SPF: Sender Policy Framework

Email and Webmail | Updated March 2026

SPF (Sender Policy Framework) is a DNS record that tells receiving mail servers which servers are authorized to send email for your domain. Without SPF, anyone can send email pretending to be from your domain, and receiving servers have no way to verify the claim. Setting up SPF correctly improves your email deliverability and protects your domain from spoofing.

In This Guide
  1. What Is SPF?
  2. How SPF Works
  3. SPF Record Syntax
  4. Setting Up SPF in cPanel
  5. Common SPF Records
  6. Verifying Your SPF Record
  7. Troubleshooting SPF Failures
Most Common Fix

Ultra Web Hosting Default SPF Record

If you host your email with Ultra Web Hosting and use our mail servers, this is the SPF record you need:

v=spf1 +a +mx +ip4:YOUR_SERVER_IP include:_spf.ultrawebhosting.com ~all

You can find and set this automatically in cPanel → EmailEmail Deliverability. Click “Manage” next to your domain and cPanel will suggest the correct SPF record.

01. What Is SPF?

Sender Policy Framework (SPF) is an email authentication standard defined in RFC 7208. It works by publishing a DNS TXT record that lists every IP address and mail server authorized to send email on behalf of your domain.

When someone receives an email claiming to be from you@yourdomain.com, their mail server looks up the SPF record for yourdomain.com. If the sending server’s IP address matches one of the authorized sources in the SPF record, the email passes SPF. If not, the receiving server knows the email may be forged.

SPF is one of three email authentication standards (alongside DKIM and DMARC) that work together to protect your domain and improve deliverability. As of 2024, Google and Yahoo require SPF for all senders — emails without SPF are more likely to be rejected or sent to spam.

02. How SPF Works

  1. You publish an SPF record as a DNS TXT record for your domain. This record lists the IP addresses and servers allowed to send email for your domain.
  2. You send an email. Your mail server connects to the recipient’s mail server and sends the message.
  3. The recipient’s server checks SPF. It looks at the envelope sender (the MAIL FROM address in the SMTP transaction, also called the Return-Path) and queries the DNS for an SPF record on that domain.
  4. The server compares the sending IP against the list of authorized sources in the SPF record.
  5. The result is passed or failed. Based on the result, the receiving server may accept, flag, or reject the email.
Important: SPF checks the envelope sender (Return-Path / MAIL FROM), not the “From” address that users see in their email client. This is why SPF alone cannot fully prevent spoofing of the visible “From” address — you need DMARC for that.

03. SPF Record Syntax

An SPF record is a single DNS TXT record that starts with v=spf1 and contains one or more mechanisms. Here is what each part means:

v=spf1 — required. Identifies this as an SPF record (version 1).

Mechanisms (the sources you authorize):

  • a — authorize the IP address(es) in the domain’s A record
  • mx — authorize the IP address(es) of the domain’s MX (mail exchange) servers
  • ip4:203.0.113.5 — authorize a specific IPv4 address
  • ip4:203.0.113.0/24 — authorize an entire IPv4 range (CIDR notation)
  • ip6:2001:db8::1 — authorize a specific IPv6 address
  • include:_spf.google.com — include another domain’s SPF record (used for third-party services like Google Workspace, Microsoft 365, Mailchimp, etc.)

Qualifiers (what to do with matches):

  • + (pass) — allow the source (default if no qualifier is specified)
  • - (hard fail) — reject email from unauthorized sources
  • ~ (soft fail) — accept but mark email from unauthorized sources (recommended while setting up)
  • ? (neutral) — no opinion, treat as if no SPF exists for this source

all — the catch-all mechanism at the end. It defines what happens to any source not explicitly listed. Common endings:

  • ~all — soft fail for unlisted sources (recommended for most setups)
  • -all — hard fail for unlisted sources (strictest, use once you are confident your record is complete)

Example record:

v=spf1 +a +mx ip4:203.0.113.5 include:_spf.google.com ~all

This record authorizes the domain’s A record IP, its MX servers, the IP 203.0.113.5, and Google Workspace’s mail servers. Everything else gets a soft fail.

10-lookup limit: SPF records are limited to 10 DNS lookups. Each include, a, mx, and redirect mechanism counts as a lookup. If your record exceeds 10 lookups, SPF will return a permanent error (PermError) and fail for all messages. Use our SPF Lookup Tool to check your lookup count.

04. Setting Up SPF in cPanel

  1. Log in to cPanel and go to EmailEmail Deliverability.
  2. Click “Manage” next to the domain you want to configure.
  3. cPanel will show you the current SPF record and suggest a corrected version if issues are detected.
  4. Click “Install the Suggested Record” to apply the recommended SPF record, or click “Customize” to edit manually.
  5. If you need to add a third-party service (Google Workspace, Mailchimp, SendGrid, etc.), add their include: to the record.

Alternatively, you can edit the SPF record directly in cPanel → DomainsZone Editor. Find the existing TXT record for your domain that starts with v=spf1 and edit it, or add a new TXT record if none exists.

One SPF record per domain. You must have exactly one SPF TXT record per domain. If you have multiple SPF records, both will fail. Combine all authorized sources into a single record.

05. Common SPF Records

Ultra Web Hosting only (email hosted with us):

v=spf1 +a +mx ~all

Ultra Web Hosting + Google Workspace:

v=spf1 +a +mx include:_spf.google.com ~all

Ultra Web Hosting + Microsoft 365:

v=spf1 +a +mx include:spf.protection.outlook.com ~all

Ultra Web Hosting + Mailchimp:

v=spf1 +a +mx include:servers.mcsv.net ~all

Ultra Web Hosting + SendGrid:

v=spf1 +a +mx include:sendgrid.net ~all

Multiple services combined:

v=spf1 +a +mx include:_spf.google.com include:servers.mcsv.net ~all
Need to build an SPF record? Use our SPF Record Generator to create a correctly formatted record for your domain with any combination of services.

06. Verifying Your SPF Record

After setting up your SPF record, verify that it is correctly published and formatted:

Ultra Web Hosting SPF Lookup Tool: Enter your domain at tools.ultrawebhosting.com/spf-lookup to see your published SPF record, check the DNS lookup count, and identify any syntax errors.

cPanel Email Deliverability: In cPanel → Email → Email Deliverability, click “Manage” next to your domain. cPanel will flag any SPF issues with a warning icon.

Send a test email: Send an email to a Gmail or Outlook account and check the email headers. Look for spf=pass in the Authentication-Results header. In Gmail, click the three dots on a message → “Show original” to view headers.

Command line: Use dig or nslookup to query the TXT record directly:

dig TXT yourdomain.com +short

07. Troubleshooting SPF Failures

  1. SPF soft fail (~all) in headers. The sending IP is not listed in your SPF record. Add the missing IP or include: for the service that sent the email. Use the SPF Lookup Tool to review your record.
  2. SPF hard fail (-all). Same as above, but stricter. If you switched to -all before adding all legitimate sending sources, emails from those sources will be rejected. Switch back to ~all while troubleshooting.
  3. PermError: too many DNS lookups. Your SPF record exceeds the 10-lookup limit. Reduce include: mechanisms by replacing them with direct ip4: entries where possible, or use an SPF flattening service.
  4. Multiple SPF records found. You have more than one TXT record starting with v=spf1. Delete the duplicate and combine all sources into a single record.
  5. Email forwarding breaks SPF. When email is forwarded, the sending IP changes to the forwarding server, which is not in your SPF record. This is a known SPF limitation — DKIM and DMARC help cover this gap because DKIM signatures survive forwarding.
  6. Third-party service emails going to spam. If you use a service like Mailchimp, SendGrid, or a CRM to send email from your domain, you must add their include: to your SPF record. Check the service’s documentation for the correct value.

SPF Tools

Use our free tools to look up, verify, and generate SPF records for your domain:

SPF Lookup Tool SPF Record Generator

Quick Recap: SPF Setup

  1. Check your current record with the SPF Lookup Tool
  2. Set up SPF in cPanel → Email → Email Deliverability → Manage
  3. Add include: entries for any third-party services that send email from your domain
  4. Keep it under 10 DNS lookups — check with the lookup tool
  5. One SPF record per domain — combine everything into a single TXT record

Last updated March 2026 · Browse Email articles · See also: SPF Lookup · SPF Generator

  • 0 Users Found This Useful

Was this answer helpful?

Related Articles

What is the path to sendmail?

Email & Webmail | Updated 2026 The path to sendmail on Ultra Web Hosting servers is...

How to Set Up Google Workspace Email With Your Domain

Email & Webmail | Updated March 2026 Google Workspace (formerly G Suite) lets you use...

Emails Bouncing Back

Email & Webmail | Updated March 2026 When an email bounces, you receive a delivery...

Email Troubleshooting Guide

Email & Webmail | Updated March 2026 Email problems are the most common support...

Unable to log into Webmail

Email & Webmail | Updated 2026 If you cannot log into webmail at...



Save 30% on web hosting - Use coupon code Hosting30