SPF (Sender Policy Framework) is an email authentication method designed to detect forged sender addresses during delivery. It lets a receiving mail server check that a message whose envelope sender (the MAIL FROM address, also seen as the Return-Path) claims a given domain was handed over by an IP address that domain's administrators have published as authorized. Note the scope: SPF is evaluated against the envelope sender and the HELO name, not against the From: header a user sees in their mail client; protecting that visible header is what DMARC alignment adds on top of SPF.
Check your domain for syntax errors and the dreaded 10 DNS lookup limit.
When a spammer tries to send an email pretending to be billing@yourcompany.com, the receiving mail server (Gmail, for example) looks up the TXT records for the sending domain, here yourcompany.com, and picks out the single string that starts with v=spf1.
That string lists the IP addresses and services (Google Workspace, Mailchimp, SendGrid and so on) allowed to send for the domain. If the connecting IP matches none of them, evaluation falls through to the final all mechanism, and its qualifier decides whether the result is fail or softfail. What the receiver then does with that result is its own policy: many large receivers, Gmail included, feed the SPF result into DMARC evaluation and spam scoring rather than rejecting outright on SPF alone.
To keep an SPF evaluation from being turned into a DNS amplification or Denial of Service (DoS) tool, RFC 7208 limits the number of DNS-querying terms per evaluation to 10. Every include:, a, mx, ptr and exists mechanism and every redirect= modifier counts as one lookup; ip4:, ip6: and all cost nothing. If an included record has its own include: mechanisms (nested includes), those count against the same budget, and so on down the tree. Exceeding the limit does not produce a tidy fail: the result is permerror, meaning the receiver could not evaluate your record at all, and DMARC counts that as SPF not passing. Two practical caveats: evaluation stops at the first matching mechanism, so a record can be over the limit only for some senders, which is why a checker should count the whole include tree rather than one evaluation path; and mx and ptr have their own additional cap of 10 names returned per lookup.
The all mechanism at the end of your SPF record tells the receiver what to assert about an IP that matched nothing before it. -all (fail, often called hard fail) says the host is not authorized, and the receiver may reject the message. ~all (softfail) says the host is probably not authorized: the receiver should accept the message but may treat it with suspicion or mark it as spam. ?all (neutral) asserts nothing either way, which protects you no better than having no record. Softfail is generally recommended while you are migrating or adding services, and -all offers the strongest protection once you are sure the record is complete. If the domain also publishes a DMARC policy, both fail and softfail count as SPF not passing, so it is the DMARC policy, not the qualifier, that drives rejection.
Absolutely not. If a domain has more than one TXT record starting with v=spf1, RFC 7208 requires receivers to return permerror, so every SPF check for that domain fails until the duplicate is removed. If you use multiple services (e.g. Office 365 and Mailgun), combine their includes into a single, unified SPF string, and watch the lookup count while you do.
Using +all at the end of your SPF record literally means "any IP address in the world is authorized to send email on behalf of my domain". Every sender gets a pass, which completely defeats the purpose of SPF and guarantees spammers will abuse your domain name. The same applies one level down: an include: mechanism matches whenever the included record returns pass, so a third-party record ending in +all hands that blanket pass to you.
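As an added example (not code from the original page or from any checker it describes), the following Python implements the rules covered above: the single-record requirement, the 10-lookup budget counted across nested includes and redirects, the qualifier on all, and a simplified check_host that evaluates a sending IP against a record. It runs against a constructed in-memory table of TXT answers instead of real DNS; every domain name, IP address and record in it is invented, and the function names (get_spf_record, parse_terms, count_lookups, check_host) are this example's own rather than RFC or library names. The simplification to be aware of: a, mx, ptr and exists are charged to the lookup budget but never resolved, since they would need A, MX or PTR queries.

```python
import ipaddress

# Result and qualifier names as used in RFC 7208.
PASS, FAIL, SOFTFAIL, NEUTRAL, NONE, PERMERROR = "pass", "fail", "softfail", "neutral", "none", "permerror"
QUALIFIERS = {"+": PASS, "-": FAIL, "~": SOFTFAIL, "?": NEUTRAL}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # the terms that cost a DNS query
MAX_LOOKUPS = 10                                                     # RFC 7208 section 4.6.4

# Constructed stand-in for DNS TXT answers so the example runs offline; every name and address is invented.
FAKE_TXT = {
    "yourcompany.example": ["v=spf1 include:_spf.mailprovider.example ip4:203.0.113.10 -all"],
    "_spf.mailprovider.example": ["v=spf1 include:_blocks1.mailprovider.example include:_blocks2.mailprovider.example ~all"],
    "_blocks1.mailprovider.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_blocks2.mailprovider.example": ["v=spf1 ip6:2001:db8:100::/48 ~all"],
    "open.example": ["v=spf1 ip4:203.0.113.10 +all"],                       # the +all mistake
    "twice.example": ["v=spf1 include:_spf.mailprovider.example -all", "v=spf1 ip4:203.0.113.10 -all"],
    "toomany.example": ["v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all"],
}
FAKE_TXT.update({f"svc{i}.example": [f"v=spf1 ip4:203.0.113.{20 + i} -all"] for i in range(11)})

class PermError(Exception):
    """A record the receiver cannot evaluate at all (SPF result 'permerror')."""

def get_spf_record(domain, txt):
    """The domain's single v=spf1 TXT string; None if it has none, PermError if it has several."""
    records = [r for r in txt.get(domain, []) if r.split(" ", 1)[0].lower() == "v=spf1"]
    if len(records) > 1:
        raise PermError(f"{domain}: {len(records)} TXT records start with v=spf1")
    return records[0] if records else None

def parse_terms(record):
    """Split a record into (qualifier, name, value) triples; modifiers such as redirect= get qualifier '+'."""
    terms = []
    for token in record.split()[1:]:            # [0] is the v=spf1 version tag
        qualifier = "+"
        if "=" in token:                        # modifier: redirect=, exp=
            name, _, value = token.partition("=")
        else:                                   # mechanism, optionally prefixed by a qualifier
            if token[0] in QUALIFIERS:
                qualifier, token = token[0], token[1:]
            name, _, value = token.partition(":")
            name = name.split("/")[0]           # "a/24" and "mx/24" still count as a and mx
        terms.append((qualifier, name.lower(), value))
    return terms

def count_lookups(domain, txt, seen=frozenset()):
    """Static count of DNS-querying terms reachable from the record, following nested includes and redirects."""
    if domain in seen:
        raise PermError(f"{domain}: include/redirect loop")
    record = get_spf_record(domain, txt) or ""
    total = 0
    for _, name, value in parse_terms(record):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(value, txt, seen | {domain})
    return total

def _charge(lookups):
    """Charge one DNS query to the counter shared across nested includes; True once the limit is exceeded."""
    lookups[0] += 1
    return lookups[0] > MAX_LOOKUPS

def check_host(ip, domain, txt, lookups=None):
    """Simplified RFC 7208 check_host for one sending IP: resolves ip4, ip6, include, redirect and all;
    a/mx/ptr/exists are charged to the limit but treated as non-matching (they would need A/MX/PTR queries)."""
    lookups = [0] if lookups is None else lookups
    try:
        record = get_spf_record(domain, txt)
    except PermError:
        return PERMERROR
    if record is None:
        return NONE
    addr, redirect_to = ipaddress.ip_address(ip), None
    for qualifier, name, value in parse_terms(record):
        if name == "redirect":                  # only consulted if no mechanism matches
            redirect_to = value
            continue
        if name in LOOKUP_TERMS and _charge(lookups):
            return PERMERROR
        if name in ("ip4", "ip6"):              # a v6 address never matches an ip4 network, and vice versa
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":                 # include matches only when the other record says pass
            sub = check_host(ip, value, txt, lookups)
            if sub in (NONE, PERMERROR):        # RFC 7208 5.2: both become permerror for the includer
                return PERMERROR
            matched = sub == PASS
        else:
            matched = name == "all"
        if matched:
            return QUALIFIERS[qualifier]
    if redirect_to:
        return PERMERROR if _charge(lookups) else check_host(ip, redirect_to, txt, lookups)
    return NEUTRAL
```

With the constructed table, count_lookups("yourcompany.example", FAKE_TXT) is 3 (one include plus the two nested in it), while "toomany.example" counts 11 and so fails any checker before a message is ever sent; check_host returns "permerror" for it with an IP that matches nothing, and likewise for "twice.example" because of its duplicate records. The same IP gets "fail" from the -all domain, "softfail" from the ~all provider record, and "pass" from the +all domain, which is exactly why +all is never acceptable.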