What is SPF?
Sender Policy Framework (SPF) is a DNS TXT record that tells receiving mail servers which hosts are allowed to send email for your domain.
Why SPF matters
SPF helps mailbox providers reject or flag messages that claim to be from your domain but were sent by an unauthorised server. It is one of the baseline controls used with DKIM and DMARC to reduce phishing, spoofing, and deliverability problems.
A healthy SPF record is especially important when you use third-party senders such as marketing platforms, helpdesk tools, invoicing systems, or cloud email providers.
What to check
Look for exactly one TXT record that starts with v=spf1, includes every legitimate sending service, stays within the 10-DNS-lookup SPF limit, and ends with an all mechanism such as ~all or -all.
Avoid +all because it authorises every sender. Avoid the ptr mechanism because it is slow and deprecated. If your record has many include mechanisms, flatten or remove senders you no longer use.
How NerdTools helps
The SPF checker finds SPF TXT records, counts DNS-lookup mechanisms, highlights unsafe all policies, and explains common record problems before you publish changes.
FAQ
Can a domain have more than one SPF record?
No. Multiple SPF TXT records create a permanent error for many receivers. Combine authorised senders into one record.
Should I use ~all or -all?
~all is a softer policy that is useful while testing. Use -all when you are confident all legitimate senders are listed.
Does SPF protect forwarded email?
Forwarding can break SPF because the forwarding server may not be authorised. DMARC alignment and DKIM help cover this gap.