Home/Knowledge Hub/SPF: Who's Allowed to Send Email From Your Domain
← Back to Knowledge Hub

SPF: Who's Allowed to Send Email From Your Domain

Email SecurityDNS & Network·June 3, 2026·4 min read

SPF (Sender Policy Framework) is a DNS record that tells email receivers which servers are authorized to send email from your domain.…

How SPF Works

Your customer gets an email from yourcompany.com. How does their inbox know it's really you? That’s where SPF comes in. SPF stands for Sender Policy Framework. It’s a simple text file you publish in your domain’s DNS settings—a public guest list of who is allowed to send email on your behalf. Your domain name is like your street address. DNS is the phonebook that turns addresses into directions. An SPF record is a specific entry in that phonebook that lists which mail servers are permitted to send mail from your street address. Without it, anyone who looks you up in the directory might get directions to a fake house.

Real-World Analogy

Think of your domain like an apartment building. The building manager posts a list of approved delivery people who can drop off packages for residents. If a delivery person shows up claiming to be from FedEx but their name isn’t on the list, they’re turned away. SPF is that approved list, but for email.

Layer 1 – Plain English

Here’s what happens when you send an email: Your email provider adds a hidden note that says “I came from this server.” The receiving mail server (like Gmail or Outlook) sees the note, then pulls up the SPF record from your domain’s DNS. It checks the list. If the server that sent the email is on the list, the email passes the SPF check. If it’s not, the email gets flagged as suspicious or rejected outright. It’s like a bouncer checking a VIP list at the door.

Layer 2 – Technical Detail

Technical Details
— starts every SPF record
— authorizes a specific IPv4 address (like giving a key to one trusted server)
— delegates to another domain’s SPF record (if you use Microsoft 365, for example)
— strict: reject any server not listed. means softfail (mark as suspicious but deliver). is neutral (testing only, don’t use in production)

Why It Matters for Your Business

When you have SPF set up properly, email receivers trust your messages, so your newsletters, invoices, and support emails land in inboxes instead of spam folders. That means better deliverability for marketing campaigns, fewer missed sales queries, and fewer support tickets from customers who didn’t get a response.

Without a correct SPF record, anyone can send emails that look like they’re from your domain. An attacker could blast thousands of phishing messages pretending to be your CEO, or a competitor could spoof your address and ruin your sender reputation. Your real emails start bouncing or ending up in spam, and your customers lose trust.

This isn’t just an IT problem. Marketing relies on deliverability to reach leads. Sales needs inbox placement to close deals. Support depends on customers being able to reply. Even your executive team should care because a spoofed email can embarrass your brand or lead to a costly security incident.

Common Issues and Warning Signs

You might not realize your SPF is broken until something goes wrong. Maybe you added a new email tool and suddenly some messages disappear. Maybe a client tells you they’ve been getting strange emails from your company that you know you didn’t send. Here are the signs that point to an SPF problem:

Common Issues

Email from your domain keeps landing in spam folders, especially after you connected a new service like a CRM or marketing platform.
You set up a new email tool and now customers say they never received the message.
Your IT team gets bounce messages saying “SPF fail” or “Sender not permitted.”
A client forwards you a phishing email that looks like it came from your CEO—but you didn’t send it.
TechSpy’s scan shows a warning about missing or misconfigured SPF.

How to Fix or Improve SPF

If you manage your domain’s DNS, you can fix this in a few minutes. If not, forward these steps to whoever handles your IT—they’ll know exactly what to do. The goal is to create one SPF record that lists every service you use to send email (your Microsoft 365 or Google Workspace, your marketing tool, your CRM, etc.).

Done. SPF is now telling the world exactly who’s allowed to deliver messages from your street address. Want to double-check everything is in order? Run a free TechSpy scan to see your SPF record and other email security settings at a glance.

<!-- self-check: layer1_readable=true | fix_doable=true | no_padding=true | jargon_expanded=true -->

1Make a list of all the services that send email from your domain. This includes your primary email provider (Google Workspace, Microsoft 365), any marketing automation tool, helpdesk, or invoicing platform.
2Go to a free SPF generator like the one on MXToolbox or EasyDMARC. Enter your domain and add each service’s SPF include statement as prompted (your provider’s documentation will have the exact string, like ).
3Copy the generated SPF record. It will look something like .
4Log into your DNS provider’s control panel (where you bought your domain or where your DNS is hosted—often GoDaddy, Namecheap, Cloudflare, or AWS).
5Find the DNS records section and add a new TXT record. In the Name/Host field, enter (meaning your root domain). In the Value/Content field, paste the SPF record you copied.
6Set the TTL (time to live) to 3600 seconds (1 hour) and save. Wait a few minutes for the change to propagate, then run another TechSpy scan to confirm it’s working.

See how your domain's configuration stacks up.

Get a free scan — no sign-up, no credit card.

Scan Your Domain Free →