Create a TXT record at yourdomain.com beginning with v=spf1; list mechanisms in priority order and end with either -all (fail) or ~all (softfail).
Use ip4: and ip6: literals for IP ranges you control directly—these cost zero DNS lookups and are the most reliable mechanism type.
Use include: only for third-party ESPs that publish their own SPF records; each include: costs one lookup, and any nested includes inside those records also count toward your 10-lookup total.
Audit your record with a tool such as MxToolbox SPF Check or dmarcian SPF Surveyor to count total lookups; the RFC 7208 limit is exactly 10, and exceeding it returns a permerror, which causes SPF to fail.
Avoid the ptr: mechanism entirely (slow, unreliable, deprecated in RFC 7208) and avoid a: or mx: against large MX record sets that themselves trigger additional lookups.
Keep a record of every include: and the ESP it represents; when you offboard a vendor, remove its include: immediately to free up lookup budget.
Known gotchas
The lookup limit counts recursive lookups, not just top-level mechanisms; an include: that internally uses three more include: statements costs four lookups total against your budget.
An SPF record that exceeds 255 characters in a single string must be split into multiple quoted strings within the same TXT record—most DNS UIs handle this automatically but some require manual splitting.
Multiple TXT records for the same name that both start with v=spf1 cause a permerror; you must have exactly one SPF TXT record per DNS name.
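The recursive lookup count and the one-record rule described above can be checked offline. This is an added example, not part of the original page: the zone data is constructed, `count_lookups` and `check` are hypothetical helper names, and macros, the void-lookup limit and the per-`mx` address limit are not modelled.

```python
# Constructed sample zone (name -> TXT strings); stands in for live DNS answers.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.esp-a.example mx -all"],
    "_spf.esp-a.example": ["v=spf1 include:a1.esp-a.example "
                           "include:a2.esp-a.example include:a3.esp-a.example ~all"],
    "a1.esp-a.example": ["v=spf1 ip4:198.51.100.0/25 ~all"],
    "a2.esp-a.example": ["v=spf1 ip4:198.51.100.128/25 ~all"],
    "a3.esp-a.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 mx -all"],
}
LOOKUP_MECHANISMS = ("a", "mx", "ptr", "exists")  # one DNS lookup each
LIMIT = 10  # RFC 7208 lookup limit


class PermError(Exception):
    pass


def spf_record(name, zone):
    """Return the single v=spf1 record for name, or raise PermError."""
    found = [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]
    # Simplification: a missing record is also treated as an error here.
    if len(found) != 1:
        raise PermError(f"{name}: expected one v=spf1 record, found {len(found)}")
    return found[0]


def count_lookups(name, zone, seen=()):
    """Count DNS-querying terms for name, following include: and redirect=."""
    if name in seen:
        raise PermError(f"{name}: include loop")
    total = 0
    for term in spf_record(name, zone).split()[1:]:
        term = term.lstrip("+-~?").lower()
        mech, _, arg = term.partition(":")
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, seen + (name,))
        elif mech == "include":
            total += 1 + count_lookups(arg, zone, seen + (name,))
        elif mech.split("/")[0] in LOOKUP_MECHANISMS:
            total += 1
    return total


def check(name, zone=ZONE):
    """Return (status, detail): detail is the lookup count or the error text."""
    try:
        n = count_lookups(name, zone)
    except PermError as exc:
        return ("permerror", str(exc))
    return ("permerror" if n > LIMIT else "ok", n)
```

In the sample zone, `include:_spf.esp-a.example` alone accounts for four of the five lookups counted for `example.com`, and `dup.example` is rejected because it publishes two `v=spf1` records.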