SPF
When an email arrives claiming to be from your domain, the receiving server has no built-in way to know whether the sending server was actually authorized to send it. SPF provides that authorization by listing approved senders in a DNS record that anyone can look up.
What is SPF
SPF is a TXT record published in your domain's DNS. It declares which IP addresses and mail servers are permitted to send email on behalf of your domain. Any server not listed is considered unauthorized.
A typical SPF record looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net ~all

v=spf1 — Identifies this as an SPF record.
include: — Delegates authorization to another domain's SPF record. This is how third-party senders like SendGrid or Google Workspace are authorized.
~all — A soft fail for any server not explicitly listed. The stricter -all (hard fail) tells receivers to reject unauthorized senders outright.
How SPF works
When a mail server receives a message, it extracts the domain from the envelope sender (the MAIL FROM address used during the SMTP transaction, which may differ from the visible From: header). It then performs a DNS lookup for that domain's SPF record and checks whether the sending server's IP address is listed.
The result is one of several statuses: pass, fail, soft fail, or neutral. This result feeds into DMARC evaluation if a DMARC record exists.
SPF has a 10-lookup limit — if your record requires more than 10 DNS queries to fully resolve (counting nested include: directives), the check automatically fails. This limit exists to prevent SPF from being used as a denial-of-service vector.
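To see how nested include: directives add up against the limit, the following added example (not Clerk's code) counts lookups for a record before it is published. It assumes the counting rule from RFC 7208 section 4.6.4, where include, a, mx, ptr, exists and redirect each cost one lookup, and it runs against a constructed in-memory zone instead of live DNS; all domain names are made up.

```python
# Constructed sample zone: domain -> SPF TXT record (stands in for live DNS).
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:bulk.example ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 a mx ~all",
    "bulk.example": "v=spf1 " + " ".join(f"include:n{i}.bulk.example" for i in range(6)) + " -all",
    **{f"n{i}.bulk.example": f"v=spf1 ip4:203.0.113.{i} -all" for i in range(6)},
    "small.example": "v=spf1 ip4:192.0.2.10 include:_a.mail.example -all",
}

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
# Terms that cost a DNS query; ip4, ip6 and all do not.
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms needed to fully resolve domain's SPF record."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        sep = "=" if term.startswith("redirect=") else ":"
        name, _, target = term.partition(sep)
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name not in QUERYING:
            continue
        total += 1
        if name in ("include", "redirect") and target:
            # Nested records count against the same budget.
            total += count_lookups(target, zone, path + (domain,))
    return total


def check(domain, zone=ZONE):
    """Return (lookup count, verdict) for a domain in the zone."""
    n = count_lookups(domain, zone)
    return n, ("ok" if n <= LOOKUP_LIMIT else "over limit")


if __name__ == "__main__":
    for d in ("example.com", "small.example"):
        print(d, *check(d))
```

The example.com record lists only two include: directives itself, yet it resolves to 12 lookups once the nested records are counted, which is how a record drifts over the limit when a third-party sender expands its own SPF.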
SPF and Clerk
Clerk configures SPF records automatically as part of production instance setup. The records authorize Clerk's email sending infrastructure to send email on behalf of your domain.
For more details on email authentication setup, see Email deliverability.