DNS & email authentication

SPF (Sender Policy Framework)

What an SPF record does, why a missing or weak policy makes your domain easy to spoof in email, and how WebGuard reviews it.

Last updated June 9, 2026

What it is

SPF is a DNS record that lists which mail servers are allowed to send email on behalf of your domain. Receiving servers look it up to decide whether an incoming message claiming to be from you came from an authorized source.

Why it matters

Without a published SPF record, or with one that ends in a permissive `+all`, anyone can send mail that appears to come from your domain, which is the foundation of phishing and business-email-compromise attacks against your customers and staff. A correct SPF record is also a prerequisite for getting DMARC to pass.

How WebGuard checks it

WebGuard performs a read-only DNS lookup of your domain's SPF record and reports whether it exists and whether its policy is appropriately strict. No mail is sent and nothing is changed.

A sensible starting configuration:

v=spf1 include:_spf.your-provider.com -all

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.