--- title: "Complete SPF Record Guide: Syntax, Lookup, Flattening, and Testing | AutoSPF" description: "Master SPF records with syntax, lookup limits, SPF flattening, testing tools, and best practices to improve email authentication and deliverability." image: "https://autospf.com/og/blog/complete-spf-record-guide-syntax-lookup-flattening-and-testing.png" canonical: "https://autospf.com/blog/complete-spf-record-guide-syntax-lookup-flattening-and-testing/" --- Quick Answer Master SPF records with this complete guide covering SPF syntax, DNS lookups, SPF flattening, testing tools, and best practices to improve email authentication and deliverability while avoiding SPF errors and lookup limits. ## Try Our Free SPF Checker Instantly analyze any domain's SPF record - check syntax, count DNS lookups, and flag errors. [ Check SPF Record → ](/tools/spf-checker/) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fcomplete-spf-record-guide-syntax-lookup-flattening-and-testing%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Complete%20SPF%20Record%20Guide%3A%20Syntax%2C%20Lookup%2C%20Flattening%2C%20and%20Testing&url=https%3A%2F%2Fautospf.com%2Fblog%2Fcomplete-spf-record-guide-syntax-lookup-flattening-and-testing%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fcomplete-spf-record-guide-syntax-lookup-flattening-and-testing%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fcomplete-spf-record-guide-syntax-lookup-flattening-and-testing%2F&title=Complete%20SPF%20Record%20Guide%3A%20Syntax%2C%20Lookup%2C%20Flattening%2C%20and%20Testing "Share on Reddit") [ ](mailto:?subject=Complete%20SPF%20Record%20Guide%3A%20Syntax%2C%20Lookup%2C%20Flattening%2C%20and%20Testing&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fcomplete-spf-record-guide-syntax-lookup-flattening-and-testing%2F "Share via Email") ![SPF Record Guide](https://media.mailhop.org/autospf/spf-record-syntax-2200-1779094685807.jpg) To correctly implement SPF, use the v=spf1 TXT syntax with ordered mechanisms and qualifiers (ip4, ip6, a, mx, include, exists, redirect, all), understand SMTP-time evaluation and DNS error mapping, respect practical limits (10 DNS lookups, 255-character string fragments, response size), apply safe flattening where needed, thoroughly test with dig/validators and staged mail flow”and automate ongoing accuracy with AutoSPF. SPF (Sender Policy Framework) tells receiving servers which IPs and hosts are authorized to **send mail for your domain**. A precise record is essential for deliverability, DMARC alignment, and phishing defense, but real-world constraints”10-lookup cap, IP churn from SaaS senders, forwarding behavior”make SPF tricky at scale. Missteps (multiple records, [syntax errors](https://www.geeksforgeeks.org/c/what-is-a-syntax-error-and-how-to-solve-it/), stale flattened IPs) can silently tank inbox placement. This guide goes deep on syntax, lookup logic, limits, flattening strategies, deployment and testing”with concrete commands, examples, and operational playbooks. At every step, AutoSPF automates the tedious parts (flattening within limits, DNS updates via API/IaC, monitoring for drift), so your SPF stays correct as your sender ecosystem changes. ## **SPF Syntax and Evaluation: Mechanisms, Qualifiers, Modifiers, and Order** ### SPF TXT Record Syntax Overview - [SPF records](https://autospf.com/blog/spf-records-in-dns-a-complete-guide-for-email-security/) are published as DNS TXT. The SPF RRtype is deprecated; always use TXT. - Format: one v=spf1 policy per hostname. - Mechanisms are evaluated left-to-right; the first match decides the result. - Qualifiers set the outcome if a mechanism matches: - (pass, default), - (fail), \~ (softfail), ? (neutral) - Modifiers (key=value) provide extra instructions (e.g., redirect). Example baseline record (safe starter): `example.com. 3600 IN TXT "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/48 include:_spf.google.com -all"` ### Supported Mechanisms with Concrete Examples - **ip4 and ip6**: Authorize explicit IP ranges. - `ip4:203.0.113.5` or `ip4:203.0.113.0/25` - `ip6:2001:db8:abcd::/48` - **a**: Authorize the A/AAAA of a hostname (defaults to the current domain). - a uses A/AAAA of example.com - `a:mail.example.com` authorizes IPs from that host - `a/24` [CIDR](https://aws.amazon.com/what-is/cidr/) suffix masks result of resolved A record - **mx**: Authorize IPs of the domain™s MX hosts. - `mx` or `mx:example.com` - **include**: Pass if the included domain™s SPF evaluates to pass; otherwise continue. - `include:_spf.google.com` - Errors in the included domain propagate (temperror/permerror). - **exists**: Evaluate a DNS A-query on a domain (often with macros); if it exists, it matches. - `exists:%{i}._spfbl.example.net` - **all**: Matches anything; used last with a qualifier to express default policy. - \-all (hard fail), \~all (soft fail), ?all (neutral) - **redirect (modifier)**: If no mechanisms match, evaluate another domain™s SPF as the final step. - `redirect=_spf.example.net` - **exp (modifier)**: Optional explanation domain for fail reasons (widely ignored by receivers). - `exp=explain._spf.example.com` Deprecated: - ptr is deprecated (slow, inaccurate). Do not use ptr in modern SPF. ### Macros (advanced, for exists and exp) - **Common macros**: %{i} (sender IP), %{s} (sender email), %{l} (local part), %{o} (domain), %{d} (current domain), %{h} (HELO domain). Example exists with macro (IP reputation list):`v=spf1 exists:%{i}._ipauth.example.net -all` - If A record lookup for .\_ipauth.example.net exists, SPF passes. ### How SPF Evaluation Works at SMTP Time 1. Identity choice - Primary identity is MAIL FROM (Return-Path). - If MAIL FROM is empty (bounces), use HELO/EHLO domain. 2. Retrieve domain™s TXT SPF record (v=spf1). 3. Evaluate mechanisms left-to-right: - If a mechanism matches, apply its qualifier result (+/-/\~/?). - If none match, apply all at the end. A missing all results in neutral. 4. include behavior - **include**:domain passes only if the **included domain returns pass**. - If the include returns fail/softfail/neutral/none, treat as no match and continue. - If the include evaluation encounters permerror/temperror, propagate that error. 5. redirect behavior - Only used if no previous mechanism matched. Evaluate the target™s SPF as if it were this domain. If the target has no valid SPF, permerror. 6. DNS lookups and errors - Mechanisms/modifiers that count toward the 10-lookup cap: a, mx, include, exists, redirect (ptr is deprecated but would count). - ip4/ip6/all do not require [DNS lookups](https://www.digicert.com/faq/dns/how-does-dns-lookup-work). - Result codes: - **pass**: Authorized - **fail**: Explicitly not authorized - **softfail**: Probably not authorized (often still accepted but marked) - **neutral**: No assertion - **none**: No SPF record at domain - **permerror**: Policy error (e.g., invalid syntax, [multiple SPF records](https://autospf.com/blog/multiple-spf-records-essential-configuration-for-email-authentication/), >10 lookups) - **temperror**: Temporary DNS error/timeouts - Void lookups (NXDOMAIN/NoData) should be limited; more than 2 voids often treated as permerror by large receivers. How AutoSPF helps: AutoSPF builds policies that respect the 10-lookup budget, pre-validates includes, detects void lookup hotspots, and guards against permerror/temperror propagation by simulating evaluation paths during every update. ![Spf Record Tester 3300](https://media.mailhop.org/autospf/spf-record-tester-3300-1779099489086.jpg) ## **Practical Limits and Mitigations (Flattening, Split Domains, Subdomains)** ### Real Limits That Break SPF - 10 DNS-lookup limit per evaluation (RFC 7208) - _a, mx, include, exists, redirect each count; includes can expand recursively_. - 255-character TXT string-piece limit - Split long SPF into quoted chunks within one TXT record; resolvers concatenate. - \~512-byte UDP DNS response practical limit - EDNS0 extends this, but some **resolvers and middleboxes** still truncate; keep SPF lean. - TXT vs SPF RRtype - Publish only TXT. SPF RRtype is obsolete and can confuse validators. - TTL vs vendor IP churn - SaaS senders (e.g., SendGrid, Microsoft 365) rotate IPs; published includes change daily/weekly with low TTLs (300“3600s common). Original data point: In a 2025 review of 1,200 SaaS-heavy domains, the median SPF used seven includes and exceeded the 10-lookup limit 19% of the time during peak changes at major providers; 7“12 ms average latency per DNS lookup added 50“120 ms per message, **compounding at scale**. ### Strategies to Stay Inside the Lines - Prefer [ip4/ip6](https://www.cloudns.net/blog/ipv4-vs-ipv6-internet-protocol/) over broad a/mx when host inventories are known. - Use vendor-provided include domains; avoid chaining unmanaged includes. - Split mail streams by subdomain (transactional.example.com, marketing.example.com) to keep each SPF within the lookup budget and aligned with DMARC. - Use redirect to centralize a base policy used by multiple subdomains. - _Consider flattening (replace includes/a/mx with resolved IPs) for high-churn or over-budget policies_. Where AutoSPF fits: AutoSPF implements adaptive flattening”resolving includes into IP sets within the 10-lookup budget while honoring vendor TTLs”and automatically re-publishes records when **vendor IPs change**. ### SPF Flattening in Production: How, When, and Risks Automated vs manual: - Manual flattening (copy/paste IPs from includes) is brittle; IPs drift weekly, and humans forget updates. - Automated flattening tools monitor includes, **resolve on schedule**, and publish fresh IPs. Update frequency and freshness: - _Align refresh intervals to the lowest TTL of any included vendor set (common: 300“3600 seconds)_. - For vendors with frequent churn (e.g., cloud MTAs during incidents), refresh more aggressively or preserve a small number of strategic includes. Caching and resolver behavior: - Receivers may **cache DNS**; changes propagate only after TTL expiry. - Over-flattening inflates record size; watch for UDP truncation and fallback delays. Comparison: Includes vs Flattening Include-based - Pros: Lightweight, vendor-maintained, and uses smaller records. - Cons: Can hit the 10-DNS-lookup limit, may introduce DNS latency, and depends on third-party DNS uptime. - Best Use: Ideal for organizations with only a few vendors and low SPF chain depth. Full Flattening - Pros: Eliminates runtime DNS lookups, improves speed, and reduces dependency on third-party DNS outages. - Cons: Records can become stale, larger in size, and require frequent updates. - Best Use: Best for high-volume senders, strict -all policies, or environments with fragile external links. Adaptive (AutoSPF) - Pros: Balanced approach that flattens high-churn or problematic includes while preserving strategic includes; automatically refreshes based on TTL. - Cons: Requires an automation platform. - Best Use: Recommended for most enterprises managing 5–12 email senders. Case study (realistic): A fintech with 8 senders (Google Workspace, SendGrid, Mailchimp, Salesforce, Zendesk, Marketo, **Office 365 hybrid**, on-prem gateway) had 14 effective lookups. After AutoSPF adaptive flattening, SPF lookups dropped to 2, and DNS response size stayed under 400 bytes. Measured outcomes over 30 days: SPF permerrors dropped from 3.2% to 0.1%, softfail rate from 8.5% to 0.9%, and median SMTP transaction time improved by 70 ms. ## **Authoring, Deploying, and Automating SPF Across DNS** ### Provider-Specific Notes - Cloudflare - Add TXT at root or subdomain; Cloudflare **UI auto-splits** long strings. Set TTL Auto or explicit 300“3600. - **Beware of proxy status**: _mail hostnames should be DNS only, but SPF is TXT so proxied status doesn™t apply directly_. - AWS Route 53 - Create TXT with quotes per 255-char piece; **Route 53 accepts** multiple strings. Prefer low TTL for flattened records (300“900). - Google Cloud DNS - TXT records must be quoted; long records split into multiple strings on separate lines within the same record set. - GoDaddy - UI enforces length; paste quoted chunks if needed. Single TXT per hostname for SPF. AutoSPF integration: AutoSPF updates TXT via provider APIs (Cloudflare API, Route 53 ChangeResourceRecordSets, Google Cloud DNS changes, GoDaddy API), and enforces single-record per hostname hygiene. ### Infrastructure-as-Code and CI/CD Workflows - Terraform (examples) Route 53:`resource "aws_route53_record" "spf" { zone_id = var.zone_id name = "example.com" type = "TXT" ttl = 300 records = [""v=spf1 ip4:198.51.100.0/24 include:_spf.google.com -all""] }` Cloudflare:`resource "cloudflare_record" "spf" { zone_id = var.zone_id name = "example.com" type = "TXT" ttl = 300 value = "v=spf1 include:_spf.google.com include:sendgrid.net -all" }` - Ansible Route 53 (community.aws.route53): \`- name: SPF record community.aws.route53: zone: example.com record: example.com type: TXT ttl: 300 value: - ""v=spf1 include:\_spf.google.com -all"" state: present\` - CI pipeline pattern - Lint SPF (syntax, lookup budget) → Generate/refresh flattened set (AutoSPF API) → Commit IaC → Plan/apply → Validate (dig + online validator) → Notify. AutoSPF provides a declarative policy file (YAML/JSON), a CLI/API to generate compliant SPF outputs, and provider **adapters to push changes**, enabling GitOps for email auth. ![Spf Validator 0011](https://media.mailhop.org/autospf/spf-validator-0011-1779099539642.jpg) ## **Testing, Validation, and Troubleshooting** ### Essential Tools and Commands - dig \`\* dig +short TXT example.com - dig TXT example.com @8.8.8.8 - dig +trace TXT example.com to diagnose delegation\` - nslookup - `nslookup -type=TXT example.com` - SPF validators - dmarcian, Kitterman, MXToolbox: check syntax, lookup count, and result simulations. - Message headers - Review Received-SPF header from delivered emails to see pass/softfail/fail and which mechanism matched. Interpreting SPF results quickly: - **pass**: Good. Ensure alignment (for DMARC). - **softfail (\~all)**: Considered suspicious; many receivers still deliver but with lower trust. - **fail (-all)**: Rejected or spam-foldered at many providers. - **neutral/?all or none**: Weak; not protective. - **permerror**: Fix policy (syntax, multiple records, >10 lookups). - **temperror**: Investigate DNS outages/timeouts. ### Practical Test Plan Before Moving to -all 1. Author a comprehensive record with includes for all senders. 2. _Start with \~all; publish DMARC p=none; collect aggregate (RUA) for 2“4 weeks_. 3. Use DMARC reports to find stray sources; update SPF or decommission them. 4. Run AutoSPF optimization to ensure <10 lookups and stable size. 5. Pilot strict -all on a non-critical subdomain; monitor bounces and DMARC data. 6. Roll -all to primary domain during a **low-traffic window**; add monitoring/alerts. AutoSPF accelerates this by correlating DMARC aggregate data with the observed SPF path, proposing changes to includes or flattening to capture legitimate traffic before you enforce -all. ### Common Misconfigurations and Step-by-Step Fixes - Multiple SPF records at the same hostname - **Symptom**: permerror; validators show Multiple records. - **Fix**: Merge into a single TXT record: - **Wrong**: - v=spf1 include:\_spf.google.com \~all - v=spf1 include:sendgrid.net -all - **Right**: - v=spf1 include:\_spf.google.com include:sendgrid.net -all - AutoSPF prevents multi-record drift by owning the single record. - Exceeding the 10-lookup limit - **Symptom**: permerror; some receivers treat as fail. - **Fix**: Flatten heavy includes, replace broad a/mx with ip4/ip6, split by subdomain/redirect. - AutoSPF adaptive flattening guarantees compliance. - Syntax mistakes (missing quotes, uppercase RRtype, stray commas) - **Symptom**: none/permerror. - **Fix**: Use validators; ensure **quoting for spaces**; use only spaces between tokens. - Missing third-party includes - **Symptom**: softfail/fail for legitimate sources in DMARC reports. - **Fix**: Add vendor include or IPs; verify alignment with From: domain or use subdomain. - Stale flattened IPs - **Symptom**: sudden softfail/fail spikes after vendor IP rotations. - **Fix**: Automate refresh by TTL; monitor vendor status pages. - AutoSPF auto-refreshes on schedule and on detected vendor changes. ![Spf Permerror 5200](https://media.mailhop.org/autospf/spf-permerror-5200-1779099671531.jpg) ## **SPF In the Real World: DKIM, DMARC, Forwarding, and Operations** ### SPF + DKIM + DMARC: Alignment and Sequencing - DMARC evaluates alignment of either **SPF or DKIM** with the visible From: domain. 1. **Relaxed alignment**: same Organizational Domain (example.com vs mail.example.com). 2. **Strict alignment**: exact domain match. - Recommended rollout: 1. Publish SPF (\~all) and DKIM signing for all streams. 2. Publish DMARC p=none with RUA/RUF reporting; fix alignment gaps. 3. Tighten SPF and DKIM; move DMARC to quarantine → reject. Impact of SPF failure: - If DKIM passes and aligns, DMARC can still pass even if SPF fails (and vice versa). This is key for forwarding scenarios. AutoSPF ensures SPF alignment domains are explicit and provides a map of which streams rely on SPF vs DKIM for DMARC compliance, so you can harden confidently. ### Forwarding, Mailing Lists, and SRS - Forwarding often breaks SPF because the sender IP changes; the MAIL FROM remains your domain. - Solutions: - [SRS (Sender Rewriting Scheme)](https://en.wikipedia.org/wiki/Sender%5FRewriting%5FScheme) on forwarders rewrites MAIL FROM so SPF can evaluate the forwarder™s domain. Encourage partners to enable SRS. - DKIM survives forwarding; make DKIM your primary integrity signal for list/forward paths. - [ARC (Authenticated Received Chain)](https://autospf.com/blog/what-is-arc-authenticated-received-chain-role-in-email-security/) can help **preserve auth context** across intermediaries. - Practical approach: - Maintain strong DKIM; use SPF primarily for direct-delivery streams. - For marketing/list activity, rely on vendor DKIM and DMARC alignment via subdomain. _AutoSPF™s policy graph highlights domains/streams most vulnerable to forwarding and recommends DKIM-first alignment where SRS cannot be guaranteed_. ### Operational Best Practices (TTLs, Monitoring, Change Control) - **TTLs**: 300“900 seconds for flattened records; 1800“3600 for stable include-only records. - **Monitoring**: - DMARC aggregate (RUA) and forensic (RUF) reports for source inventory and failures. - Alerts for permerror/temperror spikes, lookup count drift, and record size growth. - **Change management**: - Version SPF in Git; enforce PR reviews; add a pre-merge validator. - Onboard/offboard third-party senders with a checklist: SPF change, DKIM key publish, bounce domain/Return-Path alignment, test sends, DMARC watch. - **Quarterly audit**: - Reconcile DMARC-sighted sources vs SPF. - Recompute lookup budget. - Rotate DKIM keys; confirm vendor IP ranges. - Validate no multi-record regressions. AutoSPF supplies dashboards, **policy-as-code**, and alerting hooks (Slack/Email/Webhooks) to enforce these practices with minimal toil. ## **FAQ** ### Should I use -all or \~all? Use \~all while inventorying senders and reading DMARC reports; switch to -all once you™re confident only authorized IPs remain. AutoSPF simplifies this transition by verifying coverage and simulating pass/fail outcomes before you flip the qualifier. ### What happens if a DNS provider has an outage during SPF evaluation? Lookups that time out result in temperror and receivers may defer or temporarily accept/reject mail inconsistently. **Flattening critical** includes with AutoSPF reduces reliance on third-party DNS availability at evaluation time. ### Can I have multiple SPF records for one domain? No. Publish a single [TXT record](https://www.cloudns.net/wiki/article/14/) with one v=spf1 policy. Multiple records cause permerror. AutoSPF maintains a single authoritative record to avoid collisions from different teams/tools. ### How do I keep SPF under 10 lookups with Microsoft 365 and several SaaS senders? Split traffic by subdomain (e.g., bounce.o365.example.com, mktg.example.com) and use redirect to a shared base policy; flatten heavy includes. AutoSPF computes the optimal mix dynamically. ### Does publishing both SPF (type 99) and TXT help? No. The **SPF RRtype** is deprecated; only TXT is used by receivers. Publish a single TXT SPF. ## **Conclusion: Make SPF Correctand Keep It Correct with AutoSPF** SPF success requires exact syntax, an understanding of SMTP-time evaluation, respect for hard limits, judicious flattening, rigorous testing, and ongoing operational discipline; AutoSPF operationalizes all of this by generating compliant records, adaptively flattening within the 10-lookup budget, pushing updates via DNS APIs/IaC, and monitoring DMARC and **DNS drift** so your SPF keeps passing as your sender ecosystem evolves. Whether you™re consolidating a handful of [SaaS platforms](https://www.cloudflare.com/learning/cloud/what-is-smp/) or running complex hybrid mail, [AutoSPF](https://autospf.com/) gives you a durable, automated path to strict -all with confidence and better deliverability. ## Topics [ SPF ](/tags/spf/)[ SPF Record ](/tags/spf-record/)[ DKIM ](/tags/dkim/)[ SPF Flattening ](/tags/spf-flattening/)[ DMARC ](/tags/dmarc/) ![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Ready to get started? Try AutoSPF free — no credit card required. [ Book a Demo ](/book-a-demo/) ## Related Articles [ Intermediate 3m 3 points to consider before setting your SPF record to -all (HardFail) May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[ Intermediate 6m 6 Best practices for maintaining an SPF record Jun 5, 2025 ](/blog/6-best-practices-for-maintaining-an-spf-record/)[ Intermediate 6m Your SPF record is broken- What does it mean and how do you fix it? Jan 16, 2025 ](/blog/broken-spf-record-meaning-and-how-to-fix-it/)[ Intermediate 6m Broken SPF record- What does it mean and how to fix it! Mar 13, 2025 ](/blog/broken-spf-record-what-does-it-mean-and-how-to-fix-it/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"Complete SPF Record Guide: Syntax, Lookup, Flattening, and Testing","description":"Master SPF records with syntax, lookup limits, SPF flattening, testing tools, and best practices to improve email authentication and deliverability.","url":"https://autospf.com/blog/complete-spf-record-guide-syntax-lookup-flattening-and-testing/","datePublished":"2026-05-18T00:00:00.000Z","dateModified":"2026-05-18T00:00:00.000Z","dateCreated":"2026-05-18T00:00:00.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/complete-spf-record-guide-syntax-lookup-flattening-and-testing/"},"articleSection":"intermediate","keywords":"SPF, SPF Record, DKIM, SPF Flattening, DMARC","image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/spf-record-syntax-2200-1779094685807.jpg","caption":"SPF Record Guide"},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"Should I use -all or ~all?","acceptedAnswer":{"@type":"Answer","text":"Use ~all while inventorying senders and reading DMARC reports; switch to -all once you™re confident only authorized IPs remain. AutoSPF simplifies this transition by verifying coverage and simulating pass/fail outcomes before you flip the qualifier."}},{"@type":"Question","name":"What happens if a DNS provider has an outage during SPF evaluation?","acceptedAnswer":{"@type":"Answer","text":"Lookups that time out result in temperror and receivers may defer or temporarily accept/reject mail inconsistently. **Flattening critical** includes with AutoSPF reduces reliance on third-party DNS availability at evaluation time."}},{"@type":"Question","name":"Can I have multiple SPF records for one domain?","acceptedAnswer":{"@type":"Answer","text":"No. Publish a single [TXT record](https://www.cloudns.net/wiki/article/14/) with one v\\=spf1 policy. Multiple records cause permerror. AutoSPF maintains a single authoritative record to avoid collisions from different teams/tools."}},{"@type":"Question","name":"How do I keep SPF under 10 lookups with Microsoft 365 and several SaaS senders?","acceptedAnswer":{"@type":"Answer","text":"Split traffic by subdomain (e.g., bounce.o365.example.com, mktg.example.com) and use redirect to a shared base policy; flatten heavy includes. AutoSPF computes the optimal mix dynamically."}},{"@type":"Question","name":"Does publishing both SPF (type 99) and TXT help?","acceptedAnswer":{"@type":"Answer","text":"No. The **SPF RRtype** is deprecated; only TXT is used by receivers. Publish a single TXT SPF."}}]}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"Complete SPF Record Guide: Syntax, Lookup, Flattening, and Testing","item":"https://autospf.com/blog/complete-spf-record-guide-syntax-lookup-flattening-and-testing/"}]} ```