SPF (Sender Policy Framework) is a DNS-based email authentication standard that specifies which mail servers are authorised to send email on behalf of your domain. It is the first and most fundamental layer of email authentication — without it, anyone on the internet could send email claiming to be from your domain, and receiving mail servers would have no way to verify the claim.
How SPF Works
- You publish a TXT record in your domain's DNS that lists the mail servers (or services) authorised to send email from your domain.
- When someone receives an email claiming to be from
hello@yourcompany.com, their mail server looks up the SPF record foryourcompany.com. - The mail server checks whether the IP address that actually sent the email is listed in the SPF record.
- If the IP is listed — SPF PASS. If not — SPF FAIL or SOFTFAIL.
- The mail server uses the SPF result (along with DKIM, DMARC, and other signals) to decide whether to accept, filter, or reject the message.
SPF Record Structure
An SPF record is a TXT record published at your domain. Here is how each component works:
v=spf1 include:migosmtp.com include:_spf.google.com ip4:203.0.113.0/24 ~all │ │ │ │ │ │ │ │ │ └─ ~all = softfail for all others │ │ │ └─ Authorise specific IP range │ │ └─ Authorise Google Workspace as a sender │ └─ Authorise MigoSMTP as a sender (includes MigoSMTP's IP ranges) └─ SPF version 1 — always required
SPF Record Components Explained
| Component | Syntax | Meaning |
|---|---|---|
| Version tag | v=spf1 | Required first element — identifies this as an SPF record |
| include | include:migosmtp.com | Authorises all IPs listed in MigoSMTP's own SPF record — the recommended way to add a service provider |
| ip4 | ip4:203.0.113.42 | Directly authorises a specific IPv4 address or range (CIDR notation: ip4:203.0.113.0/24) |
| ip6 | ip6:2001:db8::/32 | Directly authorises an IPv6 address or range |
| a | a:mail.yourcompany.com | Authorises the IP address that the specified hostname resolves to |
| mx | mx | Authorises your domain's MX record IPs (the servers that receive your email) to also send |
| All qualifier — -all | -all | Hard fail — any IP not listed in this record is not authorised; receiving servers should reject the email |
| All qualifier — ~all | ~all | Soft fail — any unlisted IP is probably not authorised; receiving servers should accept but mark as suspicious |
| All qualifier — ?all | ?all | Neutral — no policy stated; rarely used |
SPF for MigoSMTP — The Exact Record
The SPF record required for sending through MigoSMTP on the subdomain mail.yourcompany.com:
| DNS Field | Value |
|---|---|
| Type | TXT |
| Host / Name | mail.yourcompany.com |
| Value | v=spf1 include:migosmtp.com ~all |
If you also send from this domain via other services (e.g. Google Workspace for team email, Mailchimp for newsletters), add their includes as well:
v=spf1 include:migosmtp.com include:_spf.google.com include:servers.mcsv.net ~all
The SPF 10-Lookup Limit
SPF has a hard limit of 10 DNS lookups per evaluation. Each include:, a:, and mx: mechanism causes one or more additional DNS lookups. Exceeding 10 lookups causes SPF to return a PermError — which many ISPs treat as an SPF failure.
Count your includes carefully. If you are near the limit:
- Use
ip4:instead ofinclude:where you know the specific IP ranges. - Use an SPF flattening service (dmarcian, Postmark's SPF record flattener) to pre-resolve includes into explicit IP ranges.
- Remove
include:entries for services you no longer use.
Common SPF Failure Reasons
| Result | Reason | Fix |
|---|---|---|
| Fail | Sending IP not included in SPF record | Add include:migosmtp.com to your SPF record |
| PermError | SPF record has more than 10 DNS lookups | Reduce includes; use IP addresses directly; use SPF flattening |
| None | No SPF record exists for the domain | Publish an SPF TXT record at your sending domain |
| Multiple records | More than one SPF TXT record exists for the same domain | Merge all SPF includes into a single TXT record — you can only have one SPF record per hostname |