> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lettr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SPF Records

> Configure an SPF record that authorizes Lettr to send email for your domain, so receiving servers can verify the sending IP is legitimate

SPF is an email authentication standard that allows you to specify which mail servers are authorized to send email on behalf of your domain. When an email server receives a message, it can check the SPF record to verify the sender is legitimate.

## How SPF Works

SPF verification follows a four-step process that happens automatically for every incoming email:

1. You publish a TXT record in your domain's DNS listing authorized sending servers
2. When a recipient's server receives an email claiming to be from your domain, it looks up your SPF record
3. The server checks if the sending IP is listed in your SPF record
4. Based on the result, the email is accepted, marked as suspicious, or rejected

```
                                                    ┌─────────────────┐
┌──────────┐         ┌──────────┐                   │  DNS Server     │
│  Sender  │ ──────▶ │  Lettr   │ ──────────────▶   │  (SPF Lookup)   │
└──────────┘         └──────────┘                   └────────┬────────┘
                           │                                 │
                           │         ┌───────────────────────┘
                           ▼         ▼
                     ┌───────────────────┐
                     │ Recipient Server  │
                     │ (Checks SPF)      │
                     └───────────────────┘
```

## SPF Qualifiers

The qualifier at the end of your SPF record determines how receiving servers handle emails from unauthorized sources:

| Qualifier | Symbol | Action                           | Recommendation    |
| --------- | ------ | -------------------------------- | ----------------- |
| Pass      | `+all` | Accept all (defeats SPF purpose) | Never use         |
| Soft Fail | `~all` | Accept but mark suspicious       | **Recommended**   |
| Hard Fail | `-all` | Reject unauthorized emails       | Use after testing |
| Neutral   | `?all` | No policy                        | Not recommended   |

<Tip>
  Start with `~all` (soft fail) while setting up, then move to `-all` (hard fail) once you've confirmed all legitimate sending sources are included.
</Tip>

## Merging SPF Records

You can only have **one SPF record** per domain. If you use multiple email services, merge them into a single record:

### Example: Lettr + Google Workspace

```
v=spf1 include:_spf.sparkpostmail.com include:_spf.google.com ~all
```

### Example: Lettr + Microsoft 365 + Mailchimp

```
v=spf1 include:_spf.sparkpostmail.com include:spf.protection.outlook.com include:servers.mcsv.net ~all
```

<Warning>
  Having multiple SPF records will cause authentication failures. Always merge into a single TXT record.
</Warning>

## SPF Lookup Limit

SPF has a limit of **10 DNS lookups** per record. Each `include:` statement counts as at least one lookup (and nested includes add more). If you use several email services, you can exceed the limit.

### Check your lookup count

Use a public SPF checker to see how many lookups your record uses:

* **[MXToolbox SPF Record Lookup](https://mxtoolbox.com/spf.aspx)** – Enter your domain to see the resolved SPF record and lookup count.
* **[DMARC Analyzer SPF Lookup](https://www.dmarcanalyzer.com/spf/spf-record-check/)** – Shows lookup chain and warns if you exceed 10.

If you exceed 10 lookups, you'll need to reduce the number of `include:` statements. Remove any email services you no longer use, and consider an SPF flattening service that resolves `include:` statements into explicit IP addresses, reducing the lookup count while maintaining the same authorization.

## Verify SPF Setup

After adding your SPF record, you can check its status through the Lettr API. The response tells you whether the record was found and validated correctly:

```bash theme={null}
curl https://app.lettr.com/api/domains/example.com \
  -H "Authorization: Bearer lttr_xxxxxxxxxxxx"
```

The response includes the `spf_status` field indicating whether your SPF record is correctly configured.

## Troubleshooting

If SPF verification fails, check the most common causes:

| Issue                | Solution                                                                |
| -------------------- | ----------------------------------------------------------------------- |
| SPF not verifying    | Ensure TXT record is on root domain, not a subdomain                    |
| Multiple SPF records | Merge all services into one TXT record                                  |
| Too many lookups     | Remove unused includes or use SPF flattening                            |
| Emails still failing | Check that Lettr's include is present: `include:_spf.sparkpostmail.com` |

## Next Steps

<CardGroup cols={2}>
  <Card title="DKIM" icon="key" href="/learn/domains/dkim">
    Set up DKIM signing for your domain
  </Card>

  <Card title="DMARC" icon="shield" href="/learn/domains/dmarc">
    Configure DMARC policies
  </Card>
</CardGroup>
