An SPF record exists for one technical reason: to tell receiving mail servers which senders may use a domain's name. But because every SaaS tool that sends email on a company's behalf must be listed there, the record doubles as a signed inventory of the company's email stack — readable by anyone, updated whenever the stack changes, and impossible to fake without breaking their own mail. As of the 2026-07-05 snapshot of our daily Tranco top-1M scan, 623,370 domains publish SPF. For an SDR, that is pre-call research infrastructure hiding in plain sight.
The 60-second read
Pull the record:
$ dig +short TXT prospect-company.com | grep spf1
"v=spf1 include:_spf.google.com include:sendgrid.net
include:mail.zendesk.com include:amazonses.com ~all"Then parse it in three passes:
- Who sends their human mail? An
include:_spf.google.comorinclude:spf.protection.outlook.comtells you the mailbox provider — and therefore which spam filter will judge your own outreach (cross-check with the MX, per our MX guide). - Who sends their machine mail? Each further include is a product decision: SendGrid or Amazon SES for transactional, Mailchimp or Brevo for marketing, Zendesk for support, Salesforce for CRM sends. Every one is a tool they evaluated, bought, and wired into production.
- How is the record built? Structure — not just contents — carries signal. More on that below.
Multi-ESP is the norm, and that is the insight
Because most companies authorise several senders, ESP shares in our dataset sum comfortably past 100% of SPF domains. The leaders as of the same snapshot: Amazon SES at 6.21% (up 2.2× since 2022's 2.86%), SendGrid at 4.75%, and Mailgun at 4.10%.
For discovery, the combination matters more than any single vendor. A domain with Google Workspace + SES + Zendesk is an engineering-led company running its own product notifications. Google Workspace + Mailchimp and nothing else suggests a marketing-led SMB with no transactional depth. Workspace alone means email is not yet a system they invest in — which may be exactly your opening. Our anatomy of a healthy multi-ESP stack maps the common patterns.
Reading maturity from the record's shape
The qualifier at the end
The record's final token says how strictly the company polices its own name: -all (hard fail for unlisted senders) signals a tight operation; ~all (soft fail) is the common pragmatic default; ?all or +all means effectively no enforcement — a security-hygiene data point worth remembering if you sell anything adjacent to email or security.
Subdomain discipline
Mature senders separate streams: marketing mail from news.company.com, product mail from mail.company.com, keeping the apex record short and each stream's reputation isolated. If the apex SPF is a kitchen sink of eight includes, the email program likely grew without an owner — and note that our scan classifies by apex SPF, so subdomain-only vendors will not show in the apex record you pull.
Flattening and the 10-lookup ceiling
SPF allows at most 10 DNS lookups per evaluation; overflowing it breaks authentication with a PermError. Companies near the ceiling either prune vendors or "flatten" the record into raw IP blocks, usually with dedicated tooling. A flattened record therefore signals a company that hit real scale in email — while also hiding its vendors from you (a measurement honesty problem we dissect in our flattening article).
The point is never to recite DNS at a prospect. It is to walk in with the right hypothesis: the incumbent named, the maturity level guessed, two discovery questions replaced by sharper ones. The aggregate context — which senders are growing, what a typical stack looks like in your ICP's segment — is in the daily email infrastructure report, refreshed nightly.
And the same record cuts both ways: your prospects' filters read your SPF exactly this closely. Before the next sequence launches, check your own record's qualifier, lookup count and alignment — then confirm the result the empirical way, with a placement test that shows which folder your mail actually reaches.