SPF Record Builder

Sender Policy Framework (SPF) is an email authentication standard (RFC 7208) that allows domain owners to specify which mail servers are authorised to send email on behalf of their domain. It works by publishing a DNS TXT record that lists the IP addresses and hostnames permitted to send mail for that domain.

When a receiving mail server gets a message claiming to be from hello@netoz.au, it checks the DNS for netoz.au's SPF record. If the sending server's IP address (such as 138.252.126.33) matches one of the authorised sources listed in the record, the message passes SPF authentication. If it doesn't match, the receiving server can reject or flag the message as suspicious.

SPF is one of the three pillars of modern email authentication, alongside DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance). Together, they provide a robust framework for verifying that emails genuinely come from who they claim to be from.

Email spoofing is a technique where an attacker sends emails with a forged “From” address, making it appear as though the message came from a trusted domain. Without SPF, any mail server in the world can claim to be sending on behalf of your domain — and receiving servers have no way to verify the claim.

SPF stops this by giving domain owners a way to publish an explicit list of authorised senders. Here's how the verification process works:

1. An email arrives at the receiving server claiming to be from @netoz.au
2. The receiving server extracts the domain from the envelope sender (Return-Path header)
3. It performs a DNS TXT lookup for netoz.au and finds the SPF record
4. It checks whether the connecting server's IP address is listed in the SPF record
5. Based on the result (pass, fail, softfail, or neutral), the receiving server decides whether to accept, reject, or flag the message

For businesses like those hosted with NetOz, SPF is essential for protecting your brand. Without it, attackers could send phishing emails that appear to come from your domain, potentially tricking your customers, suppliers, or staff into revealing sensitive information. A properly configured SPF record makes these attacks significantly harder to pull off.

SPF also directly impacts email deliverability. Major providers like Gmail, Outlook, and Yahoo increasingly require SPF (along with DKIM and DMARC) for incoming mail. Without a valid SPF record, your legitimate emails are more likely to land in spam folders or be rejected outright.

An SPF record is a DNS TXT record that starts with v=spf1 followed by a series of mechanisms and modifiers. Each mechanism specifies an authorised sending source, and the record ends with a policy for handling unauthorised senders.

Key Mechanisms

• ip4: / ip6: — Authorise a specific IP address or CIDR range (e.g. ip4:138.252.126.33)
• include: — Include another domain's SPF record (e.g. include:_spf.google.com)
• a — Authorise the IP addresses in the domain's A/AAAA records
• mx — Authorise the IP addresses of the domain's MX (mail exchange) servers

Qualifiers

• + (Pass) — Allow the sender (default if no qualifier is specified)
• - (Fail) — Reject the sender — used in -all for a strict policy
• ~ (SoftFail) — Accept but mark as suspicious — used in ~all for a softer policy
• ? (Neutral) — No policy — treated as if no SPF record exists

The 10 DNS Lookup Limit

SPF records are limited to 10 DNS lookups. Mechanisms like include:, a, mx, and exists each count as one lookup. Nested includes count too — if Google Workspace's _spf.google.com includes three more domains, that's four lookups total. Exceeding 10 lookups causes an SPF “permerror”, which many receivers treat as a failure. Use ip4: and ip6: where possible, as these do not count towards the limit. This builder tracks your lookup count in real time.