Blog article

How to build an SPF record overview:
v=spf1-all record, or attackers can use them to send phishing emails.Suppose your SPF record validates cleanly in every testing tool you run, yet a subset of your legitimate transactional emails are still failing authentication. The record syntax is correct. The TXT record was published without error. And still, authentication fails for a specific sending service – one that was added to the environment six months after the record was originally built.
This is not a syntax problem. It is an architectural one. Building an SPF record that holds up at enterprise scale means accounting for how your business actually sends email: From which services and domains, and on behalf of which teams.
For a single-domain, three-sender environment, most SPF guides are adequate. For a large enterprise, they’re a starting point at best. The problems that compound at scale – lookup-limit violations, undocumented sender accumulation, and subdomain gaps – are rarely covered in depth. This guide addresses all of them.
Before you start: If you want to see where your current SPF posture stands, check your SPF policy to review exactly what receiving servers evaluate when your email arrives.
Most SPF guides on how to build an SPF record stop at record structure. They explain include mechanisms, the difference between ~all and -all , and how to add a sending IP. For a complex enterprise environment, that knowledge is necessary but not sufficient.
Enterprise environments typically route email through a mix of platforms: A core server, a marketing automation tool, a transactional notification service, an HR platform, a payroll system, and occasionally a third-party partner sending on the company’s behalf. Each of these may require its own include reference in the SPF record.
A record configured for two senders quickly becomes outdated as sender inventory grows.
The immediate risk is deliverability: Unauthenticated emails that fail SPF land in Spam folders or get rejected outright. The downstream risk is more significant. SPF failures directly undermine your ability to move to DMARC enforcement.
When you build an SPF record, you must first complete a sender inventory. The sequence matters. If you start with the record, you will anchor the build around what you know and miss what you don’t.
A sender inventory should document four things for every domain in your portfolio: The services sending email, their required IP ranges or include references, the teams that own each sender relationship, and the last review date for active use.
No sender inventory means no reliable foundation to build an SPF record.
Enterprise environments accumulate senders. A CRM platform from a previous vendor may still have an include reference in your record long after the contract ended. That entry is consuming one of your 10 DNS lookup slots and contributing no authentication value. A thorough inventory eliminates that waste before you publish anything.
Understanding lookup limits is essential before you build an SPF record.
SPF imposes a hard limit of 10 DNS lookups during record evaluation. Each include, a, mx, and exists mechanism counts toward that limit. When a record exceeds 10 lookups, the evaluation returns a PermError result, which receiving servers treat as an SPF failure.
The problem compounds at scale. Large organizations often inherit additional include mechanisms from third-party senders. A single include reference pointing to a major email service provider can trigger two or three additional DNS lookups. By the time all the mechanisms resolve, a record that looks small on the surface may be consuming eight or nine lookups.
SPF flattening is the standard mitigation. Flattening resolves the IP addresses behind your include references and replaces them with static ip4 and ip6 entries. The trade-off is maintenance: When your sending services rotate IP ranges, your flattened record becomes stale.
The operational answer to that trade-off is automation. Manual flattening creates a point-in-time record that drifts. Automated flattening monitors changes in upstream IP ranges and updates the record accordingly. For enterprises managing multiple domains, manual maintenance of flattened records across the portfolio isn’t a realistic ongoing process.
Enterprises rarely send from a single domain. A typical portfolio includes a primary corporate domain, regional or country-specific domains, product line domains, and subdomains used for specific functions – notifications, billing, marketing. Each of these requires its own SPF record if it’s used to send email.
Non-sending subdomains require explicit records. A subdomain without an SPF record isn’t neutral – it’s exploitable. Attackers can use unprotected subdomains to send phishing emails that pass basic domain checks. The correct posture for non-sending subdomains is an explicit v=spf1-all record.
For subdomains that do send, the SPF record should reflect only the senders relevant to that subdomain’s function. Subdomains often have a narrower sending scope, and a more specific record limits the attack surface and reduces lookup count.
How you build an SPF record determines how far you can advance your DMARC policy.
For DMARC to pass, either SPF or DKIM must align with the “From” domain. SPF alignment requires that the envelope sender domain – the Return-Path – matches the “From” domain. This means a sending service that uses its own Return-Path domain (which is common) won’t provide SPF alignment.
DMARC will only pass for those messages if DKIM alignment is present. When building your SPF record, map out which senders provide SPF alignment and which rely on DKIM. That mapping directly informs your path to enforcement.
Governance defines who has authority to build an SPF record, modify it, and approve changes.
For many businesses, SPF record ownership is ambiguous. IT built the original record. Marketing added senders without documentation. A third-party vendor requested an include reference through a support ticket that no one reviewed against the existing record structure. The result is a record that reflects years of undocumented additions and no clear accountability.
Audit and compliance teams are increasingly interested in email authentication as a control. Questions about who can modify DNS records, what the review and approval process looks like, and how changes are tested before deployment are reasonable governance questions – and most enterprises can’t answer them.
Clear ownership means designating one team as responsible for SPF policy across each domain in the portfolio. Changes should follow a defined process: Request, review against the current lookup count and sender inventory, test in a staging environment where possible, and deploy with a documented rollback plan.
For enterprises with change advisory boards, SPF record modifications should be treated as a DNS change – requiring standard approval.
Documentation is the audit trail. Every include reference in the record should map to a named service, an owner, and a date of last review.
Managing SPF across a multi-domain enterprise portfolio is an ongoing operational burden: Tracking sender additions, monitoring lookup counts, maintaining flattened records as sending services update their infrastructure, and keeping an audit trail that compliance teams can rely on.
Sendmarc automates SPF flattening so that IP changes in upstream sending services don’t introduce authentication failures. The platform provides visibility across your full domain portfolio, so gaps and unauthorized senders surface before they become delivery or security incidents. Change tracking within the platform supports the governance documentation that audit and risk teams require.
Sendmarc gives you the tooling and visibility to build an SPF record that holds up as your environment evolves.