure Reasons

Result Reason Fix
Fail Sending IP not included in SPF record Add include:migosmtp.com to your SPF record
PermError SPF record has more than 10 DNS lookups Reduce includes; use IP addresses directly; use SPF flattening
None No SPF record exists for the domain Publish an SPF TXT record at your sending domain
Multiple records More than one SPF TXT record exists for the same domain Merge all SPF includes into a single TXT record — you can only have one SPF record per hostname

Next Steps

Did you find this article useful?