Rate this page:

SPF Records Explained

Sender Policy Framework (SPF) is an open standard aimed at preventing sender address forgery. This article describes how SPF is configured for use with SendGrid.

SPF overview

SPF attempts to prevent email sending abuse by ensuring that the IP address from which a message was sent is authorized to send mail on behalf of the domain in the email’s Envelope From or return-path.

For more information about From addresses and email, see our article on email spoofing.

SPF is implemented by adding a TXT record to a domain’s DNS records. The TXT record specifies which IP addresses are allowed to send email for the domain.

SPF mail flow

To understand SPF, it may help to understand how email traffic is handled when SPF is added to the process. Imagine an email server receives a message and checks the message's return-path. The return-path is sender@example.com. To perform an SPF check, the following steps take place:

  1. The receiving email server retrieves the SPF record from the DNS records for the example.com domain.
  2. The receiving server then checks the SPF record for all the IP addresses that are approved to send email on behalf of the domain.
  3. If the SPF check passes, the receiving server can be confident the message was sent from an approved sending server and will continue processing the message.
  4. If the SPF check fails, the message is likely illegitimate and will be processed using the receiving server’s failure process.

A diagram of the SPF traffic flow described in the steps above this image

SPF and sender authentication

SendGrid's automated security

When you complete Domain Authentication, automated security is enabled by default. Automated security handles your SPF and DKIM records for you. Twilio SendGrid provides CNAME records that you need to add to your DNS records. This allows you to add dedicated IP addresses and make other account updates without having to manage your SPF records manually.

To disable this behavior, uncheck Use automated security when completing the domain authentication process. With automated security disabled, Twilio SendGrid provides you with TXT records like those discussed in this documentation rather than CNAME records.

Domain Authentication Automated Security

For more information on official SPF best practices and syntax, you can find the SPF specification at www.openspf.org.

Additional Resources

Rate this page:

Need some help?

We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd browsing the SendGrid tag on Stack Overflow.


        Thank you for your feedback!

        We are always striving to improve our documentation quality, and your feedback is valuable to us. How could this documentation serve you better?

        Sending your feedback...
        🎉 Thank you for your feedback!
        Something went wrong. Please try again.

        Thanks for your feedback!

        Refer us and get $10 in 3 simple steps!

        Step 1

        Get link

        Get a free personal referral link here

        Step 2

        Give $10

        Your user signs up and upgrade using link

        Step 3

        Get $10

        1,250 free SMSes
        OR 1,000 free voice mins
        OR 12,000 chats
        OR more