Understand every SPF mechanism and qualifier, fix the most common SPF errors (PermError, SoftFail, too many DNS lookups), and build a bulletproof SPF record for cold email.
SPF (Sender Policy Framework) is a DNS TXT record published on your domain that specifies which mail servers are authorized to send email on your behalf. When a receiving mail server gets an email claiming to be from you@yourdomain.com, it checks your DNS for an SPF record and verifies that the sending server's IP is on the approved list.
If the sending IP isn't in your SPF record, the receiving server can choose to reject the email, quarantine it, or flag it as suspicious depending on your SPF qualifier (~all vs -all) and their own policy settings.
An SPF record is a single DNS TXT record with the value starting with v=spf1. Here's a breakdown of every mechanism and qualifier you'll encounter:
| Mechanism | What It Does | DNS Lookups | Common Use |
|---|---|---|---|
| v=spf1 | Declares this is an SPF v1 record. Always first. | 0 | Required — always present |
| ip4:1.2.3.4 | Authorizes a specific IPv4 address | 0 | Your dedicated sending IP |
| ip4:1.2.3.0/24 | Authorizes an IPv4 CIDR range | 0 | Your IP block |
| ip6:2001:db8::1 | Authorizes a specific IPv6 address | 0 | IPv6 sending servers |
| include:domain.com | Includes all IPs from another domain's SPF | 1+ | Third-party ESPs (TuruMail, SendGrid, etc.) |
| a | Authorizes the domain's A record IP(s) | 1 | Your web server also sends mail |
| mx | Authorizes all IPs in the domain's MX records | 1+ | Inbound mail server also sends |
| ptr:domain.com | Matches reverse DNS to a domain (deprecated) | Many | Avoid — causes PermErrors |
| exists:domain.com | Passes if a DNS query returns any A record | 1 | Rarely used |
| redirect=domain.com | Delegates entire SPF policy to another domain | 1 | Multi-domain management |
| all | Matches any IP not matched above (catch-all) | 0 | Always the last mechanism |

| Qualifier | Result | Effect on Failing Emails | When to Use |
|---|---|---|---|
| +all (default) | Pass | Passes everything — including unauthorized IPs | Never — defeats the purpose of SPF |
| ~all | SoftFail | Marks as suspicious but usually delivers | Initial setup and when switching ESPs |
| -all | HardFail | Instructs receiving servers to reject | When DMARC p=reject is live and confirmed |
| ?all | Neutral | No policy — treated like there's no SPF | Testing only |
Here are SPF records for common cold email setups:
include:, a, mx, and exists: counts.
include: with raw ip4: addresses. Use a flattening tool or TuruMail's SPF optimizer.
v=spf1. This is invalid — only one SPF record is allowed per domain.
~all so emails still deliver, but with a reputation hit.
include:smtp.turumail.com to your SPF record. Verify in TuruMail dashboard under Authentication.
v=spf1 include:smtp.turumail.com ~all
-all but have a service sending email that isn't in your SPF. Those emails are being rejected.
~all to -all.
The most misunderstood aspect of SPF is the 10 DNS lookup limit (defined in RFC 7208). Here's how a typical multi-ESP setup can quickly hit that limit:
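As an added illustration (not code from the original page or from TuruMail), the Python checker below counts the DNS-querying terms in an SPF record, following `include:` and `redirect=` chains, and flags records that exceed the limit or are published twice. The zone data is constructed, every domain name in it is hypothetical, and the count is the worst case in which no earlier mechanism matches.

```python
LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zone: hypothetical names, documentation IP ranges.
ZONE = {
    "example.com": ["v=spf1 a mx include:_spf.esp-a.example include:_spf.esp-b.example"
                    " include:_spf.crm.example ip4:203.0.113.10 ~all"],
    "_spf.esp-a.example": ["v=spf1 include:_n1.esp-a.example include:_n2.esp-a.example ~all"],
    "_n1.esp-a.example": ["v=spf1 ip4:198.51.100.0/25 ~all"],
    "_n2.esp-a.example": ["v=spf1 ip4:198.51.100.128/25 ~all"],
    "_spf.esp-b.example": ["v=spf1 mx include:_n1.esp-b.example include:_n2.esp-b.example ~all"],
    "_n1.esp-b.example": ["v=spf1 ip4:192.0.2.0/25 ~all"],
    "_n2.esp-b.example": ["v=spf1 ip4:192.0.2.128/25 ~all"],
    "_spf.crm.example": ["v=spf1 a:mail.crm.example exists:allow.crm.example ~all"],
    # A flattened record: only ip4: entries, so 0 lookups.
    "flat.example.com": ["v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 ip4:192.0.2.0/24 ~all"],
    # Two v=spf1 TXT records on one name: invalid.
    "dup.example.com": ["v=spf1 include:_spf.esp-a.example ~all", "v=spf1 mx ~all"],
}

def spf_record(domain, zone):
    """Return the one SPF record published at domain, else raise PermError."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise ValueError(f"PermError: {len(found)} SPF records at {domain}")
    return found[0]

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following include:/redirect=."""
    if domain in path:
        raise ValueError(f"PermError: include loop at {domain}")
    total = 0
    for term in spf_record(domain, zone).split()[1:]:
        term = term.lstrip("+-~?").replace("=", ":", 1)   # redirect=x -> redirect:x
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()                  # "a/24" -> "a"
        if name not in LOOKUP_TERMS:
            continue                                       # ip4, ip6, all do not count
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, path + (domain,))
    return total

def check(domain, zone=ZONE):
    n = count_lookups(domain, zone)
    return n, ("PermError: too many DNS lookups" if n > LIMIT else "ok")

if __name__ == "__main__":
    for d in ("example.com", "flat.example.com"):
        print(d, check(d))
```

The top-level record shows only five lookup-causing terms, but the nested includes bring the total to 12; the flattened variant costs none.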
include: chains to their final IP addresses and replaces them with ip4: entries — which use 0 DNS lookups. The downside is that flattened records need to be updated whenever your ESP changes their IP ranges. TuruMail's automatic SPF monitoring alerts you when changes are needed.
TuruMail guides your SPF, DKIM, and DMARC setup step by step — and monitors them 24/7 so you never get caught off guard.