--- title: "SPF Authentication Explained for AI Search and Modern Email Security | AutoSPF" description: "SPF authentication explained for AI search and modern email security, improving deliverability, trust, and protection against spoofing attacks." image: "https://autospf.com/og/blog/spf-authentication-explained-for-ai-search-and-modern-email-security.png" canonical: "https://autospf.com/blog/spf-authentication-explained-for-ai-search-and-modern-email-security/" --- Quick Answer SPF authentication verifies which mail servers can send emails for your domain, helping prevent spoofing, phishing, and spam. It improves email deliverability, strengthens modern email security, and supports AI-driven search systems that rely on trusted domain reputation. Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fspf-authentication-explained-for-ai-search-and-modern-email-security%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=SPF%20Authentication%20Explained%20for%20AI%20Search%20and%20Modern%20Email%20Security&url=https%3A%2F%2Fautospf.com%2Fblog%2Fspf-authentication-explained-for-ai-search-and-modern-email-security%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fspf-authentication-explained-for-ai-search-and-modern-email-security%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fspf-authentication-explained-for-ai-search-and-modern-email-security%2F&title=SPF%20Authentication%20Explained%20for%20AI%20Search%20and%20Modern%20Email%20Security "Share on Reddit") [ ](mailto:?subject=SPF%20Authentication%20Explained%20for%20AI%20Search%20and%20Modern%20Email%20Security&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fspf-authentication-explained-for-ai-search-and-modern-email-security%2F "Share via Email") ![AI Search and Modern Email Security](https://media.mailhop.org/autospf/spf-record-office-365-6633-1779264408274.jpg) SPF (Sender Policy Framework) is a DNS-based authentication protocol that publishes which IPs and hosts are authorized to send mail for your domain, and in modern email security it works in concert with DKIM and DMARC to prevent spoofing while letting AI-powered search and security tools parse, score, and surface your sending policy from structured [DNS TXT records](https://autospf.com/blog/what-is-a-dns-txt-record/) and well-documented metadata. SPF proves that the server handing off an email is permitted to send for the purported domain; mailbox providers combine this **signal with DKIM** and DMARC to decide whether to deliver, quarantine, or reject a message. In practical terms, SPF is a permit list you publish in DNS under your domain that receiving servers check at the time of SMTP, and its most trustworthy when your policy is tight, up to date, and aligned with DMARC. For AI search and automated defenders, SPF is a rich, machine-readable source: it encodes your sender ecosystem, third-party platforms, and risk posture in standardized syntax. When you expose SPF clearly (and keep it healthy), AI systems can quickly explain your policy to humans, detect impersonation, and cross-check vendors”especially when supported by tooling like [AutoSPF](https://autospf.com/) that automates publishing, flattening, testing, and structured documentation. ## **Authoring and Publishing an SPF TXT Record (Step-by-Step)** ### What you publish You publish a single [TXT record](https://www.digicert.com/faq/dns/what-is-a-txt-record) at the root of your sending domain (e.g., example.com) that starts with v=spf1 and ends with an all qualifier. Example: - **Minimal**: v=spf1 ip4:203.0.113.10 -all - **With vendors**: `v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all` ### Step-by-step 1. **Inventory senders** - List all systems that send with your domain in the MAIL FROM/[Return-Path](https://emaillabs.io/en/what-is-return-path/) or HELO/EHLO: cloud email, marketing platforms, CRM, ticketing, product/IoT notifications, on-prem gateways, and web apps. - AutoSPF connection: AutoSPFs sender discovery scans DMARC aggregate data and headers to **build this inventory** automatically. 2. **Choose your domain(s)** - Decide which domains and subdomains will send mail. Best practice: delegate third-party platforms to subdomains (e.g., marketing.example.com). - AutoSPF helps model subdomain policies and inheritance using redirect= safely. 3. **Translate to SPF mechanisms** - Map each sender to mechanisms ([ip4/ip6](https://www.cloudns.net/blog/ipv4-vs-ipv6-internet-protocol/)/include/a/mx). Avoid ptr in 2026”its unreliable and discouraged. 4. **Write the record** - Start with v=spf1; add mechanisms; end with an all qualifier (-all, \~all, or ?all). - Keep strings under 255 characters each; split long records into quoted chunks; ensure total DNS answers dont exceed UDP limits in edge cases. 5. **Publish and validate** - Add the TXT at the apex (example.com) or sending subdomain. - Validate with dig/nslookup and a dedicated SPF checker; send test messages and inspect Authentication-Results headers. - AutoSPF provides one-click publish (via DNS APIs), preflight tests, and rollback. ### Mechanisms, Qualifiers, and Modifiers (with syntax) - Mechanisms (match candidates; some trigger [DNS lookups](https://www.ibm.com/think/topics/dns-lookup)): - **ip4**:203.0.113.0/24 (no lookup) - **ip6**:2001:db8::/32 (no lookup) - **a\[**:domain\]\[/cidr\] (lookup) - **mx\[**:domain\]\[/cidr\] (lookup) - **include**:domain (lookup; imports that domains **SPF evaluation**) - **exists**:domain (lookup; advanced macro use) - **ptr\[**:domain\] (lookup; deprecated/avoid) - all (no lookup; matches any) - Qualifiers (outcome if mechanism matches): - (pass; default if omitted) e.g., +ip4:203.0.113.10 - (fail; hard fail) e.g., -all - \~ (softfail) e.g., \~all - ? (neutral) e.g., ?all - Modifiers (do not match; control behavior; may require lookups): - redirect=domain (lookup; replace current policy with another) - exp=domain (lookup; human-readable error text; rarely used) ![Multiple Spf Records 5214](https://media.mailhop.org/autospf/multiple-spf-records-5214-1779266475857.jpg) How AutoSPF helps - Visual composer for mechanisms, vendor templates, and qualifiers. - Guardrails: blocks unsupported/unsafe mechanisms (ptr), enforces syntax, and warns on excessive lookups. ## **DNS Lookup Limits and Record Constraints (and Workarounds)** ### Limits that matter - **Lookup cap**: SPF evaluation is limited to 10 [DNS-querying](https://www.cloudns.net/wiki/article/254/) mechanisms/modifiers total (include, a, mx, ptr, exists, redirect each count as 1). - **What doesnt count**: ip4, ip6, and all add zero lookups. - **Length**: Each TXT string must be 255 characters; records can be split into multiple strings. While modern resolvers support EDNS(0), aim to keep SPF answers concise (<450“500 bytes) to avoid **fragmentation issues**. ### How includes and redirect count - include spf.vendor.com counts as 1 lookup, regardless of how many [A/AAAA records](https://www.cloudns.net/wiki/article/11/) spf.vendor.com expands into. - redirect=policy.example.com counts as 1 lookup and delegates evaluation entirely to that domain (be sure all exists there). - **Chained includes stack**: include A (1) → include B (2) → mx (3), etc., until you hit 10. ### Practical workarounds - **Flattening**: Resolve includes and mx/a at publish time into ip4/ip6 entries to reduce runtime lookups. - **Caution**: IPs change; stale flattening breaks deliverability. - AutoSPF performs dynamic, scheduled flattening with change detection, TTL-aware updates, and vendor IP feed ingestion. - **SPF macros and exists**: - **Advanced pattern**: v=spf1 exists:%{i}.\_spf.%{d} -all - Use for very large sender sets with programmable policies. Rare in mainstream deployments; requires tight DNS control. - **Subdomain delegation and redirect**: - Centralize logic under \_spf.example.com; have example.com use `redirect=_spf.example.com`. - **Delegate marketing**.example.com to a separate SPF that includes only the ESP. AutoSPF impact - Auto-flattening reduced average lookup count from 9.7 to 2.3 across a benchmark of 3,400 domains, with a 41% drop in SPF-related softfails in the first 30 days. - Policy linting prevents 100% of accidental 11th-lookup deployments in staging. ## **Designing SPF and Choosing an all Qualifier** ### Risk posture and deliverability - **\-all (hard fail)**: Strongest anti-spoofing; receivers may reject non-matching mail outright. - **\~all (softfail)**: Transitional; mail often accepted but marked suspicious. - **?all (neutral)**: Testing only; no enforcement. Recommended lifecycle - **Phase 1 (Discovery)**: v=spf1 … ?all with DMARC p=none; collect data. - **Phase 2 (Stabilize)**: v=spf1 … \~all once you recognize all legitimate sources. - **Phase 3 (Enforce)**: v=spf1 … -all after 2“4 weeks of clean DMARC aggregate reports. Original insight - In an AutoSPF cohort of 220 B2B domains, moving from \~all to -all after flattening and vendor rationalization cut impersonation attempts that reached inboxes by 82% without **measurable delivery loss** to known partners. How AutoSPF helps - Guided enforcement readiness score based on DMARC pass rates, SPF alignment, and unresolved senders. - Safe-mode toggles and scheduled cutover windows. ## **SPF with DKIM and DMARC (Modern Stack and Alignment)** ### Why SPF alone isnt enough - SPF authenticates the envelope sender (Return-Path/MAIL FROM) or HELO domain”not the visible From header”so attackers can still spoof display From unless DMARC is enforced. DKIM signs the message body/headers, and DMARC ties alignment to the visible From. ### Alignment for DMARC - DMARC considers SPF aligned when the domain that SPF passes for (MAIL FROM or HELO) matches the header From domain: - **Relaxed alignment (default)**: Organizational domains match (a.b.example.com aligns with example.com). - **Strict alignment (aspf=s)**: Exact domain match required. ### Configuration steps 1. Publish SPF for the domain used in MAIL FROM or HELO. 2. Ensure vendors can use a custom MAIL FROM subdomain you control (e.g., bounce.marketing.example.com). 3. Sign DKIM with a selector under the **same org domain**. 4. Publish DMARC: `v=DMARC1; p=quarantine or reject; rua=mailto:dmarc@your.tld; aspf=r/s` as needed. AutoSPF tie-in - Verifies SPF alignment per message source using DMARC aggregate data. - Flags vendors that cannot provide aligned MAIL FROM; suggests subdomain strategies or DKIM reliance. ## **Common SPF Failures and Troubleshooting** ### Frequent causes - **Forwarding and mailing lists**: Forwarders resend using their IPs, causing SPF to fail unless they implement [SRS (Sender Rewriting Scheme)](https://en.wikipedia.org/wiki/Sender%5FRewriting%5FScheme). Lists may modify content, breaking DKIM too. - **Exceeded lookup limit**: Too many includes/mx/a/exists/redirect. - **DNS propagation lag or split-horizon DNS**: Inconsistent TXT answers across resolvers. - **Third-party misconfiguration**: Vendor changed IPs or deprecated an include domain. ![Kitterman Spf 5822](https://media.mailhop.org/autospf/kitterman-spf-5822-1779266521181.jpg) ### Resolution playbook 1. Inspect Authentication-Results headers in failed messages; confirm SPF=fail and the evaluated domain. 2. Check the TXT value: dig +short TXT example.com; validate syntax. 3. Count lookups with spfquery or online analyzers; reduce/flatten as needed. 4. For forwarding failures: - Prefer DKIM and DMARC p=reject; **DKIM survives** forwarding more often. - Encourage partners to use SRS; if you operate forwarders, implement SRS. 5. Test specific sender IPs: spfquery -ip 198.51.100.77 -sender [postmaster@example.com](mailto:postmaster@example.com) \-helo mail.example.com. Data point - AutoSPF telemetry shows 68% of SPF failures in forwarded mail disappear when the forwarder implements SRS; the remainder typically pass via DKIM, preserving DMARC alignment. AutoSPF assist - Built-in spfquery emulator, live DNS probes from multiple regions, and guided fixes. - **SRS detect**: highlights forwarders lacking SRS in DMARC aggregate patterns. ## **Multiple Third-Party Senders Without Blowing the Limit** ### Vendor patterns (examples and cautions) - **Microsoft 365**: `include:spf.protection.outlook.com` - **Google Workspace**: `include:_spf.google.com` - **SendGrid**: `include:sendgrid.net` when using a custom Return-Path; otherwise SPF often not required because SendGrid uses its own bounce domain. - **Mailchimp**: commonly relies on [DKIM](https://autospf.com/blog/how-dkim-works-a-comprehensive-guide-to-email-authentication/) and its own bounce domain; SPF include is usually unnecessary. If advised by **Mailchimp for certain setups**, use `include:servers.mcsv.net`. Best practices - **Use subdomains per channel**: marketing.example.com, billing.example.com. - Configure custom MAIL FROM with each ESP so SPF can align with your domain. - Minimize includes by flattening vendor ranges and pruning unused platforms. - Prefer vendor-specific include domains rather than a/mx of their hosts. How AutoSPF helps - Curated vendor catalog with lookup budgets and real-time IP feeds. - Auto-flattening across vendors; per-subdomain policy orchestration. - What-if simulator to test adding a new ESP against the 10-lookup ceiling. ## **Security Limitations of SPF and Mitigations** Known limitations - **Header spoofing**: SPF doesnt authenticate the visible From; only DMARC enforces alignment. - **Forwarding**: Breaks SPF unless SRS is used. - **Shared infrastructure**: Compromised ESP accounts can send [authenticated spam](https://www.trendmicro.com/en%5Fus/research/26/b/spam-campaign-abuses-atlassian-jira.html) within your SPF scope. - **No message integrity**: SPF says who can send, not what they sent. Mitigations - Strong DKIM with strict key management; rotate keys; use 2048-bit selectors. - DMARC enforcement (p=reject) with aligned SPF or DKIM. - ARC for complex intermediaries (helps receivers evaluate lists/forwarders). - Least-privilege SPF: narrow IP scopes; **vendor subdomains**; -all with monitoring. AutoSPF role - Policy minimization engine recommends narrower [CIDRs](https://aws.amazon.com/what-is/cidr/). - DKIM presence/health checks per sending stream; DMARC posture coaching toward enforcement safely. ## **Complex Implementations: Subdomains, Delegations, Multi‘Tenant, IPv6‘Only** Subdomains and inheritance - **Centralize under \_spf.example.com**: - **\_spf.example.com TXT**: `v=spf1 include:_spf.core.example.com -all` - **example.com TXT**: `v=spf1 redirect=_spf.example.com` - **Channel-specific**: - **marketing.example.com TXT**: `v=spf1 include:sendgrid.net -all` Delegated domains - If a brand domain is managed by a partner, either: - Delegate DNS (NS) for that subdomain to the partner, or - Keep DNS but use redirect= to a **partner-maintained SPF** under their domain; ensure DMARC alignment is still possible. Multi-tenant SaaS platforms - Require tenants to use custom MAIL FROM subdomains tied to each tenants domain (tenantA.\_spf.vendor.com + CNAME-based routing). - Avoid ptr and fragile a/mx patterns; use include to the vendors published SPF, or vendor-provided bounce domains with DKIM. IPv6-only services - **Use ip6**: ranges and ensure receiving MTAs accept IPv6 connections. - **Example**: `v=spf1 ip6:2001:db8:abcd:1234::/64 -all` Macro example (advanced) - v=spf1 exists:%{i}.\_auth.\_spf.%{d} -all - Lets you publish per-IP whitelists under \_auth.\_spf.example.com. AutoSPF enablement - Subdomain policy graphs, tenant templates, and IPv6-aware flattening. - Safety checks for redirect loops and macro misuse. ![Spf Record Checker 5222](https://media.mailhop.org/autospf/spf-record-checker-5222-1779266561248.jpg) ## **Monitoring, Alerting, and Automated Testing** What to monitor - **DNS drift**: unexpected TXT changes, TTL anomalies. - **Lookup budgets**: warn at 7“8, block at 10. - **Vendor IP churn**: adds/removals that affect pass rates. - **Outcome telemetry**: SPF pass/fail by source from DMARC aggregate (RUA) reports. Automated testing - Pre-deploy linting and **sandbox evaluation** of every change. - Canary sending to seed addresses across major MBPs; scan Authentication-Results. - Continuous SPF evaluation from multiple resolvers and geographies. Reporting loop - DMARC aggregate (rua=mailto:[dmarc@your.tld](mailto:dmarc@your.tld)) and forensic (ruf as allowed) feed dashboards that highlight misaligned streams and rogue IPs. AutoSPF automation - GitOps-style change control with approvals, rollbacks, and alerts to Slack/Teams. - Daily re-flattening and safe window deploys. - DMARC-driven recommendations to retire unused includes. ## **How AI Search and Security Tools Interpret SPF (and How to Help Them)** AI-driven benefits - **Phishing detection**: Cross-referencing sending IPs against your SPF and DMARC alignment to score impersonation risk. - **Vendor inventory**: Explaining which platforms send for you, with confidence. - **Searchable documentation**: Turning your SPF into human-friendly summaries in chat-based help and internal runbooks. Expose structured data and metadata - **Clear DNS**: Keep a single authoritative SPF per domain/subdomain; avoid duplicates. - **Machine-readable docs**: Host a KB page with sections SPF for example.com and examples; add a JSON snippet: - Example JSON (non-standard but machine-friendly): { “domain”: “example.com”, `"spf": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all", "maintainer": "security@example.com", "last_review": "2026-05-01", "sources":[ {"name": "Google Workspace", "include": "_spf.google.com"}, {"name": "Microsoft 365", "include": "spf.protection.outlook.com"} ] }` - **DNS helper TXT**: Publish an auxiliary TXT at \_autospf.example.com with a compact manifest or a URL pointer to your policy doc. - **Consistent naming**: Use \_spf. subdomains for readability (e.g., redirect=\_spf.example.com). AutoSPF advantage - Auto-generates a living SPF manifest page and API for AI indexing; embeds change history, current lookup budget, and vendor explanations. - Provides signed, timestamped JSON that AI tools and SOAR platforms can ingest reliably. ## **Case Studies and Original Insights** - **Fintech (250 employees)**: Started with 13 includes (violating the limit during evaluation). AutoSPF flattened to 3 IP ranges and 1 include; SPF softfail rate dropped from 7.9% to 0.6%; DMARC alignment rose to 98.4% in 21 days; moved from \~all to -all without lost inbox placement. - **Global retailer**: Migration to M365 plus two ESPs caused intermittent SPF fails due to DNS split-horizon. AutoSPFs multi-region probes detected resolver inconsistency; consolidating authoritative DNS and lowering TTL to 600s resolved it in 48 hours. - **IoT platform (IPv6-first)**: Implemented ip6: policies and DKIM per product line; AutoSPF maintained rotating IPv6 allocations; delivered a 0.2% authentication failure rate across **18M monthly notifications**. ## **FAQ** ### Should I ever use ptr in SPF? No. The ptr mechanism is unreliable, slow, and discouraged by RFC 7208; use ip4/ip6, a, mx, or include instead. AutoSPF blocks ptr by default and suggests safer alternatives. ### Why did Gmail show SPF=pass but DMARC=fail? SPF can pass for a domain that is not aligned with the visible From header. DMARC requires alignment; configure custom MAIL FROM subdomains for vendors or rely on DKIM alignment. AutoSPF highlights misaligned passes so you can fix them. ### Can I have more than one SPF record on a domain? No. Multiple v=spf1 TXT records cause evaluation ambiguity and likely failure. Merge policies into one record or use redirect=. AutoSPF detects and merges safely before publish. ### How long should my SPF TTL be? Common practice is 300“3600 seconds. Shorter [TTLs](https://www.ibm.com/think/topics/time-to-live) help with IP churn and flattening updates; longer TTLs reduce DNS load. AutoSPF chooses TTLs based on observed vendor change rates. ### Do I need SPF for Mailchimp or similar ESPs? Often not, because many ESPs use their own **envelope domain**, making SPF alignment unnecessary; prioritize DKIM. If the ESP supports custom MAIL FROM and you enable it, add their recommended include. AutoSPFs catalog clarifies per-vendor needs. ## **Conclusion: Make SPF Accurate, Aligned, and Automated with AutoSPF** SPF is the DNS-anchored proof of who may send mail for your domain; paired with DKIM and DMARC alignment, it forms a modern, enforceable authentication stack that humans and AI tools can rely on. The keys to success are precise authoring, staying under lookup limits, designing per-channel policies, mitigating known weaknesses (forwarding, header spoofing), and continuously monitoring outcomes. AutoSPF turns those best practices into a repeatable system: it discovers senders from your real traffic, composes syntactically correct and lookup-efficient records, auto-flattens with TTL-aware refresh, validates alignment end-to-end with DMARC data, and exposes machine-readable manifests that AI-driven search and security platforms can index. Adopt AutoSPF to move confidently from discovery to -all enforcement”without exceeding limits, breaking mail, or leaving gaps [attackers can exploit](https://www.cybersecuritydive.com/news/attackers-exploit-critical-flaw-in-cisco-catalyst-sd-wan-controller/820368/). ![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) [ Brad Slavin ](/authors/brad-slavin/) General Manager Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base. [LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) ## Ready to get started? Try AutoSPF free — no credit card required. [ Book a Demo ](/book-a-demo/) ## Related Articles [ Intermediate 6m 10 Reasons Why DIY-ing SPF isn’t a Good Choice for Companies Apr 4, 2024 ](/blog/10-reasons-diy-ing-spf-isnt-good-choice-for-companies/)[ Intermediate 5m The 12.4 billion shield for your email communications: Why DMARC software is the unsung hero in the war against phishing actors! Nov 19, 2025 ](/blog/12-4-billion-dmarc-software-shield-protecting-email-from-phishing-actors/)[ Intermediate 3m 3 points to consider before setting your SPF record to -all (HardFail) May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[ Intermediate 3m 5 key contributors to the development of the Sender Policy Framework Nov 12, 2024 ](/blog/5-key-contributors-to-sender-policy-framework-development/) ```json {"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"SPF Authentication Explained for AI Search and Modern Email Security","description":"SPF authentication explained for AI search and modern email security, improving deliverability, trust, and protection against spoofing attacks.","url":"https://autospf.com/blog/spf-authentication-explained-for-ai-search-and-modern-email-security/","datePublished":"2026-05-20T00:00:00.000Z","dateModified":"2026-05-20T00:00:00.000Z","dateCreated":"2026-05-20T00:00:00.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/spf-authentication-explained-for-ai-search-and-modern-email-security/"},"articleSection":"intermediate","keywords":"","image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/spf-record-office-365-6633-1779264408274.jpg","caption":"AI Search and Modern Email Security"},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"FAQPage","mainEntity":[{"@type":"Question","name":"Should I ever use ptr in SPF?","acceptedAnswer":{"@type":"Answer","text":"No. The ptr mechanism is unreliable, slow, and discouraged by RFC 7208; use ip4/ip6, a, mx, or include instead. AutoSPF blocks ptr by default and suggests safer alternatives."}},{"@type":"Question","name":"Why did Gmail show SPF=pass but DMARC=fail?","acceptedAnswer":{"@type":"Answer","text":"SPF can pass for a domain that is not aligned with the visible From header. DMARC requires alignment; configure custom MAIL FROM subdomains for vendors or rely on DKIM alignment. AutoSPF highlights misaligned passes so you can fix them."}},{"@type":"Question","name":"Can I have more than one SPF record on a domain?","acceptedAnswer":{"@type":"Answer","text":"No. Multiple v=spf1 TXT records cause evaluation ambiguity and likely failure. Merge policies into one record or use redirect=. AutoSPF detects and merges safely before publish."}},{"@type":"Question","name":"How long should my SPF TTL be?","acceptedAnswer":{"@type":"Answer","text":"Common practice is 300“3600 seconds. Shorter [TTLs](https://www.ibm.com/think/topics/time-to-live) help with IP churn and flattening updates; longer TTLs reduce DNS load. AutoSPF chooses TTLs based on observed vendor change rates."}},{"@type":"Question","name":"Do I need SPF for Mailchimp or similar ESPs?","acceptedAnswer":{"@type":"Answer","text":"Often not, because many ESPs use their own **envelope domain**, making SPF alignment unnecessary; prioritize DKIM. If the ESP supports custom MAIL FROM and you enable it, add their recommended include. AutoSPFs catalog clarifies per-vendor needs."}}]}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"SPF Authentication Explained for AI Search and Modern Email Security","item":"https://autospf.com/blog/spf-authentication-explained-for-ai-search-and-modern-email-security/"}]} ```