TL;DR: SPF tools compared
| Feature | Red Sift SPF Checker | MXToolbox | Google Admin Toolbox | Valimail | DMARCLY | Sendmarc |
| --- | --- | --- | --- | --- | --- | --- |
| Best for | Full enterprise SPF management | Quick DNS diagnostics | Google Workspace validation | Automated SPF via Instant SPF | SPF flattening | SPF management with flattening |
| SPF tree visualization | ✓ (interactive) | ✗ | ✗ | ✗ | ✗ | ✗ |
| DNS lookup counter | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Void lookup detection | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| SubdoMailing detection | ✓ | ✗ | ✗ | Limited | ✗ | ✗ |
| Dynamic SPF/Flattening | ✓ (Dynamic SPF) | ✗ | ✗ | ✓ (Instant SPF, patented) | ✓ (Safe SPF) | ✓ (SPF Optimization) |
| Registration required | No (free checker) | No | No | No | No | No |
| Broader platform | ✓ (SPF, DKIM, DMARC, BIMI, MTA-STS) - via Red Sift Investigate | Partial | Partial | ✓ (SPF, DKIM, DMARC, BIMI) | ✓ | ✓ (SPF, DKIM, DMARC) |
| Enterprise support | Dedicated CSE team | Paid plans | Google support | Sales-led | Email support | Sales-led |
Why Red Sift is the enterprise choice: Red Sift's free SPF Checker gives you instant, visual SPF analysis with no signup. The full OnDMARC platform then solves the 10-lookup limit permanently with Dynamic SPF, gets enterprise organizations to full DMARC enforcement in 6-8 weeks, and is rated 4.9/5 on G2 across 1,200+ organizations.
Understanding SPF for enterprise organizations
SPF (Sender Policy Framework) is an email authentication protocol that tells receiving mail servers which IP addresses are authorized to send email on behalf of your domain. It's defined in RFC 7208 and works by publishing a DNS TXT record that lists your authorized senders [1].
The concept is simple. The reality for enterprises? Not so much.
A typical enterprise uses 8-15 distinct email-sending services: Google Workspace or Microsoft 365 for corporate email, Salesforce for CRM notifications, HubSpot or Marketo for marketing, Zendesk for support tickets, and a handful more for billing, HR, and transactional messages [2]. Every one of those services needs to be authorized in your SPF record. And SPF allows a maximum of 10 DNS lookups per evaluation. Go over that number and receiving servers return a PermError, which means your legitimate emails fail authentication [1].
That 10-lookup limit was set in 2006 when the original SPF standard was drafted. Back then, most organizations sent email from one or two servers. Today, a single include:_spf.google.com mechanism consumes 3-4 lookups on its own because of nested includes. Add Microsoft 365 and a couple of SaaS tools, and you're over the limit before you've finished setting up.
This is the core enterprise SPF challenge: keeping a clean, optimized SPF record as your organization scales, adds vendors, acquires companies, and expands into new regions. A broken SPF record doesn't just affect security. It affects deliverability, customer communication, and DMARC alignment.
What enterprise organizations need from an SPF tool
Before comparing individual tools, here's what matters at enterprise scale:
- Accurate DNS lookup counting: The tool must recursively count every DNS-querying term (the include, a, mx, ptr, and exists mechanisms and the redirect modifier) and clearly show whether you're within the 10-lookup limit. Nested lookups from third-party includes need to be visible, not hidden.
- SPF tree visualization: Enterprise SPF records are deep and branched. A flat text output isn't enough. You need to see which includes trigger which lookups, where duplicate netblocks exist, and where bloat is coming from.
- Syntax and error detection: Common enterprise mistakes include duplicate SPF records, deprecated mechanisms like ptr, records that don't start with v=spf1, and mechanisms placed after the all directive. The tool should flag all of these clearly.
- 10-lookup limit management: Checking your record is one thing. Fixing it is another. Enterprise organizations need tools that go beyond diagnostics and actually solve the lookup limit, either through dynamic flattening, macro-based approaches, or subdomain segmentation guidance.
- Multi-domain support: Enterprises typically manage dozens or hundreds of domains, including acquired brands, regional variants, and subdomains. Your SPF tool needs to handle this scale without per-domain licensing gymnastics.
- Integration with broader email authentication: SPF doesn't exist in isolation. It works alongside DKIM and DMARC. The best enterprise tools provide visibility across all three protocols and show how SPF alignment affects your DMARC posture.
- Ongoing monitoring and alerting: SPF records change when vendors rotate IP addresses, when teams add new services without telling IT, or when DNS propagation introduces errors. Enterprise organizations need continuous monitoring, not one-off checks.
Comprehensive analysis: 6 best enterprise SPF tools
1. Red Sift SPF Checker and OnDMARC platform
Best for: Enterprise organizations wanting complete SPF management with guided implementation and Dynamic SPF
Red Sift offers two entry points for SPF validation. The free SPF Checker provides instant record analysis with no signup, while the full OnDMARC platform delivers enterprise-grade SPF management including the industry's only Dynamic SPF technology.
Key features:
- Interactive SPF tree visualization showing every mechanism, lookup, and nested include in a clickable, color-coded diagram
- Real-time DNS lookup counter with clear pass/fail against the 10-lookup threshold
- Void lookup detection (the lesser-known 2-void-lookup limit that most tools ignore)
- SubdoMailing attack detection, identifying compromised includes that leave your domain open to spoofing [3]
- Syntax validation covering duplicate records, deprecated mechanisms, and misconfigured qualifiers
- Full DMARC, DKIM, BIMI, and MTA-STS analysis available through Red Sift Investigate
Why enterprises choose Red Sift OnDMARC:
The free SPF Checker is the strongest standalone diagnostic tool on this list. But where Red Sift pulls ahead is what happens after you find problems.
Dynamic SPF solves the 10-lookup limit permanently. Instead of traditional SPF records that reference third-party domains (each consuming lookups), Dynamic SPF maintains a single, optimized record that Red Sift automatically updates in real time. When a vendor like Google or Microsoft rotates their sending IPs, Red Sift detects the change and updates your record within minutes. No manual flattening. No stale IP addresses breaking authentication overnight [4].
For enterprises managing complex email environments, this is a game changer. You can add as many email-sending services as your business needs without worrying about hitting the 10-lookup limit. Your IT and security teams don't need to manually monitor vendor IP changes or maintain spreadsheets of SPF includes.
OnDMARC also provides guided DMARC implementation that gets enterprise organizations to full enforcement (p=reject) in 6-8 weeks, which is the fastest in the industry. The platform discovers all your email-sending services (including ones you forgot about), shows exactly how to configure each one, and alerts you immediately if something breaks.
Beyond SPF:
- Red Sift Radar uses AI to analyze DMARC reports and suggest fixes, making troubleshooting 10x faster than reading raw XML
- DNS Guardian monitors for subdomain vulnerabilities attackers could exploit
- Brand Trust alerts you to lookalike domains registered to impersonate your business
Pricing: Flexible enterprise pricing. Start with the free SPF Checker and Investigate tools (no signup), then access a 14-day OnDMARC trial to experience Dynamic SPF and guided implementation.
Best use case: Enterprise organizations running 5+ email-sending services that need to solve the 10-lookup limit permanently and want a single platform for SPF, DKIM, DMARC, BIMI, and MTA-STS management.
2. MXToolbox SPF check
Best for: Quick SPF validation during DNS changes
MXToolbox has been a staple DNS diagnostic tool for years. Its SPF checker is fast, free, and requires zero setup.
Key features:
- Instant SPF record lookup and validation
- DNS lookup count display
- Void lookup detection
- Detection of duplicate records, deprecated mechanisms, and syntax errors
- Detection of characters after the all directive
- Part of a broader DNS diagnostic suite (MX, DMARC, blacklist, SMTP)
Why enterprises use MXToolbox:
MXToolbox is the tool IT teams reach for when they need a quick sanity check. Published a new SPF record? Run it through MXToolbox to confirm the syntax is correct. Troubleshooting a deliverability issue? Check whether the SPF record is valid. It's the equivalent of a spell-checker for your DNS records.
The broader MXToolbox ecosystem includes email delivery tools, blacklist monitoring, and SMTP diagnostics. Paid plans add monitoring and alerting, which is useful for teams that want notification when DNS records change.
Limitations for enterprise use:
MXToolbox doesn't offer SPF tree visualization, so you can't see the branching structure of complex enterprise records. There's no SPF flattening or dynamic management. The interface shows results but doesn't guide you through fixing problems. And if your enterprise has dozens of domains, you'll be checking them one at a time.
Pricing: Free for one-off checks. Paid monitoring plans start from $129/month for their Delivery Center product.
Best use case: IT teams that need a fast, no-signup validation tool for spot-checking SPF records after DNS changes. Not a replacement for ongoing SPF management at enterprise scale.
3. Google Admin Toolbox (Check MX)
Best for: Google Workspace environments validating SPF configuration
Google's Admin Toolbox includes a Check MX tool that validates DNS records, including SPF, for domains using Google Workspace.
Key features:
- SPF record validation with effective address range display
- Checks whether Google servers are properly authorized in SPF
- DKIM and DMARC validation in the same tool
- MTA-STS record checking
- NS record consistency verification across name servers
- Flags deprecated mechanisms and common misconfigurations
Why enterprises use Google Admin Toolbox:
If your enterprise runs Google Workspace, this tool confirms your SPF record properly authorizes Google's sending infrastructure. It expands your SPF includes into effective IP address ranges, showing exactly which IPs are authorized. And it checks broader DNS health in a single pass (MX records, DKIM, DMARC, MTA-STS, NS consistency).
Google's own support documentation references this tool for SPF troubleshooting [5], making it a trusted reference point for Google Workspace administrators.
Limitations for enterprise use:
The tool is designed for Google Workspace environments, so it flags issues from that perspective. It won't give you the same depth of SPF-specific analysis as a dedicated SPF tool. There's no SPF tree visualization, no flattening capability, and no ongoing monitoring. The interface is minimal, which is fine for quick checks but limiting for complex enterprise records with 15+ includes.
Pricing: Free.
Best use case: Google Workspace administrators confirming SPF and broader DNS record configuration. Use alongside a dedicated SPF tool for complete enterprise coverage.
4. Valimail SPF Checker and Instant SPF
Best for: Enterprises wanting automated, macro-based SPF management with a patented approach
Valimail offers a free SPF checker alongside its Instant SPF technology, a patented approach to solving the 10-lookup limit using SPF macros rather than traditional flattening.
Key features:
- Free domain checker that validates SPF, DMARC, and BIMI status in a single report
- Clear "Protected" or "Not Protected" status indicator with no technical jargon
- DNS lookup counter that flags when the 10-lookup limit is exceeded
- Detection of overly permissive IP ranges that could allow spoofing
- Instant SPF (paid) using patented macro-based technology that generates SPF responses dynamically per email
- Free DMARC monitoring tier (Valimail Monitor) with SPF lookup tracking per domain
Why enterprises use Valimail:
Valimail's Instant SPF takes a fundamentally different approach to the lookup limit. Instead of flattening includes into static IP lists, it uses SPF macros to dynamically generate the correct SPF response at evaluation time, returning only the specific authorization needed for a given sending service. This means the record is always current, never stale, and never exceeds the lookup limit regardless of how many services you use.
The free Monitor tier is a strong entry point. It provides DMARC reporting with sender visibility and includes SPF lookup counting across all your domains, so you can spot lookup-limit problems before they affect deliverability. Valimail claims to have helped over 100,000 organizations secure their domains.
Valimail also has strong Microsoft 365 integration. The platform provides automated service discovery for M365 environments, making it easier to identify all sending sources without manual auditing.
Limitations for enterprise use:
The free SPF checker is solid but doesn't offer visual SPF tree analysis. You get a pass/fail with explanations, but not the interactive tree view that helps debug complex enterprise records. Instant SPF is only available on paid tiers (Valimail Enforce), and pricing isn't published, requiring a sales conversation. The macro-based approach also creates a dependency on Valimail's infrastructure: your SPF resolution runs through their servers, so you're trusting their uptime and their DNS performance.
Pricing: Free domain checker and Monitor tier. Instant SPF is part of the paid Enforce product (contact sales for pricing).
Best use case: Enterprises already in the Microsoft 365 ecosystem that want automated SPF management and are comfortable with a sales-led procurement process. The free Monitor tier is a good way to evaluate before committing.
5. DMARCLY SPF Record Checker
Best for: SPF validation with built-in record flattening
DMARCLY's SPF checker combines record validation with a record flattening feature, making it useful for enterprises dealing with the 10-lookup limit.
Key features:
- SPF record validation with syntax checking
- DNS lookup counter
- Built-in SPF record flattening (converts includes to IP addresses in the tool output)
- Clear display of individual SPF mechanisms and their resolved IP addresses
- Safe SPF paid feature for automatic/dynamic SPF flattening
Why enterprises use DMARCLY:
The standout feature is the free flattening: paste your domain, and DMARCLY shows you what a flattened version of your SPF record would look like with all includes resolved to IP addresses. This gives enterprise teams immediate visibility into what their record looks like "expanded" and helps identify which includes consume the most lookups.
DMARCLY's Safe SPF (paid) automates the flattening process, automatically updating the flattened record when upstream providers change their IPs. This addresses the main weakness of manual flattening, where records go stale when vendors rotate IP addresses.
Limitations for enterprise use:
The free checker is a standard text-based validator without visual tree representation. The flattened record output is helpful, but manual flattening (without the paid Safe SPF) introduces maintenance risk since ISP IP addresses change regularly. The broader DMARCLY platform covers DMARC and DKIM, but it's less feature-rich than enterprise-focused platforms when it comes to guided implementation, multi-domain management at scale, and advanced threat detection.
Pricing: Free for the SPF checker tool. Paid platform plans start with a 14-day free trial.
Best use case: Enterprise teams that want to understand what their SPF record looks like when fully expanded and are evaluating whether dynamic flattening is needed.
6. Sendmarc
Best for: SPF management with built-in flattening and a broader DMARC platform
Sendmarc provides a suite of free DNS checker tools alongside a paid platform that includes SPF management, SPF flattening (which they call SPF Optimization), DKIM, and DMARC enforcement.
Key features:
- Free SPF record checker that validates syntax, authorized IPs, and third-party includes
- Free SPF policy tester that checks specific IP addresses against a domain's SPF record
- DNS lookup counter showing total lookups and whether the limit is exceeded
- SPF Optimization (paid) that automatically resolves all includes to IP addresses when the lookup limit is reached
- Continuous monitoring that detects provider IP changes and updates flattened records automatically
- Broader platform covering DMARC enforcement, DKIM management, and reporting
Why enterprises use Sendmarc:
Sendmarc's SPF Optimization feature takes a practical approach to flattening. When your record hits the 10-lookup limit, it automatically resolves all DNS-querying mechanisms down to IP addresses and publishes the optimized version. The resolution runs continuously, so when a provider like Google or Microsoft changes their sending IPs, Sendmarc catches it and updates the record. No manual DNS editing required.
The free tools are functional if basic. The SPF record checker fetches your record and displays authorized senders, syntax issues, and lookup counts. The SPF policy tester goes a step further by letting you test a specific IP address against the record, useful for verifying whether a particular sending service is properly authorized.
Sendmarc's paid platform extends beyond SPF into full DMARC enforcement with reporting, which means enterprises don't need a separate DMARC tool. The company positions itself as a complete email authentication provider rather than an SPF-only solution.
Limitations for enterprise use:
The free SPF tools are straightforward checkers without visual tree analysis or SubdoMailing detection. SPF Optimization is only available to paying customers using Sendmarc's managed SPF feature, so you can't access the flattening on the free tier. The platform is younger and less established than some competitors, with a limited G2 review base (making independent comparison harder). Pricing isn't published and requires a demo conversation, and the company lacks the third-party validation depth of more established vendors like Red Sift or Valimail.
Pricing: Free checker tools. Paid platform with SPF Optimization requires a demo (pricing not publicly listed).
Best use case: Enterprises looking for a combined SPF management and DMARC enforcement platform who want flattening built into a broader toolset rather than a standalone SPF-only solution.
How to choose the right SPF tool for your enterprise
Start with your current SPF complexity
1-5 email-sending services (simple record): Any tool on this list handles basic validation. Start with Red Sift's free SPF Checker for visual tree analysis, and use MXToolbox or Google Admin Toolbox for quick spot checks.
5-10 email-sending services (approaching the limit): You're likely at or near the 10-lookup threshold. Run your domain through Red Sift's SPF Checker to see your exact count, then evaluate whether you need Dynamic SPF (Red Sift OnDMARC), Instant SPF (Valimail), or Safe SPF (DMARCLY) to stay under the limit as you grow.
10+ email-sending services (over the limit): You need an active management solution. Red Sift's Dynamic SPF, Valimail's Instant SPF, DMARCLY's Safe SPF, or Sendmarc's SPF Optimization are your options. The question is whether you want a best-in-class platform (Red Sift OnDMARC) or an alternative that bundles SPF management into a broader DMARC offering.
Match the tool to your team
Dedicated email security team: Red Sift OnDMARC gives them the most complete toolkit with SPF, DKIM, DMARC, BIMI, and MTA-STS in one platform. Valimail Enforce is an alternative if the team is heavily invested in Microsoft 365.
IT generalists managing email alongside other responsibilities: Red Sift OnDMARC's guided implementation reduces the learning curve. The platform tells you exactly what to fix, for which service, in what order.
Managed service provider or outsourced IT: Red Sift OnDMARC's multi-domain support and MSP program make it practical for external teams managing client domains. Sendmarc also positions itself as MSP-friendly with its combined DMARC and SPF management offering.
Consider the broader authentication picture
SPF is one piece of the puzzle. Google, Yahoo, and Microsoft now require SPF, DKIM, and DMARC for bulk senders [6]. Microsoft started enforcing these requirements in May 2025, joining Google and Yahoo who have been enforcing since 2024 [7]. If you're solving SPF in isolation, you're doing half the work.
Red Sift OnDMARC covers the complete stack. The other tools on this list handle SPF specifically, and you'll need to pair them with separate DMARC and DKIM tools.
Common enterprise SPF mistakes (and how to fix them)
Mistake 1: Exceeding the 10 DNS lookup limit without realizing it
- Why this happens: Each SaaS tool your organization adopts adds SPF includes. A few acquisitions later, you're unknowingly over the limit. A single include:_spf.google.com consumes 3-4 lookups due to nested includes. Add Microsoft 365, Salesforce, and HubSpot, and you're past 10 before you've covered half your sending services.
- The impact: Receiving servers return a PermError, and your legitimate emails fail SPF authentication. Because PermError is a permanent failure, DMARC treats it as a fail regardless of your policy [1]. Emails get quarantined or rejected.
- How to fix it: Run your domain through Red Sift's SPF Checker to see your exact lookup count. If you're over 10, implement Dynamic SPF through Red Sift OnDMARC or evaluate flattening options. For a deeper dive, read Red Sift's guide to beating the 10-lookup limit.
Mistake 2: Publishing multiple SPF records for one domain
- Why this happens: A new team adds an SPF record for their email tool without realizing one already exists. Or an old record from a previous email provider is left behind after migration.
- The impact: RFC 7208 requires one SPF record per domain. Two records cause a PermError, and every email from your domain fails SPF [1].
- How to fix it: Query your domain's TXT records and look for multiple entries starting with v=spf1. Merge everything into a single record. Run the merged record through Red Sift's SPF Checker to validate syntax and lookup count before publishing.
Mistake 3: Leaving deprecated or unnecessary mechanisms in the record
- Why this happens: The ptr mechanism is deprecated and the a and mx mechanisms are often included by default from hosting providers, even when they serve no SPF purpose for your sending infrastructure.
- The impact: ptr is unreliable and can consume significant DNS resources. Unnecessary a and mx mechanisms waste precious lookups from your 10-lookup budget and can over-authorize IP addresses that shouldn't be sending email for your domain.
- How to fix it: Audit every mechanism in your SPF record against your actual sending infrastructure. Remove ptr entirely. Remove a and mx unless those specific hosts genuinely send email. Replace them with explicit ip4 or ip6 entries where possible since these don't count against the lookup limit.
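The checks behind the first three mistakes, together with the recursive lookup counting listed earlier as a tool requirement, can be reproduced offline. This is an added example, not code from any vendor compared here; the `ZONE` data, the domain names and the function names are constructed for illustration, and the count is the static worst case (a real evaluator stops at the first matching mechanism).

```python
"""Offline SPF audit: worst-case DNS lookup count plus common record mistakes."""

MAX_LOOKUPS, MAX_VOID = 10, 2            # RFC 7208 section 4.6.4 limits
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data on reserved example domains; a real audit would query DNS.
ZONE = {
    "example.com": ["v=spf1 mx ptr include:_spf.mail.example include:_spf.crm.example "
                    "include:_spf.mkt.example include:gone.example -all a"],
    "_spf.mail.example": ["v=spf1 include:_nb1.mail.example include:_nb2.mail.example "
                          "include:_nb3.mail.example ~all"],
    "_nb1.mail.example": ["v=spf1 ip4:192.0.2.0/26 ~all"],
    "_nb2.mail.example": ["v=spf1 ip4:192.0.2.64/26 ~all"],
    "_nb3.mail.example": ["v=spf1 ip6:2001:db8::/48 ~all"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}._chk.crm.example -all"],
    "_spf.mkt.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "dup.example": ["v=spf1 include:_spf.mkt.example -all", "site-verification=constructed",
                    "v=spf1 ip4:203.0.113.7 -all"],
    "ok.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mkt.example -all"],
}


def spf_records(domain, zone):
    """TXT records at `domain` whose first token is the v=spf1 version tag."""
    return [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]


def parse_term(term):
    """Return (name, target) for one term, dropping the qualifier and CIDR length."""
    body = term.lstrip("+-~?")
    # Modifiers use '=' (redirect=, exp=); mechanisms use ':' before their target.
    sep = "=" if "=" in body and ":" not in body.split("=")[0] else ":"
    name, _, target = body.partition(sep)
    return name.split("/")[0].lower(), target.split("/")[0]


def audit(domain, zone, state=None, depth=0, chain=()):
    """Walk the SPF tree under `domain`, counting lookups and collecting issues."""
    if state is None:
        state = {"lookups": 0, "void": 0, "issues": [], "tree": [], "permerror": False}
    records = spf_records(domain, zone)
    if len(records) != 1:
        # Several records is always PermError; a missing one is PermError when
        # reached through include/redirect (depth > 0) and plain "none" at the top.
        state["permerror"] |= len(records) > 1 or depth > 0
        state["issues"].append(f"{domain}: {len(records)} SPF records, expected 1")
        return state
    seen_all = False
    for term in records[0].split()[1:]:
        name, target = parse_term(term)
        if seen_all and name != "exp":
            state["issues"].append(f"{domain}: '{term}' follows 'all', never evaluated")
            continue
        if name == "ptr":
            state["issues"].append(f"{domain}: deprecated 'ptr' mechanism")
        if name in LOOKUP_TERMS:
            state["lookups"] += 1
            state["tree"].append(f"{state['lookups']:>2} {'  ' * depth}{term}")
        if name in ("include", "redirect"):
            if target == domain or target in chain:
                state["permerror"] = True      # a loop runs until the limit is hit
                state["issues"].append(f"{domain}: '{term}' loops back on itself")
            elif not zone.get(target):
                state["void"] += 1             # the query returns no answer
                state["permerror"] = True      # target has no SPF record to evaluate
                state["issues"].append(f"{domain}: '{term}' returns nothing (void lookup)")
            else:
                audit(target, zone, state, depth + 1, chain + (domain,))
        seen_all = seen_all or name == "all"
    if depth == 0 and (state["lookups"] > MAX_LOOKUPS or state["void"] > MAX_VOID):
        state["permerror"] = True
        state["issues"].append(f"{domain}: {state['lookups']} lookups, {state['void']} void "
                               f"(limits {MAX_LOOKUPS}/{MAX_VOID})")
    return state


if __name__ == "__main__":
    for name in ("example.com", "dup.example", "ok.example"):
        result = audit(name, ZONE)
        print(f"{name}: lookups={result['lookups']} void={result['void']} "
              f"permerror={result['permerror']}")
        print("\n".join(result["tree"] + ["  ! " + i for i in result["issues"]]))
```

In the constructed data the mail provider's single include costs four lookups on its own, which is how the top-level record reaches 12 with only four vendors listed.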
Mistake 4: No SPF monitoring after initial setup
- Why this happens: SPF is often treated as a "set it and forget it" configuration. But third-party vendors change their sending IPs regularly, teams add new tools without updating SPF, and DNS records can be modified accidentally.
- The impact: SPF records drift out of alignment with actual sending infrastructure. Legitimate emails start failing intermittently, and the root cause is hard to trace because nobody's monitoring SPF status.
- How to fix it: Implement continuous monitoring through a platform like Red Sift OnDMARC that alerts you when SPF configurations change or when authentication failures spike. At minimum, schedule monthly SPF audits using Red Sift's Investigate tool.
Mistake 5: Relying on manual SPF flattening
- Why this happens: When organizations hit the 10-lookup limit, a common first response is to manually replace includes with their resolved IP addresses to eliminate DNS lookups.
- The impact: Manual flattening creates a snapshot that goes stale immediately. When Google, Microsoft, or any SaaS provider changes their sending IPs (which happens regularly), your flattened record still references the old addresses. Legitimate emails sent from the new IPs fail SPF. You're trading one problem for another.
- How to fix it: Use automated solutions that keep flattened records in sync. Red Sift's Dynamic SPF, Valimail's Instant SPF, DMARCLY's Safe SPF, and Sendmarc's SPF Optimization all automate this process. The right choice depends on whether you want a best-in-class authentication platform or a combined DMARC and SPF tool.
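The staleness problem with manual flattening can be measured directly by comparing the published flattened record with what the vendors publish today. This is an added example, not any vendor's implementation; the records, address ranges and function names are constructed, and the upstream records are assumed to have been fetched and expanded already.

```python
"""Detect drift between a manually flattened SPF record and current vendor ranges."""
import ipaddress

# Constructed sample: the record an admin flattened some time ago ...
FLATTENED = "v=spf1 ip4:192.0.2.0/26 ip4:192.0.2.64/26 ip4:198.51.100.0/24 -all"
# ... and what the two vendors' SPF records resolve to now (constructed).
UPSTREAM_NOW = [
    "v=spf1 ip4:192.0.2.0/27 ip4:203.0.113.0/25 ~all",
    "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all",
]


def networks(record):
    """ip4/ip6 networks listed directly in one SPF record."""
    nets = []
    for term in record.split()[1:]:
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6") and value:
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def covered(net, pool):
    """True if `net` sits entirely inside some network of the same IP version."""
    return any(net.version == p.version and net.subnet_of(p) for p in pool)


def flatten_drift(flattened_record, upstream_records):
    """Return vendor ranges the flattened record misses and entries gone stale."""
    flat = networks(flattened_record)
    live = [n for rec in upstream_records for n in networks(rec)]
    # Missing: mail from these vendor ranges fails SPF against the flattened record.
    missing = [str(n) for n in live if not covered(n, flat)]
    # Stale: still authorized by the record, no longer published by any vendor.
    stale = [str(n) for n in flat
             if not any(n.version == l.version and n.overlaps(l) for l in live)]
    return {"missing": missing, "stale": stale}


if __name__ == "__main__":
    drift = flatten_drift(FLATTENED, UPSTREAM_NOW)
    print("vendor ranges not authorized:", drift["missing"])
    print("authorized but no longer published:", drift["stale"])
```

Stale entries matter as much as missing ones: they keep authorizing addresses the vendor has stopped publishing.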
Getting started with enterprise SPF
Step 1: Run a free assessment (5 minutes)
Visit Red Sift's SPF Checker and enter your primary domain. No signup required. You'll see your SPF record visualized as a tree, your exact DNS lookup count, any syntax errors, and whether your record contains compromised includes from attacks like SubdoMailing.
Then run your domain through Red Sift Investigate for a complete view of SPF, DKIM, DMARC, BIMI, and MTA-STS in a single report.
Step 2: Identify your exposure
Are you over the 10-lookup limit? Do you have syntax errors or deprecated mechanisms? Are there includes you don't recognize? The answers determine your next move.
Step 3: Choose your path
Path A: Full platform approach (recommended for most enterprises)
- Sign up for a 14-day Red Sift OnDMARC trial
- Enable Dynamic SPF to solve the 10-lookup limit permanently
- Follow guided implementation for SPF, DKIM, and DMARC
- Reach full DMARC enforcement in 6-8 weeks with dedicated support
Path B: Alternative platform approach
- Use Red Sift's free SPF Checker for diagnostics
- Evaluate Valimail Enforce (Instant SPF), DMARCLY (Safe SPF), or Sendmarc (SPF Optimization) for lookup limit management
- Compare platform coverage across SPF, DKIM, DMARC, and BIMI
Path C: Quick validation with free tools
- Use Red Sift SPF Checker for visual analysis
- Use Valimail's free domain checker for a second-opinion report
- Use MXToolbox or Google Admin Toolbox for spot checks
- Plan for a management platform as complexity grows
Why Red Sift is the right choice for enterprise SPF
1. The free tools are genuinely best-in-class. The SPF Checker provides visual tree analysis and SubdoMailing detection that no other free tool matches. Investigate checks your complete email authentication posture in a single pass. No signup. No credit card. No catch.
2. Dynamic SPF solves the enterprise problem. Most enterprises hit the 10-lookup limit. Red Sift's Dynamic SPF fixes it permanently and automatically. No manual flattening, no stale records, no vendor IP changes breaking your authentication overnight.
3. It's not just SPF. OnDMARC covers SPF, DKIM, DMARC, BIMI, and MTA-STS in one platform. Red Sift Radar uses AI to analyze reports and suggest fixes. Brand Trust monitors for lookalike domains. One platform, complete visibility.
4. 6-8 weeks to full enforcement. Red Sift gets enterprise organizations to DMARC p=reject in 6-8 weeks. Other approaches take 3-6 months. The difference: guided implementation and a dedicated Customer Success Engineering team that has done this with 1,200+ organizations.
5. G2-validated. Red Sift OnDMARC holds a 4.9/5 rating on G2 and is ranked #1 in EMEA for DMARC. Enterprise buyers can trust third-party validation, not just vendor claims.
Get started with Red Sift OnDMARC today.
References
[1] RFC 7208 - Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1
[2] SPF Record Analysis: The 10 Lookup Limit and How to Optimize
[3] Free SPF Checker and SPF Record Lookup
[4] SPF breakage 101: How to beat the 10 lookup limit
[5] Troubleshoot SPF issues - Google Workspace Admin Help
[6] Google and Yahoo's Bulk Sender Requirements
[7] 400,000 DMARC boost after Microsoft's high-volume sender update
Frequently asked questions about enterprise SPF tools
What is the SPF 10 DNS lookup limit and why does it matter for enterprises?
The SPF specification (RFC 7208) requires that SPF evaluation must not exceed 10 DNS-querying mechanisms and modifiers per check [1]. The terms that count toward this limit are the include, a, mx, ptr, and exists mechanisms and the redirect modifier. The mechanisms all, ip4, and ip6 do not consume lookups. Enterprise organizations routinely exceed this limit because they use many SaaS tools that each require SPF includes. When the limit is exceeded, receiving servers return a PermError and emails fail authentication.
What's the difference between SPF checking and SPF management?
SPF checking is a diagnostic: you input a domain and the tool validates the record syntax, counts lookups, and flags errors. SPF management goes further by continuously monitoring your record, automatically updating it when vendor IPs change, and ensuring you stay within the 10-lookup limit over time. Enterprise organizations need both. Red Sift's free SPF Checker handles diagnostics, while OnDMARC's Dynamic SPF provides ongoing management.
Is SPF flattening safe for enterprise use?
Manual SPF flattening is risky because it replaces dynamic includes with static IP addresses that can go stale. Automated tools (like Red Sift's Dynamic SPF, Valimail's Instant SPF, DMARCLY's Safe SPF, or Sendmarc's SPF Optimization) mitigate this risk by continuously monitoring vendor IPs and updating your record automatically. For enterprises, automated dynamic approaches are the only viable long-term option.
Do we need an SPF tool if we already have a DMARC platform?
Most DMARC platforms include some SPF validation, but the depth varies. Red Sift OnDMARC provides comprehensive SPF management with Dynamic SPF built in. Other DMARC platforms may show SPF pass/fail rates in reports without offering SPF-specific diagnostics or lookup limit management. Check whether your platform includes visual SPF tree analysis, lookup counting, and flattening before deciding you're covered.
How often should enterprises audit their SPF records?
At minimum, monthly. Realistically, enterprises should use continuous monitoring that alerts them immediately when SPF configurations change. Teams add new email tools, vendors change IP addresses, and DNS records get modified, all without anyone thinking about SPF. Continuous monitoring catches problems before they affect deliverability.
Can we use multiple free SPF tools together?
Yes, and many enterprise teams do. A common approach: use Red Sift's SPF Checker for visual tree analysis and SubdoMailing detection, MXToolbox for quick spot checks, and Valimail's free domain checker for a second-opinion validation. For ongoing management, pair a free checker with a management platform like Red Sift OnDMARC.
What happens to SPF during email forwarding?
SPF breaks when emails are forwarded because the forwarding server's IP isn't authorized in the original sender's SPF record. This is one reason DKIM exists: DKIM signatures survive forwarding because they're tied to the message content, not the sending IP. For enterprise organizations, this means SPF alone isn't sufficient. You need SPF, DKIM, and DMARC working together. Use Red Sift Investigate to check all three protocols at once.
How does SPF relate to the new Google, Yahoo, and Microsoft sender requirements?
Since 2024, Google and Yahoo have required bulk senders (5,000+ daily messages to their users) to have valid SPF, DKIM, and DMARC records. Microsoft joined this enforcement in May 2025 [6, 7]. Non-compliance results in emails being rate-limited, sent to spam, or permanently rejected. SPF is the first step in meeting these requirements, but enterprises need all three protocols properly configured.




