SPF and DNS Records: Understanding Where SPF Lives
Learn how SPF records work within DNS, the relationship between SPF and other DNS record types, and how to find and manage your domain's SPF configuration.
Last updated: 2026-02-05
SPF doesn't exist in isolation. It's part of your domain's DNS configuration, sitting alongside other records that control how your domain works. Understanding this relationship helps you manage SPF effectively and avoid common mistakes.
SPF Records Are TXT Records
Here's something that confuses many people: there's no such thing as an "SPF record type" in modern DNS. SPF records are stored as TXT records.
Early in SPF's history, there was a dedicated SPF record type (type 99). But it was deprecated in 2014 because it caused compatibility problems. Today, all SPF records should be published as TXT records.
When you look at your DNS settings, you'll see something like:
| Type | Name | Value |
|---|---|---|
| TXT | @ | v=spf1 include:_spf.google.com ~all |
The @ symbol represents your root domain. The TXT record contains your SPF policy, identified by the v=spf1 prefix.
TXT records serve multiple purposes
TXT records aren't just for SPF. They're also used for domain verification (Google, Microsoft, etc.), DKIM public keys, DMARC policies, and various other purposes. Each serves a different function, identified by its content format.
How SPF Relates to Other DNS Records
Your domain's DNS contains several record types that work together for email delivery. Understanding how they interact helps you configure everything correctly.
A Records
A records point your domain to an IP address. When someone visits yourdomain.com, the A record tells their browser which server to connect to.
SPF can reference A records through the a mechanism:
v=spf1 a -all
This authorizes whatever IP your domain's A record points to. It's useful if your web server also sends email, but most organizations use dedicated email services instead.
MX Records
MX (Mail Exchanger) records tell other servers where to deliver email for your domain. They're essential for receiving email.
SPF can reference MX records through the mx mechanism:
v=spf1 mx -all
This authorizes the servers listed in your MX records to send email. Since these servers handle your incoming email, they often need to send outbound email too (auto-replies, forwards, etc.).
You can check your MX records with an MX record checker.
TXT Records (Beyond SPF)
Besides SPF, TXT records hold other email authentication data:
DKIM records store the public keys used to verify DKIM signatures. They appear as TXT records at a selector subdomain, like selector._domainkey.yourdomain.com.
DMARC records define your domain's email authentication policy. They're TXT records at _dmarc.yourdomain.com.
All three—SPF, DKIM, and DMARC—work together to authenticate your email.
Finding Your SPF Record
The easiest way to check your current SPF record is to query DNS directly. You can do this from the command line or use an online tool.
From the command line on Mac or Linux:
dig +short TXT yourdomain.com | grep spf
On Windows (PowerShell):
Resolve-DnsName -Name yourdomain.com -Type TXT | Where-Object { $_.Strings -like "*spf*" }
Or use nslookup:
nslookup -type=TXT yourdomain.com
Look for the response that starts with v=spf1. That's your SPF record.
Adding or Modifying SPF Records
SPF records are managed through your DNS provider. This might be your domain registrar (like GoDaddy, Namecheap, or Google Domains) or a dedicated DNS service (like Cloudflare or Route 53).
The general process:
- Log into your DNS management console
- Navigate to DNS settings for your domain
- Find existing TXT records (to check for an existing SPF record)
- Add a new TXT record or edit the existing SPF record
- Save and wait for propagation
If you need help building an SPF record, SPF Creator can generate one based on your email services.
One SPF record per domain
You can only have one SPF record per domain. If you already have an SPF record and need to add a new email service, you must edit the existing record—not create a second one. Multiple SPF records cause authentication failures.
DNS Propagation and SPF Changes
When you update your SPF record, the change doesn't take effect instantly. DNS changes propagate through a global network of servers, and each server caches records for a period defined by the TTL (Time to Live).
What to expect:
- Changes typically propagate within 1-4 hours
- Full global propagation can take up to 48 hours
- Some servers may see the change faster than others
TTL considerations:
If you're planning SPF changes, consider lowering your TTL beforehand. A lower TTL means faster propagation when you make changes. After the change is stable, you can raise the TTL again to reduce DNS query load.
Typical TTL values:
- 300 seconds (5 minutes) — Good for testing or frequent changes
- 3600 seconds (1 hour) — Reasonable balance
- 86400 seconds (24 hours) — Stable configurations
Testing during propagation:
During propagation, different email servers may see different versions of your SPF record. This can cause temporary inconsistencies in authentication results. If you're making significant changes, consider:
- Lowering TTL a day before the change
- Making the change during low-email-volume hours
- Starting with ~all (softfail) before moving to -all (hardfail)
- Monitoring delivery reports for any issues
SPF Record Syntax in DNS
When entering an SPF record in your DNS settings, be aware of a few formatting considerations:
Quotes: Some DNS providers require quotes around TXT record values, others add them automatically. If your provider's interface shows the value without quotes but stores it correctly, that's fine.
Line length: DNS TXT records have a 255-character limit per string. Longer records must be split into multiple strings that get concatenated. Most DNS providers handle this automatically, but if you're manually editing zone files, be aware of this limit.
Escaping: Generally, SPF records don't need special escaping. However, if your DNS provider has issues with certain characters, consult their documentation.
Example zone file entry:
yourdomain.com. 3600 IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
Common DNS-Related SPF Problems
Typos in the record. A simple typo can break SPF authentication. Double-check your record after saving, and use a validation tool to confirm it's correct.
Multiple TXT records causing confusion. Having many TXT records is normal (for domain verification, DKIM, DMARC, etc.). Just make sure only one starts with v=spf1.
Subdomain confusion. SPF records at your root domain don't automatically apply to subdomains. If you send email from mail.yourdomain.com, it needs its own SPF record.
Cached old records. After making changes, some recipients may still see the old record due to DNS caching. This resolves itself as caches expire based on TTL.
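The one-record rule and the 255-character string limit described above can be checked mechanically. The following Python sketch is an added example, not part of the original article or any tool it mentions; the function names and the sample TXT data are constructed for illustration. It joins the quoted strings of each TXT record the way receivers do, picks out the records that are really SPF, and flags duplicates.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def join_txt_strings(rdata: str) -> str:
    """Join the quoted strings of one TXT record with no separator, as receivers do."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    # Only \" and \\ escapes are undone; \DDD byte escapes are left as-is.
    return "".join(re.sub(r'\\(["\\])', r"\1", p) for p in parts)

def is_spf(txt: str) -> bool:
    """SPF records are exactly 'v=spf1' or start with 'v=spf1 ' (so 'v=spf10' is not SPF)."""
    low = txt.lower()
    return low == "v=spf1" or low.startswith("v=spf1 ")

def split_for_zone_file(value: str, limit: int = 255) -> str:
    """Render a long ASCII value as quoted strings of at most `limit` characters each."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{c}"' for c in chunks)

def audit_spf(txt_rdata: list) -> dict:
    """Audit all TXT records published at one name and report the SPF state."""
    spf = [t for t in map(join_txt_strings, txt_rdata) if is_spf(t)]
    if not spf:
        return {"status": "none", "record": None, "all": None}
    if len(spf) > 1:
        # More than one v=spf1 record: evaluation ends in a permanent error.
        return {"status": "permerror", "record": None, "all": None}
    all_policy = None
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # default is '+'
        if term.lstrip("+-~?").lower() == "all":
            all_policy = QUALIFIERS[qualifier]
            break
    return {"status": "ok", "record": spf[0], "all": all_policy}

# Constructed sample: TXT answers as `dig +short TXT` prints them.
SAMPLE_TXT = [
    '"google-site-verification=CONSTRUCTED-TOKEN"',
    '"v=spf1 include:_spf.google.com " "include:sendgrid.net ~all"',
]
DUPLICATE_TXT = SAMPLE_TXT + ['"v=spf1 mx -all"']

if __name__ == "__main__":
    print(audit_spf(SAMPLE_TXT))
    print(audit_spf(DUPLICATE_TXT))
```

Because the strings are joined with nothing between them, a split record must carry its separating space inside one of the strings, as the first string of the sample does.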
Monitor Your SPF Records
Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.