Skip to content Sender Policy Framework explained
SPF email authentication is basically your domain’s bouncer checking IDs at the door. SPF (Sender Policy Framework) lets you specify which mail servers are allowed to send emails on behalf of your domain.
In other words, it’s a DNS record that says ‘Emails from mydomain.com should only come from X, Y, and Z servers, everyone else can get lost.’
Think of SPF as your first line of defense against spoofing and phishing. If some scammer tries to send an email pretending to be you, a proper SPF record will flag that imposter and help ISPs block it. This protects your brand and prevents spammer shenanigans from trashing your sender reputation. For legitimate emails, SPF passes give you a deliverability boost. Mailbox providers trust your messages more when they can verify the sending source. On the flip side, failing SPF can send your email straight to spam or outright get it rejected by strict servers.
If you’re using any third-party email service (newsletters, CRM, sales automation), you must include their sending servers in your SPF record. Forgot to update SPF after adding a new email tool? Don’t be surprised when your deliverability dips. Your emails are essentially showing up without being on the guest list.
Setting up SPF isn’t rocket science, but you need to do it right. A few tips to keep your SPF effective and error-free:
Combine all your sending sources into a single SPF TXT record. Multiple SPF records on the same domain will break things.
List every service that sends emails for you (include mechanisms for your ESPs, CRMs, etc). If you forget one, those emails might fail SPF authentication for email delivery.
The end of your SPF record should typically be -all, which is basically ‘hard fail’ for any sender not listed. This tells ISPs to reject messages from unauthorized sources. Using ~all (soft fail) is weaker; it’s like maybe rejecting the fakes. Go ahead and be strict.
SPF records can only have 10 DNS lookups, which means that when a receiving mail server checks your domain’s SPF record, it can perform no more than 10 DNS lookups. A lookup is any additional DNS query needed to fetch information such as another domain’s SPF record or a domain’s A or MX records (for example when using include, a, mx, exists, redirect, or ptr).
This limit exists to keep email authentication fast and reliable. That’s an RFC rule, not a suggestion. If you include too many services (and those include chain to other includes), you can hit the limit and get a PermError which means SPF breaks entirely for your domain. Keep an eye on it, use SPF flattening or subdomains for additional senders if needed, but don’t exceed 10 lookups or your SPF might as well not exist.
Treat your SPF record as living documentation. When you add or remove an email service, update the record.
Configure SPF correctly and you’ll not only block the bad guys but also show mailbox providers you’re a responsible sender. That translates to more of your emails delivered where they belong (the inbox!). It’s a one-time setup that pays permanent dividends.
PitchKraft lets you verify your SPF, DKIM and DMARC within the software. We strongly advise you to take advantage of that. We also ask that you verify your domain so that others can’t send emails using PitchKraft on your behalf.
Unless you verify your domain, which is a 10-minute job, we won’t be able to let you send emails via PitchKraft. We value your email reputation and won’t do anything which could harm it. If you have any problems or need any help or advice, just contact our support team anytime.
Get in touch
24/7/365 support comes as standard. We know…this is not normal!
support@pitchkraft.ai
Available on Standard & Premium plans
