← Back to blog

SPF Records Explained: A Practical Guide for Outreach Teams

Learn what SPF does, how to read v=spf1 records, and common mistakes that break cold email deliverability.

By FeedPipeline Team

  • SPF
  • DNS
  • Deliverability

Sender Policy Framework (SPF) tells receiving mail servers which hosts are allowed to send email for your domain. Without it—or with a misconfigured record—your campaigns are more likely to fail authentication and land in spam.

What an SPF record looks like

SPF is published as a TXT record on your root domain:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all
  • v=spf1 — required version tag
  • include: — delegates to another domain’s SPF (counts as DNS lookups)
  • -all — fail all other senders (recommended for production)

Common mistakes

Too many DNS lookups

SPF allows a maximum of 10 DNS lookups (include, a, mx, redirect, etc.). Exceeding this causes a PermError and SPF fails.

Using +all

+all means “any server on the internet may send as you.” It effectively disables SPF protection.

Forgetting new sending tools

Every ESP, warm-up tool, or CRM that sends on your behalf needs to be in SPF—usually via an include: mechanism.

How to verify SPF

Use FeedPipeline’s free checker to pull live TXT records via public DNS and flag weak policies or lookup issues before you scale sending.

Quick checklist

  1. One SPF TXT record on the apex domain (not multiple conflicting records)
  2. All sending providers included
  3. End with -all or ~all (softfail) during testing only
  4. Stay under 10 DNS lookups

SPF is only one piece of authentication—pair it with DKIM and DMARC for a complete setup.

Check your domain for free

Run SPF, DKIM, DMARC, MX, and blocklist checks in seconds.

Open domain checker