NuStart Email Trust Series — Post 2 of 10
SPF for Beginners is Post 2 of my Email Trust series. Email deliverability is full of acronym soup—SPF, DKIM, DMARC, TLS—and most small businesses don’t have time to become part-time email engineers. In this series, I translate the geeky jargon into plain-English concepts and simple actions. You run the business; I’ll do the nerding.

What is SPF?
SPF stands for Sender Policy Framework. It’s a DNS record that tells the internet:
“These are the servers/services that are allowed to send email on behalf of my domain.”
When a mailbox provider (like Gmail or Outlook) receives an email claiming to be from your domain, it checks your SPF record to see if the sending server is on your approved list.
If the sender isn’t approved, SPF can fail—and that can lead to:
- messages landing in spam
- warning banners (“be careful with this message”)
- or outright rejection (especially when DMARC is enforced)
Why SPF matters for small businesses
SPF is one of the easiest wins for deliverability because it reduces impersonation and prevents “random servers” from pretending to be you. SPF for Beginners is my guide to demystifying the what, why and how of SPF email authentication.
It’s also critical because most businesses send email from more than one place, such as:
- Google Workspace or Microsoft 365 (day-to-day email)
- a newsletter platform (Mailchimp, etc.)
- a CRM (HubSpot, etc.)
- a transactional service (Postmark/SendGrid/Mailgun)
- your website (forms, WooCommerce receipts, booking plugins)
SPF is where you declare which of those are legitimate.
How SPF works (in plain English)
SPF is a TXT record on your domain. It contains rules that say:
- “Allow these IPs,” and/or
- “Allow whatever servers this provider uses,” and/or
- “Fail anything else.”
It doesn’t encrypt your email. It doesn’t “sign” your email. It’s simply an authorization list.
What an SPF record looks like
A typical SPF record looks something like:
v=spf1 include:_spf.google.com -all
Breakdown:
- v=spf1: this is an SPF record
- include:_spf.google.com: allow Google Workspace servers to send for this domain
- -all: hard fail anything not listed
You might also see:
- ~all: soft fail (less strict; often used early on)
- ?all: neutral (not recommended for real-world protection)
The most common SPF mistake (and how to avoid it)
Mistake: Having multiple SPF records
A domain should have one SPF record. If you add a second one, receivers may treat SPF as invalid.
This happens a lot when businesses add tools over time:
- Google Workspace added an SPF record
- then a newsletter tool adds another
- then a website host adds another
The fix is to merge them into a single record.
SPF “include” is where things get tricky (but manageable)
Most providers publish an SPF include you add to your record. Examples:
- Google Workspace: include:_spf.google.com
- Microsoft 365: include:spf.protection.outlook.com
Other tools (CRMs/newsletters) provide their own include(s).
Your job is to ensure your SPF record includes every legitimate sender—and nothing else.
SPF doesn’t work alone (important)
SPF checks the envelope sender (the technical “MAIL FROM” identity), which is not always the same as the visible From: address people see.
That’s why SPF is best paired with:
- DKIM (signs the message)
- DMARC (enforces alignment and gives you reporting)
SPF is necessary, but it’s not the full solution.
Step-by-step: how to set up SPF safely
Step 1: List all systems that send email as your domain
Write them down. Include:
- your mailbox provider (Google/M365)
- newsletters/marketing tools
- CRM
- invoicing/booking platforms
- website (forms, ecommerce receipts)
- any automation tools (Zapier/n8n sending mail, etc.)
If you miss one, SPF might start failing for that system.
Step 2: Find each system’s SPF instructions
Most tools have a help page that provides an include: value or IP ranges.
Step 3: Create ONE SPF record that covers everything
This will be one TXT record (usually on the root domain, “@”).
Step 4: Choose your ending (~all vs -all)
- If you’re unsure whether you’ve captured all senders, start with ~all (soft fail).
- Once you’re confident everything is accounted for, move to -all (hard fail).
- If you’re implementing DMARC later, this becomes even more important.
Step 5: Validate
Use a DNS checker and send test emails to a few providers. Confirm that the Authentication-Results header on the received message shows spf=pass.
I use mail-tester.com (easy-to-read report) or redsift.com (more detailed, but a more complex report).
SPF limits you should know (so you don’t get burned)
1) The 10 DNS-lookup limit
SPF has a technical limit: a receiver may only do 10 DNS lookups while evaluating SPF. Every include:, a, mx, ptr, exists and redirect term counts toward that limit, and so do the lookups inside the records you include. Too many include: statements can push you over the limit, causing SPF to fail even if your intentions are correct.
This is common when businesses stack multiple marketing tools.
2) “Website sends email” is often the hidden deliverability killer
If your website is sending mail “from” your domain but your host/server isn’t included in SPF, SPF may fail (and the message may be filtered).
Often the better approach is:
- send form mail via an authenticated provider (transactional email), or
- use a safe “from” and put the user’s email in Reply-To, or
- route through a service designed for this (I use Postmark for client website email notifications!)
I’ll cover that more as the series goes on.
Quick SPF checklist
- Only one SPF record exists
- It includes your real mailbox provider (Google/M365)
- It includes every platform that sends as your domain
- It ends with ~all (early) or -all (final)
- You are under the 10-lookup limit
- You tested and confirmed SPF pass in headers
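As an added example (my own illustration, not code from the post or from any provider it names), here is a small Python checker for the checklist items that can be tested without touching DNS: exactly one SPF record, a count of lookup-costing terms against the limit of 10 from “SPF limits you should know”, and the ~all/-all ending, plus a helper that merges stacked records into one as described under “The most common SPF mistake”. The TXT strings, the newsletter include and the ip4 address are constructed placeholders, and because nothing is resolved, lookups nested inside include: targets are not counted.

```python
import re

# Terms that cost a DNS lookup when a receiver evaluates SPF (the 10-lookup budget).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def split_term(term):
    """'include:_spf.google.com' -> ('+', 'include'); '-all' -> ('-', 'all')."""
    qualifier = "+"                      # SPF's default qualifier is "pass"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    return qualifier, re.split(r"[:=/]", term, maxsplit=1)[0].lower()

def check_spf(txt_records):
    """Static checks on a domain's TXT strings: one SPF record, the 'all' ending, and
    the count of lookup-costing terms (no DNS, so nested includes are not counted)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    result = {"records": len(spf), "lookups": 0, "all": None, "problems": []}
    if len(spf) != 1:
        result["problems"].append(f"need exactly one SPF record, found {len(spf)}")
        return result
    for term in spf[0].split()[1:]:      # skip the 'v=spf1' version tag
        qualifier, name = split_term(term)
        if name in LOOKUP_TERMS:
            result["lookups"] += 1
        elif name == "all":
            result["all"] = qualifier
    if result["lookups"] > 10:
        result["problems"].append(f"{result['lookups']} lookups exceeds the limit of 10")
    if result["all"] not in ("~", "-"):
        result["problems"].append("record does not end with ~all or -all")
    return result

def merge_spf(txt_records, ending="~"):
    """Merge several SPF records into one: every non-'all' term kept once, in order
    of first appearance, then one ending (~all while rolling out, -all when sure)."""
    terms = []
    for record in txt_records:
        if record.lower().startswith("v=spf1"):
            for term in record.split()[1:]:
                if split_term(term)[1] != "all" and term not in terms:
                    terms.append(term)
    return " ".join(["v=spf1", *terms, f"{ending}all"])

# Constructed sample (placeholder values, not a real provider's): the "stacked tools" case.
SAMPLE_TXT = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:spf.newsletter.example ~all",
    "google-site-verification=placeholder",      # unrelated TXT record, ignored
    "v=spf1 a mx ip4:203.0.113.10 -all",
]
```

Running check_spf(SAMPLE_TXT) reports three SPF records; check_spf([merge_spf(SAMPLE_TXT)]) reports one record, four lookups and no problems.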
Want NuStart to handle this for you?
If you’d rather not wrestle with DNS records, alignment, and testing, NuStart can audit your current setup and implement a clean, reliable Email Trust configuration end-to-end. Request an Email Trust Audit today to get started.
Up next
Next: Post 3 — DKIM Explained: How email signatures build trust (and stop tampering)
FAQs
Can I have more than one SPF record?
What’s the difference between ~all and -all in an SPF record?
~all (soft fail): “Not authorized, but don’t hard-reject.” Good for early rollout.
-all (hard fail): “Not authorized—fail.” Better security once you’re confident all legitimate senders are included.
Why did my contact form emails start going to spam?
What is the SPF 10-lookup limit?
include:, a, mx, ptr, exists, redirect). Too many tools stacked into SPF can exceed the limit and make SPF fail even if the record looks “right.”
Does SPF protect against spoofing?
Does SPF affect inbound email I receive?
Should I put my IP address in SPF?
include: values provided by Google/Microsoft or a sending platform, not raw IPs.
