SPF (Sender Policy Framework)

SPF (Sender Policy Framework) is a DNS record that lists every server authorized to send email for your domain, preventing spoofing and ensuring deliverability.


Sender Policy Framework (SPF) is an email authentication method that prevents spammers from sending messages on behalf of your domain. It is a simple TXT record in your DNS that specifies exactly which IP addresses and services (like Google Workspace or HubSpot) are allowed to send email for you.

TL;DR

  • What it is: A “whitelist” of allowed email senders for your domain.
  • Why it matters: Without it, your emails look like spam and your domain can be spoofed.
  • The 10-lookup limit: You can only include up to 10 external lookups before SPF breaks.
  • Alignment: For DMARC, the domain SPF authenticates (your “Return-Path”) must match the domain in your “From” header.
  • Status: Use ~all (softfail) during setup and -all (fail) for maximum security.

What SPF is (simple explanation)

Think of SPF as an authorized guest list for a club. When an email arrives, the receiving server (like Gmail) looks at the domain in the Return-Path (the technical “bounce” address, not the visible “From” header) and asks your DNS: “Who is allowed to send email for you?”

Your DNS provides the SPF record. If the server that sent the email is on that list, the email is “authorized.” If it’s not on the list, the email is treated with suspicion—often being sent to the spam folder or blocked entirely.

What SPF actually does (and what it does NOT do)

SPF does:

  • Authenticate the Return-Path (the technical “bounce” address).
  • Provide a list of authorized IP addresses/domains.
  • Help prevent basic email spoofing.

SPF does NOT:

  • Authenticate the “From” header (the name the recipient sees). That is the job of DMARC alignment.
  • Survive email forwarding. If a recipient forwards your email, SPF often fails because the forwarder’s IP isn’t in your record.
  • Protect against “display name” spoofing (e.g., an attacker using your name with a different email address).

How SPF affects cold email deliverability

For outbound operators, SPF is the first hurdle. Modern spam filters are extremely aggressive. If your SPF record is missing, invalid, or shows a “fail” result, your deliverability will tank immediately.

When sending at scale, your infrastructure needs to be perfectly aligned. If you use multiple tools (Salesforce, Apollo, Instantly) without updating your SPF, you are effectively telling inbox providers that your legitimate tools are actually spammers.

Common SPF mistakes that tank deliverability

  1. Multiple SPF records: You should only have one SPF record per domain. Multiple records cause a permanent error (permerror).
  2. The 10-lookup limit: Every include: statement that requires a DNS lookup counts. If you exceed 10, the record fails. Use a tool to “flatten” your record if you have too many services.
  3. Typos: Small errors like v=spf1 include: google.com -all (an extra space after include:) can invalidate the whole record.
  4. SPF Alignment failure: If you use a custom tracking domain or a third-party sender and don’t set up a custom Return-Path (CNAME), SPF will authenticate the provider’s domain, not yours, leading to a DMARC alignment fail.
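A small linter for mistakes 1 to 3, as an added example (not code from the original page). The zone contents, the domain names and the function names are constructed for illustration; a real check would fetch TXT records from DNS instead of the ZONE dictionary.

```python
import re

# Constructed sample zone (TXT records per name); not real DNS data.
ZONE = {
    "good.example": ["v=spf1 include:_spf.vendor-a.example ip4:192.0.2.10 -all"],
    "_spf.vendor-a.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "two.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
    "typo.example": ["v=spf1 include: _spf.vendor-a.example -all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
    **{f"s{i}.example": [f"v=spf1 ip4:203.0.113.{i} -all"] for i in range(11)},
}
TERM = re.compile(r"^[+\-~?]?(?P<name>all|include|a|mx|ptr|ip4|ip6|exists|redirect|exp)"
                  r"(?:[:=/](?P<arg>.*))?$", re.I)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
NEEDS_ARG = {"include", "ip4", "ip6", "exists", "redirect", "exp"}

def spf_records(domain, zone):
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, seen=None):
    """Count lookup-costing terms, following include/redirect targets."""
    seen = set() if seen is None else seen
    recs = spf_records(domain, zone)
    if domain in seen or len(recs) != 1:  # loop guard, or nothing to follow
        return 0
    seen.add(domain)
    total = 0
    for m in filter(None, map(TERM.match, recs[0].split()[1:])):
        name, arg = m.group("name").lower(), m.group("arg")
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and arg:
                total += count_lookups(arg, zone, seen)
    return total

def lint_spf(domain, zone):
    """Return a list of problems found in the SPF setup for `domain`."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return ["multiple SPF records (permerror)" if recs else "no SPF record"]
    terms, issues = recs[0].split()[1:], []
    for term in terms:
        m = TERM.match(term)
        if not m or (m.group("name").lower() in NEEDS_ARG and not m.group("arg")):
            issues.append(f"syntax error near {term!r} (permerror)")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups, limit is 10 (permerror)")
    return issues
```

Calling lint_spf("typo.example", ZONE) reports both halves of the split include: term, which is how the stray space shows up to a parser.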

How to check your SPF record

  1. MXToolbox / Google Toolbox: Use a public SPF checker to see your current record.
  2. Dig command: Run dig txt yourdomain.com in your terminal. Look for the line starting with v=spf1.
  3. Sent email Headers: Send a test email to yourself and inspect the “Original Message” or “Headers.” Look for Authentication-Results: spf=pass.
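The header inspection in step 3, extended to the alignment failure from mistake 4, as an added example (not code from the original page). The message headers, domains and function names are constructed; the comparison is an exact domain match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; {mf} is the envelope sender (Return-Path).
TEMPLATE = (
    "Return-Path: <{mf}>\n"
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass smtp.mailfrom={mf};\n"
    " dkim=pass header.d=brand.example\n"
    "From: Sales Team <sales@brand.example>\n"
    "Subject: constructed sample\n\nbody\n"
)
VENDOR_BOUNCE = TEMPLATE.format(mf="bounce-123@mail.vendor-a.example")
CUSTOM_BOUNCE = TEMPLATE.format(mf="bounce-123@brand.example")

def spf_alignment(raw_message):
    """Report the SPF result and whether the SPF domain matches the From domain."""
    msg = message_from_string(raw_message)
    # Only trust the Authentication-Results header added by your own receiving server.
    auth = msg.get("Authentication-Results", "")
    result = re.search(r"\bspf=(\w+)", auth)
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    envelope = mailfrom.group(1) if mailfrom else parseaddr(msg.get("Return-Path", ""))[1]
    spf_domain = envelope.rpartition("@")[2].lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf = result.group(1).lower() if result else "none"
    return {
        "spf": spf,
        "spf_domain": spf_domain,
        "from_domain": from_domain,
        # Exact match only; DMARC's relaxed mode also accepts a shared
        # organizational domain, which needs the Public Suffix List to decide.
        "aligned": spf == "pass" and spf_domain == from_domain,
    }
```

For VENDOR_BOUNCE the result is spf=pass with aligned False: SPF authenticated the provider's bounce domain, not the domain the recipient sees.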

SPF result meanings

Result          | Meaning      | Description
Pass            | Authorized   | The IP address is in the SPF record. Success.
Fail (-all)     | Unauthorized | The IP is NOT in the record and you’ve told servers to reject it.
Softfail (~all) | Suspicious   | The IP is NOT in the record but you’ve asked servers to be lenient (usually spam folder).
Neutral (?all)  | No Opinion   | You have a record but haven’t specified a policy for others.
Permerror       | Syntax Error | Your record is broken (e.g., >10 lookups or multiple records).
Temperror       | System Error | Temporary DNS issue during the check.

SPF record examples

Simple Google Workspace record: v=spf1 include:_spf.google.com -all

Google Workspace + HubSpot + Outlook: v=spf1 include:_spf.google.com include:fbl.hubspot.com include:spf.protection.outlook.com -all

Record for a domain that NEVER sends email: v=spf1 -all

SPF vs DKIM vs DMARC

Feature   | SPF          | DKIM              | DMARC
Method    | IP Whitelist | Digital Signature | Policy & Reporting
Protects  | Return-Path  | Content Integrity | “From” Domain
Required? | Yes          | Yes               | Yes (Modern Best Practice)

FAQ

Can I have two SPF records? No. This is a common error. Merge them into a single record starting with v=spf1 and ending with one mechanism like -all.

What is SPF alignment? Alignment happens when the domain in the “From” header matches the domain authenticated by SPF (the “Return-Path”).

How do I fix “Too many DNS lookups”? Remove old services you no longer use, use IP addresses instead of domains where possible, or use an SPF flattening service.

Does SPF protect against phishing? Only partially. It prevents unauthorized IPs from sending for your domain, but it doesn’t stop attackers from using look-alike domains.

What is a “Hard Fail” vs “Soft Fail”? Hard fail (-all) tells servers to reject the email. Soft fail (~all) suggests they accept it but mark it as suspicious.

Final takeaway

SPF is the foundation of your technical deliverability.

  1. Verify you have exactly one SPF record.
  2. Ensure it includes all your sending services.
  3. Stay under the 10-lookup limit.
  4. Switch from ~all to -all once you’re confident your list is complete.

If you’re running outbound, SPF isn’t a “nice to have.” It’s a prerequisite for inbox placement.


Quick checklist (outbound teams)

If your cold email performance is inconsistent, check:

  • Does your sending domain have SPF + DKIM + DMARC?
  • Are you using multiple tools that send mail (Apollo / HubSpot / Instantly / Smartlead)?
  • Did you add those tools to SPF (or set up proper Return-Path alignment)?
  • Are you exceeding 10 DNS lookups?
