SPF (Sender Policy Framework) is a DNS record that specifies which mail servers are allowed to send email on behalf of your domain. Receiving mail servers check incoming mail against that record; mail from servers not listed is treated as suspicious or rejected.

SPF in practice

SPF is the first of three standards that together counter email spoofing — the sending of mail in your name by malicious parties. Without a correct SPF record, even your own legitimate mail ends up in spam folders more often, especially now that large receivers such as Google and Microsoft impose authentication requirements on senders.

The classic problem: every new tool that sends mail on behalf of your domain (newsletters, invoicing, your ATS) has to be added to the SPF record, and that gets forgotten. The result: invoices landing in spam. SPF works together with DKIM and DMARC — all three should be set up.
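The following added example, which is not from the original page, audits an SPF record offline against the senders you expect to be authorized, catching the forgotten-tool problem described above. The domains and the helper names `parse_spf` and `audit` are constructed for illustration.

```python
import re

# Terms that trigger a DNS query during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def parse_spf(record):
    """Return a list of (qualifier, name, value) for each term after v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parts = re.split(r"[:=/]", term, maxsplit=1)
        name = parts[0].lower()
        value = parts[1].lower() if len(parts) == 2 else ""
        parsed.append((qualifier, name, value))
    return parsed

def audit(record, expected_includes):
    """Compare one record with the include: domains your senders require."""
    terms = parse_spf(record)
    findings = []
    present = {value for _, name, value in terms if name == "include"}
    for domain in sorted({d.lower() for d in expected_includes} - present):
        findings.append(f"missing sender: include:{domain}")
    # Top-level count only; lookups inside included records also count
    # toward the limit but need live DNS to resolve.
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}")
    names = {name for _, name, _ in terms}
    if ("+", "all", "") in terms:
        findings.append("'+all' authorizes every server")
    elif "all" not in names and "redirect" not in names:
        findings.append("no 'all' or redirect: unlisted servers get 'neutral'")
    return findings

# Constructed sample: the invoicing tool was never added to the record.
RECORD = "v=spf1 mx include:_spf.mailprovider.example include:newsletter.example ~all"
EXPECTED = ["_spf.mailprovider.example", "newsletter.example", "invoicing.example"]

if __name__ == "__main__":
    for finding in audit(RECORD, EXPECTED):
        print(finding)
```

Run it whenever a new sending tool is onboarded, with `EXPECTED` kept as the inventory of services that mail on behalf of the domain.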

Related terms

  • DKIM — DKIM (DomainKeys Identified Mail) adds a digital signature to every outgoing email that recipients can verify via DNS.
  • DMARC — DMARC is the policy on top of SPF and DKIM: it tells receiving mail servers what to do with mail that fails the checks — simply deliver it (none), quarantine it or reject it (reject) — and sends reports on who is mailing on behalf of your domain.
  • DNS — DNS (Domain Name System) is the system that translates domain names into the servers behind them: it determines where your website is loaded and where email for your domain is delivered.

Part of the RiverFlows glossary.