SPF Record Setup Guide
Learn how to create and configure Sender Policy Framework (SPF) records to prevent email spoofing and improve deliverability.
What is SPF?
Sender Policy Framework (SPF) is an email authentication method that specifies which mail servers are authorized to send email on behalf of your domain. When receiving servers get an email claiming to be from your domain, they check your SPF record to verify the sender is legitimate.
Without SPF, anyone can send emails pretending to be from your domain (email spoofing). This leads to phishing attacks and damages your domain's reputation.
Basic SPF Record Structure
An SPF record is a TXT record in your DNS that follows this format:
v=spf1 [mechanisms] [qualifier]all
Always start with "v=spf1" to indicate SPF version 1.
Common SPF Mechanisms
Here are the most commonly used SPF mechanisms:
• **include:** - Authorize another domain's SPF record
• **ip4:** - Authorize a specific IPv4 address or range
• **ip6:** - Authorize a specific IPv6 address or range
• **a** - Authorize your domain's A record IP
• **mx** - Authorize your domain's MX servers
• **all** - Match all (used at the end)
Example SPF Records
Here are examples for popular email providers:
# Google Workspace
v=spf1 include:_spf.google.com ~all
# Microsoft 365
v=spf1 include:spf.protection.outlook.com ~all
# Custom mail server + Google
v=spf1 ip4:203.0.113.1 include:_spf.google.com ~all
# Multiple providers
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Understanding Qualifiers
The qualifier at the end determines how to handle emails that don't match:
• **~all** (softfail) - Mark as suspicious but accept (recommended to start)
• **-all** (hardfail) - Reject emails that don't match
• **?all** (neutral) - No policy (not recommended)
• **+all** (pass) - Accept all (defeats the purpose, never use)
Start with ~all and monitor. Move to -all once you confirm all legitimate senders are included.
How to Add Your SPF Record
1. Log into your DNS provider (Cloudflare, GoDaddy, Route 53, etc.)
2. Find the DNS management section
3. Add a new TXT record:
   - **Name/Host:** @ or leave blank (for root domain)
   - **Type:** TXT
   - **Value:** Your SPF record string
   - **TTL:** 3600 (1 hour)
4. Save and wait for DNS propagation
You can only have ONE SPF record per domain. If you have multiple email providers, combine them in a single record using multiple include: statements.
SPF Lookup Limit
SPF has a limit of 10 DNS lookups. Each "include:", "a", and "mx" mechanism counts toward this limit. If you exceed it, SPF fails silently.
Count your lookups:
• include: = 1 lookup + that domain's lookups
• a = 1 lookup
• mx = 1 lookup + 1 per MX server
Use ip4: and ip6: instead of include: where possible, as they don't count toward the limit.
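To check a record against the one-record rule, the permissive "all" case and the lookup limit before publishing it, the following added example (not part of the original guide) counts lookups with the rules listed above. The domains, TXT records and MX server counts are constructed sample data held in a dictionary, so it runs offline; a real check would fetch them from DNS.

```python
# Constructed sample data: made-up domains and documentation IP ranges.
TXT = {
    "example.com": ["v=spf1 a mx ip4:203.0.113.1 include:_spf.mail.example include:bulk.example ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "bulk.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "big.example": ["v=spf1 include:example.com include:_spf.mail.example ~all"],
    "two.example": ["v=spf1 include:bulk.example ~all", "v=spf1 ip4:192.0.2.9 -all"],
    "open.example": ["v=spf1 +all"],
}
MX_HOSTS = {"example.com": 2}  # constructed: number of MX servers per domain
LIMIT = 10

def count_lookups(domain, problems, chain=()):
    """Count DNS lookups for a domain's SPF record using this guide's rules."""
    if domain in chain:
        problems.append(f"{domain}: include loop")
        return 0
    records = [t for t in TXT.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        problems.append(f"{domain}: {len(records)} SPF records, need exactly 1")
        return 0
    total = 0
    for term in records[0].split()[1:]:
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        name = name.split("/")[0]  # "a/24" and "mx/24" carry a CIDR suffix
        if name == "include":  # 1 lookup + that domain's lookups
            total += 1 + count_lookups(arg, problems, chain + (domain,))
        elif name == "a":  # 1 lookup
            total += 1
        elif name == "mx":  # 1 lookup + 1 per MX server
            total += 1 + MX_HOSTS.get(arg.split("/")[0] or domain, 0)
        elif name == "all" and term[0] not in "-~?":  # "+all" or bare "all"
            problems.append(f"{domain}: {term} passes every sender")
    return total

def lint(domain):
    """Return (lookup_count, problems) for the domain's SPF record."""
    problems = []
    count = count_lookups(domain, problems)
    if count > LIMIT:
        problems.append(f"{domain}: {count} lookups exceeds the limit of {LIMIT}")
    return count, problems

if __name__ == "__main__":
    for d in ("example.com", "big.example", "two.example", "open.example"):
        print(d, *lint(d))
```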