--- title: "Learning to perform SPF delegation for enhanced email delivery | DuoCircle" description: "Learning to perform SPF delegation for enhanced email delivery." image: "https://www.duocircle.com/images/og-default.png" canonical: "https://www.duocircle.com/blog/email-security/learning-to-perform-spf-delegation-for-enhanced-email-delivery/" --- Quick Answer SPF delegation lets a domain owner authorize an external sender (a third-party vendor or external mail server) to send on the domain's behalf without failing authentication. It is a one-time DNS edit that does not interfere with DKIM or DMARC. Steps: open DNS manager, edit the SPF TXT record, set the 'a' mechanism CIDR to 32 (IPv4) and 128 (IPv6), add 'mx' with the same CIDRs, add include: statements for each authorized sender, list IPv4 addresses (CIDR 32 if no range) and IPv6 addresses (CIDR 128 if no range), end with \~all (softfail) for new domains or -all (hardfail) for mature ones, save, publish, and test with an SPF lookup tool. Stay under the 255-character record limit and the 10-DNS-lookup limit, the two constraints that most often break SPF in production. Learning to perform SPF delegation for enhanced email delivery Your browser does not support the audio element. [ Download episode](https://media.mailhop.org/duocircle/images/2024/07/Learning-to-perform-SPF-delegation-for-enhanced-email-delivery.mp3) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Femail-security%2Flearning-to-perform-spf-delegation-for-enhanced-email-delivery%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Learning%20to%20perform%20SPF%20delegation%20for%20enhanced%20email%20delivery&url=undefined%2Fblog%2Femail-security%2Flearning-to-perform-spf-delegation-for-enhanced-email-delivery%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Femail-security%2Flearning-to-perform-spf-delegation-for-enhanced-email-delivery%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Femail-security%2Flearning-to-perform-spf-delegation-for-enhanced-email-delivery%2F&title=Learning%20to%20perform%20SPF%20delegation%20for%20enhanced%20email%20delivery "Share on Reddit") [ ](mailto:?subject=Learning%20to%20perform%20SPF%20delegation%20for%20enhanced%20email%20delivery&body=Check out this article: undefined%2Fblog%2Femail-security%2Flearning-to-perform-spf-delegation-for-enhanced-email-delivery%2F "Share via Email") ![DuoCircle blog post image](https://media.mailhop.org/duocircle/images/2024/07/spf-flattening-1234.jpg) The SPF delegation method is for domain owners who authorize an **external email server** to send emails on their behalf without having them fail the [email authentication](/resources/email-authentication) checks. This requires you to make some alterations to the existing SPF record. ## What is SPF delegation? SPF delegation is a **one-time activity** performed by a domain owner to give control of their existing [SPF record](/content/spf-records) to an external email server or [third-party vendor](https://www.ncontracts.com/nsight-blog/what-is-a-third-party-vendor) who is officially allowed to send emails as one of the representatives of their organization. _This whole effort ensures that genuine emails sent by authorized outsiders don’t get marked as spam or [bounce back](https://woodpecker.co/blog/why-emails-bounce-10-most-common-issues/) due to authentication issues._ SPF delegation doesn’t interfere with the working of DKIM and [DMARC](/email/dmarc). In fact, sometimes, **DKIM itself uses SPF delegation** to let authorized third-party IP addresses be used to send emails. [![SPF delegation](https://media.mailhop.org/duocircle/images/2024/07/sp-permerror-5678.jpg)](https://media.mailhop.org/duocircle/images/2024/07/sp-permerror-5678.jpg) ## How is SPF delegation done? To perform SPF delegation for an outsider, you have to mention their IP addresses in a **TXT-format record** at the start of your DNS zone file. This ensures their messages are treated as per the [SPF softfail](/what-is-spf-softfail) mechanism (represented by \~all) and not the SPF hardfail mechanism (represented by -all). Here are the steps to go about it- 1. Go to your [DNS manager](https://beehosting.pro/what-is-a-dns-manager/) and **choose the domain** for which you have to do SPF delegation. 2. Make the following changes to your SPF record- - - **‘a’ record**: Enter 32 and 128 in the IPv4 and IPv6 CIDR columns, respectively. - **‘mx’ record**: Add the [mx record](https://en.wikipedia.org/wiki/MX%5Frecord) and mention 32 and 128 in the IPv4 and IPv6 CIDR columns, respectively. - **‘include’ statements**: _Add all the necessary ‘include’ statements and ensure only the specified values are mentioned._ - **IPv4 addresses**: List all the [IPv4 addresses](https://www.cloudns.net/blog/what-is-ipv4-everything-you-need-to-know/). If the IPv4 entry specifies a range (e.g., /22), enter 22 in the CIDR column. However, enter 32 in the [CIDR](https://aws.amazon.com/what-is/cidr/) column if no range is mentioned. - **IPv6 addresses**: List all the [IPv6 addresses](https://www.techtarget.com/iotagenda/definition/IPv6-address). If the IPv6 entry specifies a range (e.g., /36), enter 36 in the CIDR column. However, enter 128 in the CIDR column **if no range is mentioned**. - **Policy**: Set the policy to either softfail (\~all) or hardfail (-all). For beginners and domains with heavy email traffic, setting the SPF records to **softfail is recommended**. - **Exchange SPF check**: After completing the setup, click ‘Save’ and publish the record on DNS. A DNS entry will be generated at the bottom of the page, which you need to add to your domain’s [DNS record](/data-privacy/dns-record-types-defined-and-explained/). - **Publishing and testing**: After adding the DNS entry, your SPF record will be hosted and managed within the DNS manager. Use [SPF testing tools](/content/spf-record-tester/kitterman-spf) to ensure it is configured correctly and that emails are appropriately authenticated. [![email security](https://media.mailhop.org/duocircle/images/2024/07/spf-record-tester.jpg)](https://media.mailhop.org/duocircle/images/2024/07/spf-record-tester.jpg) ## Final words Please ensure you stay within the **character limit of 255** and lookup limit of 10; people often oversee these criteria, triggering [SPF validation](/content/spf-validation-failed) issues. SPF, [DKIM](/resources/what-is-dkim), and DMARC complement each other and should be used as a set of three for **maximum protection** against [phishing](https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html), [spoofing](https://www.scmagazine.com/brief/video-spoofing-malware-distributed-via-telegram-for-android-zero-day), [ransomware](https://www.newsbytesapp.com/news/science/largest-trial-court-in-us-gets-hit-by-ransomware-attack/story), etc. For optimal [email security](/), [our experts can help you get started](/contact) with email authentication or fix the existing SPF, DKIM, and DMARC records. ## Topics DKIMDMARCemail securityUpdates ![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) Brad Slavin General Manager General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio. ## Secure your email infrastructure Protect, authenticate, and deliver. Contact our team to find the right solution. [Contact Sales](/contact/) [Explore Products](/products/) ## Related Articles [ Email Security 8m Configuring DKIM to sign mail from your Microsoft 365 domain Jun 27, 2024 ](/blog/email-security/configuring-dkim-sign-mail-from-your-microsoft-365-domain/)[ Email Security 8m A roundup of TLDs that were the prime target of cyber attackers in 2024 Nov 19, 2024 ](/blog/email-security/prime-tlds-targeted-by-cyber-attackers-in-2024-roundup/)[ Email Security 8m Designing A Custom Dkim Architecture For High-Volume Email Senders Apr 28, 2026 ](/blog/designing-custom-dkim-architecture-for-high-volume-email-senders/)[ Email Security 12m DMARC, SPF, and DKIM in 2026: Why Email Authentication Is Now a Regulatory Requirement, Not Just a Best Practice Apr 29, 2026 ](/blog/dmarc-spf-dkim-2026-email-authentication-regulatory-requirement-best-practice/) ```json {"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"Learning to perform SPF delegation for enhanced email delivery","description":"Learning to perform SPF delegation for enhanced email delivery.","url":"https://www.duocircle.com/blog/email-security/learning-to-perform-spf-delegation-for-enhanced-email-delivery/","datePublished":"2024-07-24T16:36:30.000Z","dateModified":"2025-04-29T10:39:50.000Z","dateCreated":"2024-07-24T16:36:30.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/learning-to-perform-spf-delegation-for-enhanced-email-delivery/"},"articleSection":"email-security","keywords":"DKIM, DMARC, email security, Updates","wordCount":529,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2024/07/spf-flattening-1234.jpg","caption":"DuoCircle blog post image","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":2,"name":"Email Security"},{"@type":"ListItem","position":3,"name":"Learning to perform SPF delegation for enhanced email delivery","item":"https://www.duocircle.com/blog/email-security/learning-to-perform-spf-delegation-for-enhanced-email-delivery/"}]}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":3,"name":"Email Security","item":"https://www.duocircle.comundefined"},{"@type":"ListItem","position":4,"name":"Learning to perform SPF delegation for enhanced email delivery","item":"https://www.duocircle.com/blog/email-security/learning-to-perform-spf-delegation-for-enhanced-email-delivery/"}]} ``` ```json {"@context":"https://schema.org","@type":"BlogPosting","headline":"Learning to perform SPF delegation for enhanced email delivery","description":"Learning to perform SPF delegation for enhanced email delivery.","url":"https://www.duocircle.com/blog/email-security/learning-to-perform-spf-delegation-for-enhanced-email-delivery/","datePublished":"2024-07-24T16:36:30.000Z","dateModified":"2025-04-29T10:39:50.000Z","dateCreated":"2024-07-24T16:36:30.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/learning-to-perform-spf-delegation-for-enhanced-email-delivery/"},"articleSection":"email-security","keywords":"DKIM, DMARC, email security, Updates","wordCount":529,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2024/07/spf-flattening-1234.jpg","caption":"DuoCircle blog post image","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}} ```