SPF is an email authentication standard that allows you to specify which mail servers are authorized to send email on behalf of your domain. When an email server receives a message, it can check the SPF record to verify the sender is legitimate.
How SPF Works
SPF verification follows a four-step process that happens automatically for every incoming email:
- You publish a TXT record in your domain’s DNS listing authorized sending servers
- When a recipient’s server receives an email claiming to be from your domain, it looks up your SPF record
- The server checks if the sending IP is listed in your SPF record
- Based on the result, the email is accepted, marked as suspicious, or rejected
┌─────────────────┐
┌──────────┐ ┌──────────┐ │ DNS Server │
│ Sender │ ──────▶ │ Lettr │ ──────────────▶ │ (SPF Lookup) │
└──────────┘ └──────────┘ └────────┬────────┘
│ │
│ ┌───────────────────────┘
▼ ▼
┌───────────────────┐
│ Recipient Server │
│ (Checks SPF) │
└───────────────────┘
SPF Qualifiers
The qualifier at the end of your SPF record determines how receiving servers handle emails from unauthorized sources:
| Qualifier | Symbol | Action | Recommendation |
|---|
| Pass | +all | Accept all (defeats SPF purpose) | Never use |
| Soft Fail | ~all | Accept but mark suspicious | Recommended |
| Hard Fail | -all | Reject unauthorized emails | Use after testing |
| Neutral | ?all | No policy | Not recommended |
Start with ~all (soft fail) while setting up, then move to -all (hard fail) once you’ve confirmed all legitimate sending sources are included.
Merging SPF Records
You can only have one SPF record per domain. If you use multiple email services, merge them into a single record:
Example: Lettr + Google Workspace
v=spf1 include:_spf.sparkpostmail.com include:_spf.google.com ~all
Example: Lettr + Microsoft 365 + Mailchimp
v=spf1 include:_spf.sparkpostmail.com include:spf.protection.outlook.com include:servers.mcsv.net ~all
Having multiple SPF records will cause authentication failures. Always merge into a single TXT record.
SPF Lookup Limit
SPF has a limit of 10 DNS lookups per record. Each include: statement counts as at least one lookup (and nested includes add more). If you use several email services, you can exceed the limit.
Check your lookup count
Use a public SPF checker to see how many lookups your record uses:
If you exceed 10 lookups, you’ll need to reduce the number of include: statements. Remove any email services you no longer use, and consider an SPF flattening service that resolves include: statements into explicit IP addresses, reducing the lookup count while maintaining the same authorization.
Verify SPF Setup
After adding your SPF record, you can check its status through the Lettr API. The response tells you whether the record was found and validated correctly:
curl https://app.lettr.com/api/domains/example.com \
-H "Authorization: Bearer lttr_xxxxxxxxxxxx"
spf_status field indicating whether your SPF record is correctly configured.
Troubleshooting
If SPF verification fails, check the most common causes:
| Issue | Solution |
|---|
| SPF not verifying | Ensure TXT record is on root domain, not a subdomain |
| Multiple SPF records | Merge all services into one TXT record |
| Too many lookups | Remove unused includes or use SPF flattening |
| Emails still failing | Check that Lettr’s include is present: include:_spf.sparkpostmail.com |
Next Steps
