Shipshape

WTF Series

WTF is SPF?

A DNS record that lists every server allowed to send email for your domain.

The real explanation

SPF stands for Sender Policy Framework. It's a TXT record you add to your domain's DNS that says "these IP addresses and these services are allowed to send email as me." When a receiving server gets an email claiming to be from your domain, it checks your SPF record. If the sending server isn't listed, SPF fails.

The biggest gotcha: SPF has a 10 DNS lookup limit. Every "include" in your SPF record costs at least one lookup, and some services use nested includes that eat up multiple. If you go over 10, your entire SPF record breaks for every receiver that checks it. Most senders don't find out until their emails start failing silently.

SPF also only checks the envelope sender (the Return-Path), not the From address that people actually see. That's why SPF alone isn't enough. You need DKIM and DMARC to cover the visible From address.

Show me an example

Your SPF record is: v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com include:freshdesk.com ~all. That's four includes, but Google's _spf.google.com alone has three nested includes inside it. You're already at 7 lookups from just those four services. Add a few more tools and you blow past 10. Everything breaks, and your ESP support team tells you to "check your content" instead.
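An added example, not part of the original page: a small Python counter that walks a record's includes and totals every term that costs a DNS lookup against the limit of 10. The TXT data is constructed (example.com stands in for your domain, the nested include names and ip4 ranges are placeholders), and the total is the worst case, since a receiver stops evaluating at the first match.

```python
# Constructed TXT data standing in for live DNS. The ip4 ranges are documentation
# placeholders, and example.com / *.example are assumed names, not real senders.
FLAT = "v=spf1 ip4:192.0.2.0/24 ~all"
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net "
                   "include:mailchimp.com include:freshdesk.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": FLAT, "_netblocks2.google.com": FLAT,
    "_netblocks3.google.com": FLAT, "sendgrid.net": FLAT,
    "mailchimp.com": FLAT, "freshdesk.com": FLAT,
    "helpdesk.example": FLAT, "crm.example": FLAT,
}
# Same domain after "a few more tools": two more includes plus mx and a.
CROWDED = {**ZONE, "example.com": ZONE["example.com"].replace(
    "~all", "include:helpdesk.example include:crm.example mx a ~all")}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # RFC 7208, 4.6.4
LIMIT = 10


def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's record."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record here; the include pointing at it was counted
    total = 0
    for term in record.lower().split()[1:]:
        term = term.lstrip("+-~?")                 # drop the qualifier
        if term.startswith("redirect="):           # modifier, also costs a lookup
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0]                  # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":                  # nested records count too
                total += count_lookups(target, zone, path + (domain,))
    return total


def check(domain, zone):
    """Return (lookup count, verdict); over the limit is a permerror."""
    n = count_lookups(domain, zone)
    return n, "permerror" if n > LIMIT else "ok"


if __name__ == "__main__":
    print(check("example.com", ZONE))     # the record from the example above
    print(check("example.com", CROWDED))  # after adding more senders
```

To audit a real domain, replace the ZONE dictionary with TXT answers fetched from your resolver and run the same count before publishing a change.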

Who handles this?

Sigil the Signaler

Sigil covers authentication (SPF/DKIM/DMARC/BIMI).

Go deeper

Read more in the Email Almanac: SPF in the Almanac

© 2026 Review My Emails. Confidential & proprietary. Unreleased draft. Unauthorized copying, reproduction, or distribution of this site or its contents is prohibited. All rights reserved.