Sender Policy Framework with lookup-counter warning (limit 10 per RFC 7208 § 4.6.4).
What is this, and when do I need it?
What is this?
SPF (Sender Policy Framework, RFC 7208) is a list of IP addresses and mail providers
authorised to send mail on behalf of your domain. The receiving mail server looks up the
sending IP when a message arrives: is it in your SPF record? If not, SPF fails - and that
feeds into the DMARC verdict.
SPF alone does not block any mail (it only signals). Only together with DMARC does it gain
enforcement power.
When do I need it?
As soon as you send mail - your own mail server, a newsletter provider, a CRM tool, a ticket
system. Each of those sources must appear in SPF, otherwise their mail lands in spam folders
or gets rejected under strict DMARC policies.
Important: every entry like include: or a: costs one DNS lookup. The limit is 10 (RFC 7208 §4.6.4). If you have many providers, it is sensible
to prune old tools or use direct ip4: blocks instead of includes.
Publish the record as TXT on the apex domain itself (host=@, content=the value above). Subdomains do not inherit SPF - every sending subdomain needs its own record (a wildcard TXT does not inherit either).
When the lookup counter exceeds 10, mailbox providers respond with PermError and treat the record as absent. Fix: flatten (resolve include into ip4/ip6) or consolidate include sources.
How to add this record at your DNS provider
The record generated above has three parts: the record type (typically TXT,
occasionally CAA), the host (a subdomain like _dmarc, _smtp._tls or empty for the root domain) and the value (the actual
payload in quotes). Every DNS provider asks for these same three fields - only the menu wording
differs.
Button Add record → pick a type, enter the name (use @ for the
root domain), paste the value.
Save. Propagation typically under 5 minutes.
IONOS (1&1)
Sign in to the IONOS customer center.
Menu Domains & SSL → click the domain → DNS.
Button Eintrag hinzufügen → pick a type, enter the host, paste the value into
the content field.
Save. Propagation typically 15-60 minutes.
Cloudflare
Sign in to Cloudflare, pick the domain.
Tab DNS → Records.
Button Add record → pick a type, enter the name (use @ for
the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
Save. Propagation typically under 2 minutes.
Note: If your DNS provider is not listed, you usually find the right place under headings like
"DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps;
the paths shown here are vendor-specific and can shift slightly with redesigns.
Inspect an existing SPF record
Reads the TXT record of the domain and validates SPF against RFC 7208 (lookups, mechanisms, all action).
Try with:
Server path: this inspection does NOT run browser-local. We fetch the DNS record or HTTPS response via our server. We do not log the queried domain or the result. 12 requests per minute per IPv4 address or IPv6 /64 subnet.