SPF (Sender Policy Framework)

What is SPF?

SPF, or Sender Policy Framework, is an authentication protocol designed to validate the “HELO” and “MAIL FROM” fields in an email transmission. It provides a method whereby a domain administrator can explicitly authorize which hosts are allowed to send mail for a domain, which can be verified by the recipient’s mail server. The current SPF standard is published in RFC 7208.

How does SPF work?

SPF is published as a DNS TXT record. The recipient then checks the IP address of the sending mail server against the SPF record for the HELO/MAIL FROM domain to confirm that the IP address is authorized by the SPF record. An example SMTP transaction might look like this:

220 mx.google.com ESMTP c125si9817506pfg.356 - gsmtp
EHLO mta-c-24-39.infusionmail.com
250-mx.google.com at your service, []
250-SIZE 157286400
MAIL FROM: <mailer@infusionmail.com>
250 2.1.0 OK c125si9817506pfg.356 - gsmtp
RCPT TO: <recipient@gmail.com>
250 2.1.5 OK c125si9817506pfg.356 - gsmtp
354  Go ahead c125si9817506pfg.356 - gsmtp
FROM: sales@mydomain.com
TO: recipient@gmail.com
Subject: Check out our hot deals this summer!

40% off your next order if you buy today!
250 2.0.0 OK 1507046193 c125si9817506pfg.356 - gsmtp

The HELO address in this example is mta-c-24-39.infusionmail.com and the MAIL FROM address in this example is mailer@infusionmail.com. Therefore, the domain name that will be checked for SPF is infusionmail.com. The IP address that sent the message is

Upon receiving the message, Google will do a DNS lookup on infusionmail.com to verify if it has an SPF record published. In this case, it does:

v=spf1 a:infusionsoft.com ip4: ip4: ip4: ip4: -all

SPF record syntax is explained in-depth at http://www.openspf.org/SPF_Record_Syntax. Let’s examine what this record means:


This is the version of SPF being used. Currently, only one version of SPF exists - spf1. All SPF records will start with this string.


The IP address published in the DNS A record for infusionsoft.com is allowed to send mail for infusionmail.com. Google would do a DNS lookup to resolve this IP address:

infusionsoft.com.	600	IN	A

Therefore, mail coming from is defined as allowed by this SPF record.

ip4: ip4: ip4: ip4:

These are IP addresses and IP ranges that are explicitly allowed by the SPF record. The IP ranges are listed in CIDR notation, defined in RFC 4632. The IP address from our example,, falls within the range specified by the ip4: directive. Therefore, our example email passes SPF validation.


This tells the receiving mail server what to do with mail from infusionmail.com that does not pass SPF validation. In this case, the SPF record requests that the receiving mail server reject all email from infusionmail.com that does not pass validation.

We can see by looking at the email headers that SPF validation was successful for our example message:

Received: from mta-c-24-39.infusionmail.com (mta-c-24-39.infusionmail.com. [])
        by mx.google.com with ESMTP id c125si9817506pfg.356.2017.
        for <recipient@gmail.com>;
        Tue, 03 Oct 2017 08:56:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of mailer@infusionmail.com designates as permitted sender) client-ip=;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of mailer@infusionmail.com designates as permitted sender) smtp.mailfrom=mailer@infusionmail.com

Do I need to set up SPF with Infusionsoft?

No. The HELO and MAIL FROM address used by Infusionsoft to deliver emails on your behalf is always infusionmail.com. We handle the SPF for that domain name, so there is no need for you to set up an SPF record that authorizes our servers.

If I wanted to set up SPF anyway, how would I do so?

If you do not have an SPF record already, then you will need to create one. If you do have an existing SPF record, then you will need to modify it, as the SPF protocol only supports having one record published. This guide walks you through configuring your SPF record: