Doing Sender Policy Framework (SPF) delegation the right way
Quick Answer
Per RFC 7208, SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check. Exceeding either limit produces a `PermError` that fails authentication for every message from the domain.
Compliance is driving a lot of the DMARC adoption we see, says Vasile Diaconu, Operations Lead at DuoCircle. PCI DSS v4.0, Google’s sender requirements, Microsoft’s May 2025 enforcement - our support team fields questions about these mandates daily. The organizations that moved early are already at p=reject. The rest are scrambling.
At times, you need an external party to handle the exchange of emails on your behalf. Since you can't afford to overlook email authentication done through SPF, DKIM, and DMARC, you need to hand that party control of a few DNS records so that everything works properly.
This blog specifically shares how domain owners can perform SPF delegation, giving control of their TXT SPF record to third-party vendors so that they can legitimately send emails on your behalf. Please note that SPF delegation is a one-time process and should not be ignored if you don't want to impact your domain's email deliverability and business communications at various levels.
**Getting started with SPF delegation**
To begin with, you have to add the IP address of your website's hosting server. Doing this is safe until the hosting server goes down, because then all the outgoing emails will fail to reach the intended recipients and bounce back to the sender's inbox with a 'failed delivery' message.
Since SPF, DKIM, and DMARC are designed to be compatible with each other, SPF delegation doesn't trigger any issues with DKIM and DMARC. In fact, at times, DKIM also uses SPF delegation to allow third parties to send emails on your behalf. If DKIM doesn't use SPF delegation, the chance of your emails failing SPF and DKIM checks increases, landing your emails in recipients' spam folders or, worse, bouncing them back to you. Other discrepancies and policy conflicts also trigger delivery failures.
**Prepping your domain for SPF delegation**
Fortunately, configuring your domain for SPF delegation isn't a tough job; just follow these steps and you will be good to go:
- Open the DNS manager and navigate to the menu bar.
- Select the domain that requires an update.
- In the SPF delegation overview, modify the SPF record as follows:
  - **a record**: Add the 'a' record, entering 32 in the IPv4 CIDR column and 128 in the IPv6 CIDR column.
  - **mx record**: Add the 'mx' record, entering 32 in the IPv4 CIDR column and 128 in the IPv6 CIDR column.
  - **include**: Insert all necessary 'include' statements, ensuring that only the specified values are included.
  - **ipv4**: List all IPv4 addresses. If the IPv4 entry specifies a range (e.g., /22), enter 22 in the 'CIDR' column. If no range is listed, enter 32 in the 'CIDR' column.
  - **ipv6**: List all IPv6 addresses. If the IPv6 entry specifies a range (e.g., /36), enter 36 in the 'CIDR' column. If no range is listed, enter 128 in the 'CIDR' column.
  - **Policy**: Choose either a soft fail (~all) or a hard fail (-all). For beginners and domains with significant email traffic, a soft fail setting is recommended.
- Once you've made these changes, click 'Save' and publish the record in the DNS manager.
- At the bottom of the page, a DNS entry will be generated, which needs to be published in your domain's DNS records.
- After publishing, your SPF record will be hosted and managed directly through the DNS manager, eliminating the need for an external DNS manager.
**Pointers to keep in mind**
Take care of the following things while you perform the steps listed above:
**Syntax**
Mechanisms and modifiers only work as intended when they follow the SPF syntax rules. Incorrect syntax leads to errors in an SPF record, hindering its ability to stop phishing and spoofing attacks.
Improper syntax also results in more DNS lookups, which count towards the limit of 10 DNS lookups. If your SPF record exceeds this limit, you can use the automatic SPF flattening tool.
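The lookup cap from the Quick Answer and the syntax note above is easiest to understand by counting. The following is an added example, not DMARC Report's tooling and not the flattening tool mentioned above: it walks an SPF record over a constructed in-memory DNS fixture, counts each `a`, `mx`, `ptr`, `exists`, `include` and `redirect=` as one lookup the way RFC 7208 section 4.6.4 does, tracks void (empty-answer) lookups separately, and reports a PermError for the three conditions the RFC names: more than 10 lookups, more than 2 void lookups, or more than one `v=spf1` record at a name. Every domain name and address in the fixture is constructed from reserved `.test` names and documentation ranges.

```python
"""Count the DNS lookups an SPF record triggers and apply the RFC 7208 limits.

Added example for this post, not DMARC Report's or any DNS manager's own
tooling. The DNS data is a constructed in-memory fixture; nothing is queried
on the wire.
"""
import re

MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: a, mx, ptr, exists, include, redirect= each count
MAX_VOID = 2      # RFC 7208 s4.6.4: queries that come back empty have their own cap

# Constructed fixture: name -> {"TXT": [...], "A": [...], "MX": [...]}
FIXTURE = {
    "example.test": {"TXT": ["v=spf1 mx include:_spf.vendor.test include:_spf.crm.test -all"],
                     "MX": ["mail.example.test"]},
    "_spf.vendor.test": {"TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf2.vendor.test ~all"]},
    "_spf2.vendor.test": {"TXT": ["v=spf1 a a:relay.vendor.test -all"], "A": ["192.0.2.10"]},
    "relay.vendor.test": {"A": ["192.0.2.11"]},
    "_spf.crm.test": {"TXT": ["v=spf1 include:_nb1.crm.test include:_nb2.crm.test -all"]},
    "_nb1.crm.test": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "_nb2.crm.test": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    # Three records that each trip one of the permerror conditions.
    "bloated.test": {"TXT": ["v=spf1 " + " ".join(f"include:_nb{i}.bloated.test"
                                                  for i in range(11)) + " -all"]},
    "ghosts.test": {"TXT": ["v=spf1 a:gone1.test a:gone2.test a:gone3.test -all"]},
    "doubled.test": {"TXT": ["v=spf1 -all", "v=spf1 mx -all"]},
}
for i in range(11):
    FIXTURE[f"_nb{i}.bloated.test"] = {"TXT": ["v=spf1 ip4:192.0.2.1 -all"]}

# qualifier, mechanism/modifier name, separator, argument
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:([:=/])(.*))?$", re.I)


class PermError(Exception):
    """Raised where RFC 7208 says check_host() must return permerror."""


def query(name, rtype, state, counted=True):
    """One DNS query against the fixture, updating the lookup and void counters.

    The initial fetch of the domain's own record is not counted (counted=False);
    every query a mechanism or redirect= causes is.
    """
    answers = FIXTURE.get(name, {}).get(rtype, [])
    if counted:
        state["lookups"] += 1
        if state["lookups"] > MAX_LOOKUPS:
            raise PermError(f"more than {MAX_LOOKUPS} DNS-querying mechanisms")
        if not answers:
            state["void"] += 1
            if state["void"] > MAX_VOID:
                raise PermError(f"more than {MAX_VOID} void lookups")
    return answers


def spf_record(name, state, counted=True):
    """The single v=spf1 TXT record at name; two or more is permerror (RFC 7208 s4.5)."""
    spf = [r for r in query(name, "TXT", state, counted)
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(spf) > 1:
        raise PermError(f"{name} publishes {len(spf)} SPF records")
    return spf[0] if spf else None


def count_lookups(domain, state=None):
    """Walk the record, recursing into include and redirect=, and return the counters.

    Address lookups for MX targets and PTR results have their own separate cap
    in RFC 7208 and are deliberately not added to the main counter here.
    """
    top = state is None
    state = state or {"lookups": 0, "void": 0}
    record = spf_record(domain, state, counted=not top)
    if record is None:
        # For an include target this is permerror (s5.2); for the top-level
        # domain the RFC result is "none", which this checker also reports.
        raise PermError(f"{domain} has no SPF record")
    has_all, redirect = False, None
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            raise PermError(f"unparsable term {term!r}")
        mech, sep, arg = m.group(1).lower(), m.group(2), m.group(3) or ""
        if mech in ("a", "mx"):
            target = arg.split("/")[0] if sep == ":" else domain
            query(target, mech.upper(), state)
        elif mech == "ptr":
            query(domain, "PTR", state)
        elif mech == "exists":
            query(arg, "A", state)
        elif mech == "include":
            count_lookups(arg, state)
        elif mech == "redirect":
            redirect = arg
        elif mech == "all":
            has_all = True
        elif mech not in ("ip4", "ip6", "exp"):  # exp= is not counted (s4.6.4)
            raise PermError(f"unknown mechanism {mech!r}")
    if redirect and not has_all:  # redirect= is ignored when all is present (s6.1)
        count_lookups(redirect, state)
    return state


def check(domain):
    """('ok', counters) when the record stays within limits, else ('permerror', reason)."""
    try:
        return "ok", count_lookups(domain)
    except PermError as e:
        return "permerror", str(e)


if __name__ == "__main__":
    for name in ("example.test", "bloated.test", "ghosts.test", "doubled.test"):
        print(name, check(name))
```

`example.test` in the fixture resolves cleanly at 8 lookups, which shows how quickly two vendor includes that themselves include other names approach the cap; `bloated.test`, `ghosts.test` and `doubled.test` each trip one of the three permerror conditions. Swapping the fixture for a real resolver is the only change needed to run this against a live zone.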
**Length limits**
An SPF TXT record is restricted to a 255-character limit imposed by the RFC for compatibility, security, and DNS protocol constraints. SPF records that exceed the limit add complexity and raise the probability of human error, inconsistencies, and conflicts. We suggest you use multiple records if necessary.
**Order of entries**
Here is the typical order of entries for a valid SPF record: version, mechanisms (include, a, mx, ip4, ip6, and ptr), modifiers, qualifiers, and the all mechanism (~all or -all).
For example:
v=spf1 ip4:192.168.0.1 include:example.com -all
This example indicates that only the specified IP address and the senders included from example.com are allowed to send emails on behalf of the domain, while all others will fail the SPF check.
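To tie the form columns from the steps above to the record they produce, here is an added example that is not the DNS manager's own code. It builds the record from rows shaped like the form (kind, value, CIDR column), emits the terms in the order this section describes (version, mechanisms, modifiers, then the all mechanism), flags terms placed after `all` (RFC 7208 section 5.1 never evaluates them), and splits a long record into the 255-octet strings that one TXT record is made of (RFC 7208 section 3.3). That splitting is how the length limit from the previous section is met without publishing a second `v=spf1` record at the same name, which RFC 7208 section 4.5 treats as a permanent error. The hostnames and addresses are constructed from documentation ranges; `FORM_ROWS` is an assumed shape for the form's data, not the product's.

```python
"""Assemble an SPF record from DNS-manager form rows and lay it out as TXT strings.

Added example for this post, not the DNS manager's own code. Row shape
(kind, value, cidr) and all hostnames/addresses are constructed.
"""
import ipaddress

# Order the post describes: version, mechanisms (in the order of the steps
# above), modifiers, then the all mechanism appended last by build_spf().
KIND_ORDER = {"a": 0, "mx": 1, "include": 2, "ip4": 3, "ip6": 4, "ptr": 5,
              "redirect": 6, "exp": 7}  # 6 and 7 are modifiers
MAX_STRING = 255  # octets per <character-string> in a TXT RR (RFC 7208 s3.3)


def term_for(kind, value="", cidr=None):
    """Turn one form row into an SPF term.

    The form's default CIDR (32 for IPv4, 128 for IPv6) means 'single address'
    and is dropped; any other prefix length is emitted. For a and mx the CIDR
    column is a (v4, v6) pair rendered in the dual-cidr-length syntax of s5.3.
    """
    if kind in ("a", "mx"):
        v4, v6 = cidr or (32, 128)
        suffix = ("" if v4 == 32 else f"/{v4}") + ("" if v6 == 128 else f"//{v6}")
        return f"{kind}:{value}{suffix}" if value else f"{kind}{suffix}"
    if kind == "ptr":
        return f"ptr:{value}" if value else "ptr"
    if kind in ("ip4", "ip6"):
        cidr = (32 if kind == "ip4" else 128) if cidr is None else cidr
        ipaddress.ip_network(f"{value}/{cidr}", strict=False)  # rejects malformed input
        return f"{kind}:{value}" if cidr in (32, 128) else f"{kind}:{value}/{cidr}"
    if kind == "include":
        return f"include:{value}"
    if kind in ("redirect", "exp"):
        return f"{kind}={value}"
    raise ValueError(f"unknown entry kind {kind!r}")


def build_spf(rows, policy="~all"):
    """v=spf1, then the rows grouped in KIND_ORDER (stable within a kind), then the policy."""
    if policy not in ("~all", "-all", "?all", "+all"):
        raise ValueError("policy must be one of ~all -all ?all +all")
    ordered = sorted(rows, key=lambda r: KIND_ORDER[r[0]])
    return " ".join(["v=spf1"] + [term_for(*r) for r in ordered] + [policy])


def check_order(record):
    """Ordering problems the post warns about; an empty list means the record is fine."""
    terms = record.split()
    problems = []
    if not terms or terms[0] != "v=spf1":
        problems.append("record must start with v=spf1")
    alls = [i for i, t in enumerate(terms) if t.lstrip("+-~?") == "all"]
    if not alls:
        problems.append("no all mechanism: record never says what to do with other senders")
    elif alls[0] != len(terms) - 1:
        problems.append("terms after all are never evaluated")  # RFC 7208 s5.1
    return problems


def txt_strings(record):
    """Split into <=255-octet strings; a resolver concatenates them back (RFC 7208 s3.3)."""
    data = record.encode("ascii")
    chunks = [data[i:i + MAX_STRING].decode() for i in range(0, len(data), MAX_STRING)]
    assert "".join(chunks) == record
    return chunks


def zone_line(name, record):
    """Zone-file form: one TXT RR whose RDATA is one or more quoted strings."""
    return f"{name}. IN TXT " + " ".join(f'"{c}"' for c in txt_strings(record))


# Constructed rows in the shape of the form from the steps above.
FORM_ROWS = [
    ("a", "", (32, 128)),
    ("mx", "", (32, 128)),
    ("include", "_spf.vendor.test", None),
    ("ip4", "192.0.2.0", 22),
    ("ip4", "203.0.113.7", 32),
    ("ip6", "2001:db8::", 36),
    ("ip6", "2001:db8::25", 128),
]

# A constructed 431-character record; it also carries 12 DNS-querying includes,
# which is a separate problem from its length and breaks the 10-lookup cap.
LONG = build_spf([("include", f"_spf.vendor{i:02d}.example.test", None)
                  for i in range(12)], "-all")

if __name__ == "__main__":
    record = build_spf(FORM_ROWS)
    print(record)
    print(check_order(record) or "order ok")
    print(zone_line("example.test", record))
    print(zone_line("long.test", LONG))
```

A record built this way lands the policy last by construction, so `check_order` mainly earns its keep on records written by hand. Splitting is done on octet boundaries rather than at spaces because the resolver concatenates the strings with nothing in between, so a token cut in two is reassembled exactly.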
**Reliable service provider**
Ensure your service provider is reputable, because delegating your SPF record to an external vendor makes your domain susceptible to attacks.
**Regulatory compliance**
Several compliance regimes, such as GDPR and CAN-SPAM, require businesses to deploy preventive measures against phishing and spoofing. If your SPF record is not correctly configured and managed, your business could be subject to litigation.
General Manager
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.