What you'll learn
- What SPF is and why it's critical for email security
- How to create a valid SPF record
- SPF syntax and mechanisms explained
- How to authorize email servers to send on your behalf
- Best practices and common pitfalls to avoid
What is SPF?
SPF (Sender Policy Framework) is an email authentication protocol that lets a domain owner publish, in DNS, which mail servers are authorized to send email using that domain. The domain SPF checks is the one in the SMTP envelope sender (the MAIL FROM address, shown to recipients as Return-Path), or the HELO/EHLO host name when the envelope sender is empty, as it is for bounces. That makes it hard for spammers to send mail with your domain as the envelope sender from hosts you have not listed.
When an email is received, the receiving server looks up the SPF record of the envelope-sender domain and checks whether the connecting server's IP address is authorized. If it isn't, the result is softfail or fail depending on the qualifier you chose, and the receiver may mark the message as spam or reject it. Note that SPF alone says nothing about the "From:" header the recipient actually sees: an attacker can pass SPF for a domain they control while putting your domain in From:. DMARC closes that gap by requiring the From: domain to align with the domain that passed SPF (or DKIM).
How SPF Works
1. Email is sent using your domain
A mail server connects to the recipient's server and announces an envelope sender (MAIL FROM) of someone@yourdomain.com.
2. Receiving server checks the SPF record
The receiving server looks up the TXT records for yourdomain.com and uses the one that starts with v=spf1.
3. Server IP is validated
The connecting server's IP address is checked, left to right, against the mechanisms in that record, following any include: or redirect= into other domains' records.
4. Email passes or fails the SPF check
The qualifier of the first matching mechanism decides the result: pass if the IP is authorized, otherwise softfail, fail or neutral. The receiver then decides whether to accept, flag or reject the message.
Step 1: Identify Your Email Sources
Before creating an SPF record, identify all services that send email on behalf of your domain:
- Your email provider - Google Workspace, Microsoft 365, etc.
- Marketing platforms - Mailchimp, SendGrid, Constant Contact
- Transactional email services - AWS SES, Postmark, Mailgun
- CRM systems - Salesforce, HubSpot
- Help desk software - Zendesk, Freshdesk
- Your own mail servers - If you host email yourself
Step 2: Create Your SPF Record
An SPF record is a TXT record that starts with v=spf1 and includes mechanisms that define authorized senders.
Basic SPF Record Structure
v=spf1 include:_spf.google.com ~all
Breaking it down:
- v=spf1 - SPF version identifier (required, and it must be the first term)
- include:_spf.google.com - Evaluate Google's published SPF record; the sender passes if it passes there
- ~all - Soft fail for every server not matched above (recommended while you are still confirming your list of senders)
Common SPF Mechanisms
| Mechanism | Purpose | Example |
|---|---|---|
| include: | Evaluate another domain's SPF record; matches if that record returns pass for the sender | include:_spf.google.com |
| ip4: | Authorize an IPv4 address or CIDR range | ip4:192.0.2.1 or ip4:192.0.2.0/24 |
| ip6: | Authorize an IPv6 address or CIDR range | ip6:2001:db8::1 or ip6:2001:db8::/32 |
| a | Authorize the IPs in the A/AAAA records of the domain itself, or of a named host | a or a:mail.example.com |
| mx | Authorize the IPs of the domain's MX hosts | mx |
SPF Qualifiers
| Qualifier | Result | Recommendation |
|---|---|---|
| + | Pass (the default when no qualifier is written) | For authorized servers; never publish +all, it authorizes every host on the internet |
| ~ | Soft Fail | Use ~all while you are still confirming your list of senders |
| - | Fail (Hard Fail) | Use -all once you are certain every legitimate sender is listed |
| ? | Neutral | Equivalent to publishing no policy for that sender; rarely useful |
Example SPF Records
Google Workspace Only
v=spf1 include:_spf.google.com ~all
Microsoft 365 Only
v=spf1 include:spf.protection.outlook.com ~all
Multiple Services
v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 ~all
Google Workspace + SendGrid + a specific IP (the two include: terms cost two of your ten DNS lookups; the ip4: term costs none)
With MX Records
v=spf1 mx include:_spf.google.com ~all
Authorize your MX servers and Google (mx and include: each count as one DNS lookup)
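To make the evaluation steps in "How SPF Works" and the mechanism and qualifier tables concrete, here is an added example (not code from the original page, and not any receiver's real implementation) of a minimal check_host() in the spirit of RFC 7208. It runs against a constructed in-memory DNS table; the records it holds for example.com, _spf.google.com and the other names are invented for the example and are not those domains' real data. It supports ip4, ip6, a, mx, include, all and redirect=, enforces the 10-lookup limit, and returns permerror for duplicate records, an include of a domain with no record, and self-including loops. Macros, ptr, exists and the a/mx dual-CIDR syntax are deliberately left out.

```python
"""check_host(): a minimal SPF evaluator (RFC 7208 semantics) over a constructed DNS table."""
import ipaddress

# Constructed stand-in for DNS. These records are invented for this example and are
# NOT the real SPF data of google.com or any other domain.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx include:_spf.google.com ip4:192.0.2.1 ~all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.10"]},
    "_spf.google.com": {"TXT": ["v=spf1 include:_netblocks.google.com -all"]},
    "_netblocks.google.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all"]},
    "dup.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all", "v=spf1 mx -all"]},  # two SPF records
    "broken.example": {"TXT": ["v=spf1 include:nospf.example -all"]},           # includes a domain with no SPF
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},              # includes itself
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "redirect", "exists", "ptr"}  # each costs one DNS lookup
MAX_LOOKUPS = 10

def spf_records(domain):
    """All TXT records of `domain` that are SPF records (the version tag must be the first term)."""
    return [t for t in DNS.get(domain, {}).get("TXT", []) if t == "v=spf1" or t.startswith("v=spf1 ")]

def addresses_of(host):
    """A and AAAA records of a host in the constructed table."""
    rec = DNS.get(host, {})
    return rec.get("A", []) + rec.get("AAAA", [])

def ip_in(ip, network):
    # A bare address is a /32 or /128 network; an address of the other IP version never matches.
    return ip in ipaddress.ip_network(network, strict=False)

def check_host(ip, domain, budget=None):
    """Return pass, fail, softfail, neutral, none or permerror for sender `ip` and `domain`."""
    budget = budget if budget is not None else [0]   # lookup counter shared across includes
    ip = ipaddress.ip_address(ip)
    records = spf_records(domain)
    if len(records) != 1:
        return "none" if not records else "permerror"  # zero records: none; several: permerror
    redirect = None
    for term in records[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term:              # other modifiers such as exp= do not affect the result
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in LOOKUP_TERMS:
            budget[0] += 1
            if budget[0] > MAX_LOOKUPS:
                return "permerror"   # too many DNS lookups: the whole evaluation fails
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip.version == int(name[2]) and ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, addr) for addr in addresses_of(arg or domain))
        elif name == "mx":
            hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(ip_in(ip, addr) for h in hosts for addr in addresses_of(h))
        elif name == "include":
            inner = check_host(ip, arg, budget)
            if inner in ("none", "permerror"):
                return "permerror"   # RFC 7208: including a domain without a valid record is a permerror
            matched = inner == "pass"  # include matches only on pass; its fail/softfail is ignored
        else:
            return "permerror"       # unknown mechanism (ptr and exists are not implemented here)
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        budget[0] += 1
        return check_host(ip, redirect, budget)
    return "neutral"                 # nothing matched and no redirect: the RFC 7208 default result

if __name__ == "__main__":
    for sender in ("203.0.113.5", "198.51.100.10", "192.0.2.1", "2001:db8:1::1", "10.0.0.1"):
        print(f"{sender:>16} -> {check_host(sender, 'example.com')}")
    for bad in ("dup.example", "broken.example", "loop.example"):
        print(f"{bad:>16} -> {check_host('10.0.0.1', bad)}")
```

The shared budget list is the detail worth noticing: the lookup limit is counted across the whole evaluation, so the includes nested inside _spf.google.com cost example.com lookups too, which is why a record that looks short can still exceed ten.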
Step 3: Add SPF Record to DNS
Add your SPF record as a TXT record at the root of your domain:
Hostname: @ (or leave blank for the root domain)
Record Type: TXT
Value: v=spf1 include:_spf.google.com ~all
Important SPF Rules
- Only ONE SPF record per domain: if more than one TXT record starts with v=spf1, receivers return permerror and treat your domain as having no valid policy at all
- Maximum 10 DNS lookups per evaluation: include:, a, mx, ptr, exists and redirect= each count, including the ones inside the records you include; ip4: and ip6: do not
- Each TXT string is limited to 255 characters; a longer record must be published as several strings, which DNS concatenates. Keep the whole record to roughly 450 characters so the DNS answer still fits in a 512-byte UDP reply
- Always end with ~all or -all; a record with no all term leaves every unlisted sender at neutral, which gives no protection
Step 4: Verify Your SPF Record
After adding your SPF record, verify it's working correctly:
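As an added example (not part of the original page, and not any vendor's checker), the function below applies the rules from the "Important SPF Rules" list to the raw TXT data a resolver would return, without needing network access. The samples it checks are constructed for the example; the input shape, a list of records each made of one or more character-strings, mirrors how DNS stores TXT values longer than 255 bytes. It counts only the top-level lookup terms, so a real record that passes here can still exceed the limit through nested includes.

```python
"""lint_spf(): static checks on the TXT data published for a domain, no DNS needed."""

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
MAX_STRING = 255          # DNS TXT character-string limit
RECOMMENDED_TOTAL = 450   # keeps the whole answer inside a 512-byte UDP reply

# Constructed samples of what a TXT lookup returns: a list of records, each a list of
# character-strings, because DNS stores long TXT values as several <=255-byte strings.
GOOD = [["v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 ~all"]]
DUPLICATE = [["v=spf1 include:_spf.google.com ~all"], ["v=spf1 include:sendgrid.net ~all"]]
NO_ALL = [["v=spf1 include:_spf.google.com"]]
PLUS_ALL = [["v=spf1 include:_spf.google.com +all"]]
TOO_MANY = [["v=spf1 " + " ".join(f"include:spf{i}.example" for i in range(11)) + " -all"]]
OVERLONG = [["v=spf1 " + " ".join(f"ip4:198.51.100.{i}" for i in range(40)) + " -all"]]
SPLIT_OK = [["v=spf1 ip4:192.0.2.0/24 ", "ip4:198.51.100.0/24 -all"]]  # two strings, concatenated by DNS

def term_name(term):
    """Mechanism or modifier name of a term, with qualifier, argument and CIDR suffix stripped."""
    return term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()

def lint_spf(txt_records):
    """Return a list of problems; an empty list means every check passed.
    Lookups are counted for this record only; terms inside included records add to the real total."""
    spf = [r for r in txt_records if "".join(r) == "v=spf1" or "".join(r).startswith("v=spf1 ")]
    if not spf:
        return ["no TXT record starting with v=spf1 found"]
    problems = []
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records published; receivers return permerror for more than one")
    for chunk in spf[0]:
        if len(chunk.encode()) > MAX_STRING:
            problems.append(f"a TXT string is {len(chunk.encode())} bytes; the limit is {MAX_STRING}, split it")
    record = "".join(spf[0])
    if len(record.encode()) > RECOMMENDED_TOTAL:
        problems.append(f"record is {len(record.encode())} bytes; keep it under {RECOMMENDED_TOTAL} so the reply fits in 512 bytes")
    terms = record.split()[1:]
    lookups = sum(1 for t in terms if term_name(t) in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-querying terms; the limit is {MAX_LOOKUPS} (permerror beyond it)")
    last = terms[-1] if terms else ""
    if term_name(last) == "all":
        if last in ("all", "+all"):
            problems.append("+all authorizes every host on the internet; use ~all or -all")
    elif not any(term_name(t) == "redirect" for t in terms):
        problems.append("record has no all term; unlisted senders get neutral, which gives no protection")
    return problems

if __name__ == "__main__":
    samples = [("good", GOOD), ("duplicate", DUPLICATE), ("no all", NO_ALL), ("+all", PLUS_ALL),
               ("too many", TOO_MANY), ("overlong", OVERLONG), ("split", SPLIT_OK)]
    for label, sample in samples:
        print(f"{label:>10}: {lint_spf(sample) or 'OK'}")
```

Feed it the strings your resolver returns (for example the TXT answer from dig, one inner list per record, one string per quoted chunk) and fix every reported problem before switching from ~all to -all.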
Best Practices
1. Start with Soft Fail (~all)
Use ~all initially to monitor without risking legitimate email delivery. After confirming that every sender is listed, switch to -all (hard fail) for stricter enforcement. Keep in mind that DMARC treats softfail and fail the same way (neither counts as an SPF pass), so once DMARC is deployed the choice mainly affects receivers that act on SPF alone.
2. Keep Under 10 DNS Lookups
Each include:, a, mx, ptr, exists and redirect= term counts toward the 10 lookup limit, and the lookups inside the records you include count too. Exceeding the limit does not produce a fail but a permerror, and most receivers then behave as if you had published no SPF record at all, so your legitimate mail loses its SPF pass.
3. Use IP Addresses When Possible
ip4: and ip6: mechanisms don't count toward the DNS lookup limit. If you have static IPs, use them instead of includes, but remember that a hard-coded range has to be updated by hand whenever the provider changes it, which is exactly the maintenance an include: would have done for you.
4. Document Your SPF Record
Keep a list of all services included in your SPF record and why they're there. This makes updates easier and prevents accidentally removing authorized senders.
Troubleshooting
SPF Record Not Found
- Verify the record is on the root domain (@), not on a subdomain such as www or mail
- Check that it's a TXT record type (the separate SPF record type was deprecated by RFC 7208 and is not relied on by receivers)
- Wait for the previous record's TTL to expire; propagation usually takes 15-30 minutes but can take longer
- Ensure there are no typos in v=spf1 (it must be the first term, exactly as written)
Too Many DNS Lookups
- Replace include: mechanisms with ip4: or ip6: where possible
- Remove unused email services from your SPF record
- Consider SPF flattening tools, with caution: they expand includes into literal IPs, which go stale as soon as a provider changes its ranges, so a flattened record needs to be re-checked regularly
- Contact service providers for their specific IP ranges
Multiple SPF Records Error
- You can only have ONE SPF record per domain
- Combine all mechanisms into a single record
- Remove duplicate SPF TXT records from DNS
Next Steps
Once your SPF record is set up, complete your email authentication by setting up DKIM, which signs messages so receivers can verify they were not altered, and DMARC, which ties the From: header the recipient sees to your SPF and DKIM results and sends you reports on who is sending mail as your domain.