~3 min read • Updated Jan 27, 2026
1. What Is SPF?
SPF (Sender Policy Framework) is an email authentication method that:
- Uses DNS TXT records
- Defines which servers are allowed to send mail for your domain
- Helps receivers detect forged sender addresses
SPF does not sign emails or scan content; it only validates the sending source.
2. SPF in the Email Flow
Your Server (iRedMail)
↓
Sends Email
↓
Receiving Mail Server
↓
DNS Lookup for SPF
↓
SPF PASS / FAIL decision
If SPF passes, the sender is considered legitimate (from an IP perspective). If it fails, the receiver may mark it as spam or reject it, depending on their policy and DMARC.
3. SPF Record Basics
SPF is published as a DNS TXT record on your domain. Example:
example.com. TXT "v=spf1 mx a -all"
Key parts:
- v=spf1 — SPF version
- mx — allow IPs of MX records
- a — allow IP of A record
- -all — everything else is not allowed
4. Common SPF Mechanisms
- a — authorize the IP of the domain’s A record
- mx — authorize IPs of MX records
- ip4: — authorize specific IPv4 addresses (e.g.
ip4:203.0.113.10) - ip6: — authorize specific IPv6 addresses
- include: — delegate to another SPF record (e.g.
include:_spf.google.com) - all — catch-all mechanism, usually at the end
5. Qualifiers in SPF
| Qualifier | Meaning | Example |
|---|---|---|
| + | Pass (default) | mx = +mx |
| - | Fail (hard fail) | -all |
| ~ | Soft fail | ~all |
| ? | Neutral | ?all |
Recommended for production: -all or ~all depending on maturity.
6. Example SPF Records for iRedMail
6.1 Simple iRedMail on Single Server
example.com. TXT "v=spf1 a mx -all"
6.2 iRedMail + External SMTP Provider (e.g. Mailgun)
example.com. TXT "v=spf1 a mx include:mailgun.org -all"
6.3 Multiple Outbound IPs
example.com. TXT "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 mx -all"
7. SPF and DMARC
SPF alone does not define what to do when it fails. DMARC uses SPF (and DKIM) results to decide:
- Accept
- Quarantine
- Reject
For DMARC alignment, the From: domain must match (or be aligned with) the domain used in SPF.
8. Testing SPF
- Use online SPF checkers (e.g. MXToolbox)
- Send email to Gmail and check “Show original” → SPF: PASS/FAIL
- Verify there is only one SPF record per domain
9. Common SPF Mistakes
- Multiple SPF records — must be only one TXT SPF record
- Too many DNS lookups — SPF limit is 10 DNS lookups
- Forgetting external senders — CRMs, ticket systems, etc.
- Using
+all— effectively disables SPF (never do this)
10. Best Practices
- Start with
~all(soft fail) while monitoring - Move to
-allonce you’re sure all senders are covered - Keep SPF under 10 DNS lookups
- Align SPF with DMARC policy
11. SPF + DKIM + DMARC
| Mechanism | Role |
|---|---|
| SPF | Verifies sending IP/host |
| DKIM | Verifies message integrity and domain signature |
| DMARC | Defines policy based on SPF/DKIM results |
Together, they form a complete email authentication stack for iRedMail.
Conclusion
SPF is a fundamental building block of email authentication in iRedMail. It tells the world which servers are allowed to send email for your domain, helping prevent spoofing and improving deliverability. When combined with DKIM and DMARC, SPF becomes part of a robust, modern, and trusted email identity framework.
Written & researched by Dr. Shahin Siami