---
title: "Doing Sender Policy Framework (SPF) delegation the right way | DMARC Report"
description: "Doing Sender Policy Framework (SPF) delegation the right way from DMARC Report explains practical steps for email authentication, domain protection."
image: "https://dmarcreport.com/og/blog/doing-sender-policy-framework-spf-delegation-the-right-way.png"
canonical: "https://dmarcreport.com/blog/doing-sender-policy-framework-spf-delegation-the-right-way/"
---

Quick Answer

Per [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208), SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check - exceeding either limit produces a `PermError` that fails authentication for every message from the domain.


![Doing Sender Policy Framework (SPF) delegation the right way](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-record-6071.jpg) 

![Dmarc analyzer 6 150x150](https://media.mailhop.org/dmarcreport/images/2024/08/dmarc-analyzer-6-150x150.jpg) 

> Compliance is driving a lot of the DMARC adoption we see, says Vasile Diaconu, Operations Lead at DuoCircle. PCI DSS v4.0, Google’s sender requirements, Microsoft’s May 2025 enforcement - our support team fields questions about these mandates daily. The organizations that moved early are already at p=reject. The rest are scrambling.



At times, you need an external party to handle the exchange of emails on your behalf. Since you can’t afford to overlook [email authentication](https://dmarcreport.com/blog/a-basic-guide-to-email-authentication-for-legal-professionals/) done through **SPF, DKIM, and DMARC**, you need to give control of a few [DNS records](https://www.techopedia.com/definition/5349/dns-record) so that everything works properly.

This blog specifically shares how domain owners can do SPF delegation to give control of their **TXT SPF record** to [third-party vendors](https://www.upguard.com/blog/third-party-vendor), allowing them to legitimately send emails on your behalf. Please note that SPF delegation is a one-time process and should not be ignored if you don’t want to impact your domain’s [email deliverability](https://dmarcreport.com/blog/fix-spf-permerror-overcome-too-many-dns-lookups/) and business communications at various levels.

![How to create dmarc record](https://media.mailhop.org/dmarcreport/images/2024/08/how-to-create-dmarc-record-1.jpg) 

## Getting started with SPF delegation

To begin with, you have to add the IP address of your [website’s hosting server](https://www.forbes.com/advisor/in/business/software/fastest-web-hosting/). Doing this is safe until the hosting server goes down, because then all the outgoing emails will fail to reach the intended recipients and bounce back to the sender’s inbox with a message of ‘failed delivery.’

Since SPF, [DKIM](https://dmarcreport.com/what-is-dkim/), and DMARC are designed to be compatible with each other, SPF delegation doesn’t trigger any issues with DKIM and [DMARC](https://dmarcreport.com/). In fact, at times, DKIM also uses SPF delegation to allow third parties to send emails on your behalf. If DKIM doesn’t use SPF delegation, then the possibility of your emails failing SPF and DKIM checks increases, placing your emails in recipients’ [spam folders](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/), or worse, having them bounced back to you. Other discrepancies and policy conflicts also trigger delivery failures.

## Prepping your domain for SPF delegation

Fortunately, configuring your domain for SPF delegation isn’t a tough job; just follow these steps, and you will be good to go:

1. Open the [DNS manager](https://eitca.org/cybersecurity/eitc-is-wsa-windows-server-administration/dns-and-hosts-in-windows-server/understanding-domain-name-system-in-windows-server/examination-review-understanding-domain-name-system-in-windows-server/how-can-you-access-the-dns-manager-in-windows-server/) and navigate to the menu bar.
2. Select the domain that requires an update.
3. In the SPF delegation overview, modify the SPF record as follows:
   - **a record**: Add the ‘a’ record, entering 32 in the [IPv4 CIDR column](https://build5nines.com/ipv4-address-cidr-range-reference-and-calculator/) and 128 in the IPv6 CIDR column.
   - **mx record**: Add the ‘mx’ record, entering 32 in the IPv4 CIDR column and 128 in the IPv6 CIDR column.
   - **include**: Insert all necessary ‘include’ statements, ensuring that only the specified values are included.
   - **ipv4**: List all IPv4 addresses. If the IPv4 entry specifies a range (e.g., /22), enter 22 in the ‘CIDR’ column. If no range is listed, enter 32 in the ‘CIDR’ column.
   - **ipv6**: List all [IPv6 addresses](https://www.techtarget.com/iotagenda/definition/IPv6-address). If the IPv6 entry specifies a range (e.g., /36), enter 36 in the ‘CIDR’ column. If no range is listed, enter 128 in the ‘CIDR’ column.
   - **Policy**: Choose either a soft fail (~all) or a hard fail (-all). For beginners and domains with significant [email traffic](https://www.campaignmonitor.com/blog/email-marketing/email-traffic-how-to-build-your-list-organically/), a soft fail setting is recommended.
4. Once you’ve made these changes, click ‘Save’ and publish the record in the DNS manager.
5. At the bottom of the page, a DNS entry will be generated, which needs to be published in your domain’s DNS records.
6. After publishing, your [SPF record](https://dmarcreport.com/tools/spf-record-generator/) will be hosted and managed directly through the DNS manager, eliminating the need for an external DNS manager.
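The form fields in step 3 map directly onto SPF terms, and a CIDR of 32 (IPv4) or 128 (IPv6) is the default that can be left off the published record. The sketch below is an added example, not DMARC Report's code; the function names, the `.test` vendor domain and the documentation-range addresses are assumptions made up for illustration.

```python
import ipaddress


def _dual_cidr(name, cidrs):
    """Render 'a' or 'mx' from the form's IPv4 / IPv6 CIDR columns."""
    v4, v6 = cidrs
    if not (0 <= v4 <= 32 and 0 <= v6 <= 128):
        raise ValueError(f"{name}: CIDR length out of range")
    term = name
    if v4 != 32:        # /32 is the default: exact IPv4 host match
        term += f"/{v4}"
    if v6 != 128:       # /128 is the default: exact IPv6 host match
        term += f"//{v6}"
    return term


def _net(value, cls):
    """Validate one address or range; strict parsing rejects host bits and the wrong family."""
    net = cls(value)
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)   # single host: no CIDR suffix needed
    return str(net)


def build_spf(a=None, mx=None, includes=(), ip4=(), ip6=(), policy="~all"):
    """Assemble the record in the order of the form: a, mx, include, ip4, ip6, policy."""
    if policy not in ("~all", "-all"):
        raise ValueError("policy must be ~all (soft fail) or -all (hard fail)")
    terms = ["v=spf1"]
    if a is not None:
        terms.append(_dual_cidr("a", a))
    if mx is not None:
        terms.append(_dual_cidr("mx", mx))
    for domain in includes:
        if not domain or any(ch.isspace() for ch in domain):
            raise ValueError(f"bad include target: {domain!r}")
        terms.append(f"include:{domain}")
    terms += [f"ip4:{_net(v, ipaddress.IPv4Network)}" for v in ip4]
    terms += [f"ip6:{_net(v, ipaddress.IPv6Network)}" for v in ip6]
    terms.append(policy)
    return " ".join(terms)


if __name__ == "__main__":
    # Constructed sample input mirroring the form: 32/128 for a and mx, one /22, one /36.
    print(build_spf(a=(32, 128), mx=(32, 128),
                    includes=["_spf.mailvendor.test"],
                    ip4=["192.0.2.10", "198.51.100.0/22"],
                    ip6=["2001:db8::/36"]))
```

A range typed with host bits set, such as `198.51.100.7/22`, raises `ValueError` instead of silently authorising a different network than intended.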

## Pointers to keep in mind

Take care of the following things while you perform the above-listed steps:

![Dmarc check](https://media.mailhop.org/dmarcreport/images/2024/08/dmarc-check-4968.jpg) 

### Syntax

The syntax must be used according to the rules; otherwise, the record doesn’t work as intended. Improper use of syntax leads to errors in an SPF record, hindering its ability to stop phishing and [spoofing attacks](https://www.dell.com/en-us/perspectives/new-internet-research-shows-30000-spoofing-attacks-per-day/).

Improper use of syntax also results in more DNS lookups, which get counted towards the limit of 10 DNS lookups. If your SPF record exceeds this limit, you can use the [automatic SPF flattening tool](https://autospf.com/).
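Each delegated vendor's `include` brings its own nested lookups, so the total is not visible from the top-level record alone. The following added example (not from the original article or any DMARC Report tool) counts the DNS-querying terms reachable from a record, using constructed zone data with placeholder `.test` vendor names.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: DNS-querying terms allowed per SPF check
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^[+\-~?]?([A-Za-z][A-Za-z0-9_.-]*)(?:[:=]([^/\s]+))?")

# Constructed zone data (domain -> SPF TXT record); no real DNS is queried.
ZONE = {
    "example.org": "v=spf1 a mx include:_spf.mailvendor.test include:crm.test ip4:192.0.2.10 ~all",
    "_spf.mailvendor.test": "v=spf1 include:a.mailvendor.test include:b.mailvendor.test ~all",
    "a.mailvendor.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "b.mailvendor.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "crm.test": "v=spf1 a mx exists:%{i}.rbl.crm.test ~all",
}

# The same domain after delegating to one more vendor whose record nests an include.
ZONE_AFTER = dict(ZONE)
ZONE_AFTER["example.org"] = ZONE["example.org"].replace(" ~all", " include:spf.helpdesk.test ~all")
ZONE_AFTER["spf.helpdesk.test"] = "v=spf1 include:a.mailvendor.test ~all"


class PermError(Exception):
    """Raised for conditions a receiver would report as SPF PermError."""


def count_lookups(domain, zone, stack=()):
    """Worst-case count: every term is evaluated (a real check stops at the first match)."""
    if domain in stack:
        raise PermError(f"include loop at {domain}")
    parts = (zone.get(domain) or "").split()
    if not parts or parts[0].lower() != "v=spf1":
        raise PermError(f"no SPF record at {domain}")
    total = 0
    for term in parts[1:]:
        m = TERM.match(term)
        if not m:
            raise PermError(f"syntax error in term {term!r}")
        name, target = m.group(1).lower(), m.group(2)
        if name in QUERYING:
            total += 1                      # ip4, ip6 and all cost nothing
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, stack + (domain,))
    return total


def verdict(domain, zone):
    """Return (status, lookup_count) for the record published at `domain`."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > LOOKUP_LIMIT else "ok", n)


if __name__ == "__main__":
    print(verdict("example.org", ZONE))        # before the extra vendor
    print(verdict("example.org", ZONE_AFTER))  # after the extra vendor
```

The void-lookup limit and the per-`mx` address-lookup limit are not modelled here; only the 10-term limit is counted.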

### Length limits

An SPF TXT record is restricted to a 255-character limit imposed by RFC for compatibility, security, and [DNS protocol](https://www.ibm.com/topics/dns-protocol) constraints. SPF records that exceed the limit lead to complexities and increase the probability of human errors, non-uniformities, and conflicts. We suggest you use multiple records if necessary.

### Order of entries

Here’s the typical order of entries for a valid SPF record: version, mechanisms (include, a, mx, ip4, ip6, and ptr), modifiers, qualifiers, all mechanisms (~all or -all).

For example:

```
v=spf1 ip4:192.168.0.1 include:example.com -all
```

This example indicates that only the specified [IP address](https://en.wikipedia.org/wiki/IP%5Faddress) and those included from example.com are allowed to send emails on behalf of the domain, while all others will fail the SPF check.

### Reliable service provider

Ensure your service provider is reputable because delegating your SPF record to an external vendor makes your domain susceptible to attacks.

### Regulatory compliances

Several regulations like [GDPR](https://www.investopedia.com/terms/g/general-data-protection-regulation-gdpr.asp) and CAN-SPAM require businesses to deploy preventive measures against phishing and spoofing. If your SPF record is not correctly configured and managed, your business could be subject to litigation.


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

Published 2024-08-16; last modified 2026-04-16.
