How does SPF work?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Every time an email arrives at a receiving server, that server asks: is this sender who they say they are? SPF is one of the tools it uses to find out.

Here's the sequence. When your message lands at Gmail or Outlook, the receiving server looks at the envelope from domain, which is the domain used during the actual mail transfer (different from what you see in the "From" field in your inbox). It takes that domain and does a quick DNS lookup to find the SPF record you've published.

The SPF record contains a list of authorized servers, written as mechanisms: things like ip4:203.0.113.5 (a specific IP address), include:esp.example.com (your ESP's sending range), or mx (your mail exchange servers). The receiving server checks whether the IP address it's actually talking to matches any of them.

If the IP matches an authorized mechanism, the message passes SPF. If it doesn't match anything, the result depends on the qualifier at the end of the SPF record. ~all means soft fail (suspicious, but accept it). -all means hard fail (reject or heavily penalize it).

One important nuance: SPF validates the envelope from domain, not the visible from header in your client. Those can be different, which is why DMARC exists. DMARC checks whether SPF and DKIM actually align with the visible "From" domain. Without DMARC, a spoofer can pass SPF while still showing a different "From" to your recipients.

So if If you want to check whether your SPF record is evaluating correctly, our free SPF checker validates the syntax and shows you which mechanisms are resolving.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a step-by-step diagnosis of your specific SPF setup.

I read this on the Email Almanac about how SPF validation works. My domain is your domain. My SPF record currently says paste your record or leave blank. I'm sending through [describe your ESP or mail server setup, including any third-party services that send on your behalf]. What I want to understand: [describe your question, e.g., "whether my ESP's sending IP is authorized by my SPF record" or "why messages are failing SPF despite having a record" or "what the difference is between the envelope-from and visible-from"].

Edit the yellow boxes, then send to the AI of your choice.