SPF Syntax

sender policy framework

Structure of an SPF record

Each SPF record begins with a version number; the current SPF version with "v = spf1 ".

It follows any number of expressions, which are evaluated in the order from front to back. Most terms are so-called directivesthat define the sender's authorization, and consist of an optional qualifier and a so-called mechanism that yields either a hit or no hit for a given situation (IP address). The first mechanism that represents a hit determines the result of the entire valuation of the SPF record.

There are the following Qualifiers:

Q. Result Code description
+ Pass the directive defines authorized transmitter;
this is the standard, i.e. if no qualifier is specified, + is assumed
- Fail the directive defines unauthorized senders
~ SoftFail the directive defines unauthorized senders, but the recipient should treat this failure generously;
this qualifier is for testing purposes
? Neutral the directive defines channels whose legitimacy is not to be stated; The transmitter must be accepted.

The following table shows some common Mechanisms:

Mech. Directive applies if -
all always
a an A (or AAAA) record of the polled (or explicitly specified) domain contains the IP address of the sender
mx an MX record of the polled (or explicitly specified) domain contains the IP address of the sender
ip4 the specified IPv4 address is the IP address of the sender or the specified IPv4 subnet contains it
include an additional SPF request for the domain specified in the include statement contains the IP address of the sender

For an overview of all allowed terms, see the SPF Mechanisms subpage of the SPF website.


$ host -t TXT gmx.de
gmx.de text "v=spf1 ip4: -all"

The company GMX determines that all servers in the network area from to may send e-mails from the domain gmx.de. All other servers are not authorized to use this domain in the envelope sender address under this SPF record.

SPF - Record


Domain management