Best Practices for SPF

SPF best practices include keeping records simple, limiting them to trusted senders, staying within the 10-lookup limit, and using ~all during testing before enforcing -all. Regularly audit your record, monitor alignment through DMARC, and ensure all legitimate senders are properly included.

MxToolbox's recommended steps to create and maintain your SPF record are discussed below. Be sure to use our free SPF Record Generator tool to help your create an optimal record for your business.

Record Structure and Content

  • Keep records simple: Avoid overcrowding your SPF record—use the fewest include statements necessary to prevent errors and reduce lookup consumption.

  • Specify only trusted senders: Limit entries to services and IPs you actively use. Remove outdated vendors through regular reviews.

  • Prefer direct IP entries: Use ip4/ip6 mechanisms instead of hostnames when possible to minimize DNS lookups.

  • Use ~all or -all: Begin with ~all (softfail) during testing; move to -all (fail) once stable. Never use +all because it authorizes any IP to send email on your behalf.

  • Avoid a and mx mechanisms: These often provide no real value and frequently increase unnecessary lookups.

  • Segment with subdomains: Assign different vendors or mail streams to dedicated subdomains so each can use its own SPF record and 10-lookup budget.

Maintenance and Monitoring

  • Stay within 10 DNS lookups: Remember that each include, a, or mx mechanism counts toward the dreaded SPF limit. If that's unavoidable, try MxToolbox's SPF Flattening feature.

  • Audit regularly: Remove unused mechanisms, validate formatting, and ensure the record reflects current sending sources.

  • Monitor via DMARC: Use DMARC reports to track SPF pass/fail rates and identify unauthorized or misconfigured senders.

  • Test before deploying: Validate syntax and lookup count using our free SPF Record Generator tool prior to publishing changes on domains.

  • Check setup: After creating your record, try our free SPF Record Check tool to ensure proper setup.

Use SPF with Other Email Authentication Tools

  • Combine with DKIM and DMARC: SPF is most effective when paired with DKIM and enforced through DMARC for a complete email authentication strategy.

burritos@banana-pancakes.com braunstrowman@banana-pancakes.com finnbalor@banana-pancakes.com ricflair@banana-pancakes.com randysavage@banana-pancakes.com