SPF Record Setup Guide
Learn how to create and configure Sender Policy Framework (SPF) records to prevent email spoofing and improve deliverability.
Quick Overview
What is SPF?
Sender Policy Framework (SPF) is an email authentication standard (RFC 7208) that lets a domain owner publish, in DNS, the list of mail servers authorized to send email for that domain. When a receiving mail server accepts a message, it looks up the SPF record of the domain in the SMTP envelope sender — the MAIL FROM address, also called the Return-Path — and checks whether the connecting IP is on the authorized list.
Without SPF, any server on the internet can open an SMTP connection and claim to be sending for your domain. SPF is the first of the three core email-authentication mechanisms (SPF, DKIM, DMARC) and is a prerequisite for DMARC to be useful: DMARC can only pass via SPF when SPF both passes and aligns with the visible From: domain.
A critical point that trips up many administrators: SPF validates the envelope sender (MAIL FROM / Return-Path), not the From: header that recipients actually see. A message can pass SPF for one domain while displaying a completely different domain in the From: header — which is exactly why DMARC alignment exists.

How SPF Works
1. A sending server connects to the recipient's MX and issues MAIL FROM:<bounce@yourdomain.com>. 2. The receiving server extracts the domain (yourdomain.com) and queries DNS for its SPF record — a single TXT record at the root of that domain that starts with v=spf1. 3. The receiver evaluates each mechanism left to right against the connecting IP address. Recursive mechanisms (include:, a, mx, redirect=, exists:) trigger additional DNS lookups. 4. The first mechanism that matches the connecting IP determines the result, combined with its qualifier (+pass, ~softfail, -fail, ?neutral). If nothing matches before the all mechanism, the all qualifier applies. 5. The result — pass, fail, softfail, neutral, none, permerror, or temperror — is recorded in the Authentication-Results header and fed into DMARC evaluation.
SPF says nothing about message content and provides no cryptographic guarantee — it is purely an IP-to-domain authorization check at connection time.
SPF Record Structure
An SPF record is a single DNS TXT record published at the root of your domain. It always begins with the version tag and ends with an all mechanism:
v=spf1 [mechanisms...] [qualifier]allThere must be exactly one TXT record beginning with "v=spf1" per domain. Two SPF records is a permerror and breaks authentication entirely.
Mechanism & Qualifier Reference
Each mechanism can carry a qualifier prefix. The default qualifier is + (pass) when none is written. These are the mechanisms and qualifiers you will actually use:
| Mechanism | Purpose | DNS lookup? |
|---|---|---|
| ip4: | Authorize an IPv4 address or CIDR range | no |
| ip6: | Authorize an IPv6 address or CIDR range | no |
| a | Authorize the domain's A/AAAA records | yes (1) |
| mx | Authorize the domain's MX host IPs | yes (1 + 1 per MX) |
| include: | Import another domain's SPF policy | yes (1 + nested) |
| exists: | Pass if a lookup resolves (rare) | yes (1) |
| redirect= | Replace policy with another domain's | yes (1 + nested) |
| all | Match everything (always last) | no |
| Qualifier | Result | Meaning |
|---|---|---|
| + | pass | Authorized (default if omitted) |
| ~ | softfail | Probably not authorized, accept but mark |
| - | fail | Not authorized, reject |
| ? | neutral | No assertion |
Real Example SPF Records
Copy-paste examples for common providers. Replace IPs and includes with your own senders:
# Google Workspace only
v=spf1 include:_spf.google.com ~all
# Microsoft 365 only
v=spf1 include:spf.protection.outlook.com ~all
# Google Workspace + a transactional ESP
v=spf1 include:_spf.google.com include:sendgrid.net ~all
# Own mail server (single IP) + Google Workspace
v=spf1 ip4:203.0.113.10 include:_spf.google.com ~all
# Own /24 range + Mailgun, strict reject
v=spf1 ip4:203.0.113.0/24 include:mailgun.org -allChoosing the all Qualifier
The trailing all mechanism is the catch-all for any IP that did not match an earlier mechanism. It is the single most consequential choice in your record:
• ~all (softfail) — receivers accept the message but treat it as suspicious. This is the correct starting point: it lets DMARC observe failures without bouncing legitimate mail you may have forgotten to list. • -all (hardfail) — receivers reject unauthorized mail outright. Move here only after DMARC aggregate reports confirm every legitimate sender is covered. • ?all (neutral) — makes no assertion; offers no spoofing protection. Avoid except during early diagnostics. • +all (pass) — authorizes the entire internet to send as your domain. This is never correct and actively harmful.
Never publish +all. It tells every receiving server that any IP is a legitimate sender for your domain, defeating SPF entirely and enabling spoofing.
How to Add Your SPF Record
1. Inventory every system that sends mail using your domain: your mailbox provider (Google Workspace, Microsoft 365), transactional/marketing platforms (SendGrid, Mailgun, Mailchimp), helpdesk and CRM tools, and any on-premise mail server. 2. Build a single record that authorizes all of them, preferring ip4:/ip6: for servers you control and include: for managed providers. 3. In your DNS provider, add a TXT record: - Name/Host: @ (or the bare domain / blank, per your provider's convention) - Type: TXT - Value: your full v=spf1 ... ~all string - TTL: 3600 4. Save and allow time for propagation, then confirm with a checker.
A domain may publish only ONE SPF record. Multiple email providers must be combined into a single record with multiple include: statements — never two separate v=spf1 records.
The 10 DNS Lookup Limit
SPF allows a maximum of 10 DNS lookups during evaluation (RFC 7208 §4.6.4). The mechanisms include:, a, mx, exists:, and redirect= each consume lookups, and include:/redirect= also count every lookup performed inside the referenced policy recursively. Exceed 10 and the result is permerror — which DMARC treats as an SPF failure, silently breaking authentication.
Counting rules: • include: = 1 lookup + all lookups inside that policy (a single provider include can hide 3–5 nested lookups) • a = 1 lookup • mx = 1 lookup, plus 1 per returned MX host that must be resolved • ip4: and ip6: = 0 lookups
The practical fix is to replace include: chains with the underlying ip4:/ip6: ranges (SPF "flattening") for senders whose IP space is stable, and to remove includes for services you no longer use.
Use ip4: and ip6: wherever the sender publishes stable IP ranges — they cost zero lookups and are the primary way to stay under the limit.
Verify and Next Step
After publishing, confirm the record resolves, parses, and stays within the lookup limit before tightening the policy. Verify it with our free SPF Checker, which counts your DNS lookups and flattens the include graph, and build or edit your record with the SPF Record Generator.
Once SPF passes and aligns, the next layer is DKIM — a cryptographic signature that survives forwarding and gives DMARC a second, independent way to pass.
SPF alone does not protect the visible From: address. Pair it with DKIM and a DMARC policy for real anti-spoofing protection.
Common Pitfalls to Avoid
- Multiple SPF records
You can only have ONE SPF record per domain. Combine all senders into a single record.
- Exceeding 10 DNS lookups
Each include: adds lookups. Use ip4: and ip6: when possible to stay under the limit.
- Using +all qualifier
This allows anyone to send as your domain. Always use ~all or -all.
- Forgetting subdomains
SPF records are not inherited. Add separate records for subdomains that send email.
Related tools & guides
Frequently asked questions
What is SPF and why do I need it?
SPF (Sender Policy Framework) is an email authentication method that specifies which mail servers are authorized to send email on behalf of your domain. Without SPF, anyone can send emails pretending to be from your domain (email spoofing), leading to phishing attacks and damaging your domain reputation.
How do I create an SPF record?
Create a TXT record in your DNS with the format: v=spf1 [mechanisms] [qualifier]all. For example, for Google Workspace: v=spf1 include:_spf.google.com ~all. Add this record at your DNS provider with the host/name set to @ or your root domain.
What does ~all vs -all mean in SPF?
~all (softfail) marks emails from unauthorized servers as suspicious but accepts them, while -all (hardfail) completely rejects unauthorized emails. Start with ~all to monitor, then move to -all once you confirm all legitimate senders are included.
What is the SPF 10 DNS lookup limit?
SPF has a maximum of 10 DNS lookups. Each include:, a, and mx mechanism counts toward this limit. Exceeding it causes SPF to fail silently. Use ip4: and ip6: instead of include: where possible, as they do not count toward the limit.