Fundamentals · SPF

What is SPF?

The Sender Policy Framework is the digital bouncer of your domain: it tells receiving mail servers which IP addresses are allowed to send email using your domain in the envelope sender (MAIL FROM, also seen as Return-Path).

The problem

SMTP itself does not verify the sender. Any server can claim to send mail for your-company.com, and without additional information the recipient has no way to check whether that claim is genuine. This is the basis of phishing and CEO fraud.

How SPF works

SPF solves the problem with a DNS record. In a TXT record at your domain name, you publish the list of servers that are allowed to send for that domain. The receiving mail server reads the domain from the envelope sender (MAIL FROM; if that is empty, the HELO/EHLO host name), queries the TXT record for it, and compares the list against the IP address the email is currently arriving from.

[Figure: SPF check in 4 steps. Sender mail.firma.at (IP 192.0.2.10) delivers (1) the email to the recipient's server, which (2) queries the SPF TXT record in DNS and (3) receives the list of authorized senders; (4) if the connecting IP is in the list, the mail is OK, otherwise it is rejected.]

Example record

This is what a typical SPF entry in DNS looks like — here for a domain that uses Google Workspace and Mailgun:

; TXT record for @ (root domain)
"v=spf1 include:_spf.google.com include:mailgun.org ~all"

The key components:

v=spf1: the version tag; the record must start with it, or receivers ignore it.
include:_spf.google.com and include:mailgun.org: pull in the sender lists that Google and Mailgun publish under their own domains, so you never have to maintain their IP ranges yourself. Each include: costs one DNS lookup.
~all: the policy ending, applied to every IP that matched none of the mechanisms before it; here a softfail.

The four policy endings

Ending  Recommendation  Meaning
-all    Ideal           Hardfail: any IP outside the list is not authorized; many receivers reject such mail outright.
~all    Good            Softfail: the IP is probably not authorized; the mail is accepted but marked as suspicious.
?all    Weak            Neutral: no statement either way, equivalent to having no SPF record.
+all    Never           Pass for everything: every IP on the internet may send as your domain.

Which action a receiver takes on fail or softfail is the receiver's decision; the record only states your policy.
Important: SPF alone does not fully protect you. SPF checks the envelope sender (MAIL FROM / Return-Path), not the From: header the user sees in the mail client. An attacker can put their own domain in the envelope, pass SPF with it, and still display your-company.com in the visible From address. Only the combination with DKIM and DMARC, which additionally requires the From: domain to align with the domain that passed SPF or DKIM, closes this gap.

The most common pitfalls

Frequently asked questions

What is the DNS lookup limit?

SPF allows a maximum of 10 DNS-querying terms per evaluation (RFC 7208 section 4.6.4). Every include:, a:, mx:, exists: and ptr: mechanism and the redirect= modifier counts, including those inside the records that your include: entries pull in; ip4:, ip6: and all do not count. If the limit is exceeded, the evaluation ends with PermError, which DMARC treats as not passing. RFC 7208 additionally recommends that at most two lookups may return no data or NXDOMAIN (void lookups). In practice the limit is usually hit through nested include: chains from several SaaS providers; replacing them with ip4:/ip6: entries (flattening) helps, but the record then has to be regenerated whenever a provider changes its ranges.

What is the difference between -all and ~all?

-all (hardfail) instructs mail servers to reject non-matching mail. ~all (softfail) lets it through but marks it as suspicious. For DMARC the two are equivalent: both count as an SPF failure. The practical difference is that some receivers reject on -all at SMTP time, before DKIM or DMARC is even evaluated, which hits mail that was forwarded without sender rewriting. For production domains with active DMARC, -all is the right choice once every legitimate sender is in the record and DKIM is signing.

Can I have multiple SPF records on one domain?

No. Multiple TXT records starting with v=spf1 on the same name result in PermError. Consolidate all mechanisms into a single record. Other TXT records on the same name (for example domain verification tokens) are fine and are ignored by SPF.
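The 4-step check from above, the four endings, the lookup limit and the "two records" case, as an added, runnable example (not part of the original page and not Mailantis software). It evaluates the example record for example.com against a constructed, in-memory DNS table: the entries for _spf.google.com and mailgun.org are placeholders, not the providers' real records, and strict.example, twice.example, loop.example, nospf.example and the 192.0.2.x / 198.51.100.x / 203.0.113.x / 2001:db8:: addresses are invented documentation values.

```python
"""Minimal SPF evaluator (a subset of RFC 7208) run against a constructed,
in-memory DNS table so it works offline.  Added example, not Mailantis code.
Covers v=spf1, all/ip4/ip6/a/mx/include/exists with the four qualifiers, the
10-lookup limit and the "more than one v=spf1 record" case (both PermError).
Macros, redirect= and the deprecated ptr mechanism end in PermError here."""
import ipaddress

# Constructed zone data; none of these are the providers' real records.
# Keys are (name, rrtype); values are lists because a name may hold several RRs.
DNS = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.google.com include:mailgun.org ~all"],
    ("_spf.google.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"],
    ("mailgun.org", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("strict.example", "TXT"): ["v=spf1 mx a:smtp.strict.example -all"],
    ("strict.example", "MX"): ["mx1.strict.example"],
    ("mx1.strict.example", "A"): ["192.0.2.20"],
    ("smtp.strict.example", "A"): ["192.0.2.10"],
    ("neutral.example", "TXT"): ["v=spf1 ?all"],
    ("open.example", "TXT"): ["v=spf1 +all"],
    # Two v=spf1 records on one name: PermError before any mechanism is evaluated.
    ("twice.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all", "v=spf1 include:mailgun.org -all"],
    # A record that includes itself: every include: is charged, so the limit trips.
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

LOOKUP_LIMIT = 10                                   # RFC 7208 section 4.6.4
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
COUNTED = {"include", "a", "mx", "exists", "ptr"}   # mechanisms that cost a DNS lookup


class PermError(Exception):
    """The record cannot be evaluated; the receiver's result is 'permerror'."""


def lookup(name, rrtype):
    return DNS.get((name.lower(), rrtype), [])


def addresses(name):
    return lookup(name, "A") + lookup(name, "AAAA")


def spf_record(domain):
    records = [t for t in lookup(domain, "TXT") if t.split()[0].lower() == "v=spf1"]
    if len(records) > 1:
        raise PermError(f"{domain} publishes {len(records)} v=spf1 records")
    return records[0] if records else None


def spend(budget, domain):
    """Charge one DNS lookup against the evaluation-wide budget."""
    budget[0] -= 1
    if budget[0] < 0:
        raise PermError(f"more than {LOOKUP_LIMIT} DNS lookups while evaluating {domain}")


def check_host(ip, domain, budget):
    """RFC 7208 check_host(): returns pass/fail/softfail/neutral/none or raises PermError.
    budget is a one-element list shared across include: recursion, so the lookup limit
    applies to the evaluation as a whole, not per record."""
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:                          # skip the v=spf1 tag
        qualifier = term[0] if term[0] in QUALIFIER else "+"
        mech, _, value = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech in COUNTED:
            spend(budget, domain)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)   # False across IP versions
        elif mech == "a":
            matched = str(ip) in addresses(value or domain)
        elif mech == "mx":
            matched = any(str(ip) in addresses(mx) for mx in lookup(value or domain, "MX"))
        elif mech == "exists":
            matched = bool(lookup(value, "A"))
        elif mech == "include":
            inner = check_host(ip, value, budget)
            if inner == "none":
                raise PermError(f"include:{value} has no SPF record")
            matched = inner == "pass"                        # fail/softfail/neutral inside = no match
        else:                                                # ptr, redirect=, macros, unknown terms
            raise PermError(f"unsupported term '{term}' in record of {domain}")
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                                         # RFC 7208 section 4.7: default result


def evaluate(ip, domain):
    """Result a receiver computes for a connection from ip whose MAIL FROM is at domain,
    plus a note with the number of DNS lookups spent or the PermError reason."""
    budget = [LOOKUP_LIMIT]
    try:
        result = check_host(ipaddress.ip_address(ip), domain, budget)
        return result, f"{LOOKUP_LIMIT - budget[0]} DNS lookup(s)"
    except PermError as err:
        return "permerror", str(err)


if __name__ == "__main__":
    for ip, domain in [("203.0.113.5", "example.com"), ("192.0.2.99", "example.com"),
                       ("192.0.2.30", "strict.example"), ("192.0.2.1", "twice.example"),
                       ("192.0.2.1", "loop.example")]:
        print(f"{domain:<16} from {ip:<14} -> {evaluate(ip, domain)}")
```

Note how the budget is threaded through the include: recursion: that is what makes a self-including record, or a deep chain of provider includes, fail with PermError after the tenth lookup instead of running forever. A real resolver additionally has to handle redirect=, macros, the void-lookup limit and DNS timeouts (TempError), none of which this example attempts.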

Do I still need SPF if I use DMARC?

Yes, in practice. DMARC passes only if at least one of SPF or DKIM passes and the domain that passed aligns with the From: domain. DKIM alone can satisfy that, but then a single DKIM problem (a key rotation gone wrong, a forwarder that modifies the body) fails DMARC outright; with SPF in place you have a second, independent path to a pass. Many receivers also evaluate SPF on its own, before DMARC.

How do I test SPF changes without risk?

Lower the TTL of the TXT record to about 300 seconds and wait for the old TTL to expire, so a rollback takes effect quickly if needed. Then publish the change, confirm what resolvers actually see with dig +short TXT your-domain or the Mailantis SelfCheck, and watch the DMARC aggregate reports (rua) for a few days; they arrive roughly once a day per receiver and show which sending IPs now fail SPF. Only when no legitimate sender shows up as failing, raise the TTL again.