How to Set Up SPF Records: Step-by-Step Guide
A practical guide to creating and configuring SPF records for your domain. Covers syntax, setup for Google Workspace and Microsoft 365, common errors, and testing.
What is SPF?
SPF (Sender Policy Framework) is a DNS-based email authentication protocol that lets you specify which mail servers are authorized to send email on behalf of your domain. It works by publishing a TXT record in your domain's DNS that lists the IP addresses and hostnames allowed to send email as your domain.
When a receiving mail server gets a message, it takes the domain from the SMTP envelope sender (MAIL FROM, which shows up as Return-Path in the delivered message), fetches that domain's SPF record, and checks the connecting server's IP against it. If the IP is listed, SPF passes. If it's not, SPF fails. Note that SPF checks the envelope sender, not the From: header the recipient sees; DMARC is what ties the two together by requiring the SPF-authenticated domain to align with the From: domain, so whether a failing message is flagged, quarantined, or rejected depends on your DMARC policy.
SPF is one of the three pillars of email authentication, alongside DKIM and DMARC. Setting it up correctly is essential for email deliverability and protecting your domain from spoofing.
SPF Record Syntax Explained
An SPF record is a single TXT record published at the domain used as the envelope sender, which for most setups is your domain's root. Subdomains do not inherit it: a subdomain that sends mail needs its own record. Here's the anatomy of a typical record:
v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:spf.protection.outlook.com ~all
Let's break down each part:
Version Tag
v=spf1: Required. Identifies this as an SPF record. Must be the first element.
Mechanisms
| Mechanism | Description | Example |
|---|---|---|
| ip4: | Authorize an IPv4 address or CIDR range | ip4:203.0.113.5 |
| ip6: | Authorize an IPv6 address or range | ip6:2001:db8::/32 |
| include: | Evaluate another domain's SPF record; matches if that record returns pass | include:_spf.google.com |
| a | Authorize the IP(s) in the domain's A/AAAA record, or a named domain's (a:mail.example.com) | a |
| mx | Authorize the IP(s) of the domain's MX hosts, or a named domain's (mx:example.net) | mx |
| exists: | Match if an A lookup of the given name (after macro expansion) returns a record | exists:%{i}._spf.example.com |
| redirect= | A modifier, not a mechanism: evaluate another domain's record in place of this one; only used if no mechanism in the record matched | redirect=_spf.example.com |
Qualifiers
| Qualifier | Meaning | Usage |
|---|---|---|
| + (Pass) | Authorize. This is the default if no qualifier is specified | +ip4:... |
| - (Fail) | Hard fail. Unauthorized senders should be rejected | -all |
| ~ (SoftFail) | Soft fail. Unauthorized, but don't outright reject | ~all |
| ? (Neutral) | No assertion. Treated as if there were no SPF record | ?all |
The "all" Mechanism
The all mechanism at the end of your record is the catch-all. It tells receivers what to do with senders not explicitly listed. Best practice is -all (hard fail) if you're confident you've listed everything, or ~all (soft fail) as a safer default during initial setup.
Setting Up SPF for Google Workspace
If Google Workspace is your only email sender, your SPF record is straightforward:
v=spf1 include:_spf.google.com ~all
To add this record:
- Log in to your DNS provider (GoDaddy, Cloudflare, Namecheap, etc.)
- Navigate to DNS management for your domain
- Add a new TXT record:
  - Host/Name: @ (represents your root domain)
  - Type: TXT
  - Value: v=spf1 include:_spf.google.com ~all
  - TTL: 3600 (or leave default)
- Save and wait for DNS propagation (up to 48 hours, usually much faster)
If you also use other services (a marketing platform, a CRM, etc.), add their include before the ~all:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
The example above adds Mailchimp (servers.mcsv.net) alongside Google Workspace.
Setting Up SPF for Microsoft 365
For Microsoft 365 (Exchange Online), the SPF record is:
v=spf1 include:spf.protection.outlook.com ~all
The setup process is the same as above: add a TXT record at your domain root. If you're using both Microsoft 365 and other services:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all
SPF Include Values for Common Providers
Here's a quick reference for popular email services. Treat it as a starting point: providers change these values over time, and many let you set a custom Return-Path (bounce) domain, in which case the SPF record has to be published on that domain because that is the domain SPF checks. Confirm the current value in each provider's documentation:
| Provider | SPF Include |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Mailchimp | include:servers.mcsv.net |
| SendGrid | include:sendgrid.net |
| Mailgun | include:mailgun.org |
| Amazon SES | include:amazonses.com |
| HubSpot | include:spf.hubspot.com (verify in your portal) |
| Zendesk | include:mail.zendesk.com |
| Postmark | include:spf.mtasv.net |
| Freshdesk | include:email.freshdesk.com |
Common SPF Errors and How to Fix Them
Too Many DNS Lookups (PermError)
This is the single most common SPF problem. The SPF specification (RFC 7208) limits a record to 10 DNS lookups in total. Each include:, a, mx, ptr, redirect=, and exists: term counts as a lookup; ip4:, ip6:, and all do not. Nested includes inside included records count against the same budget. There is a second, less known limit: more than two lookups that return no answer ("void lookups", usually a typo in an include or a decommissioned provider) should also produce an error.
If your record exceeds 10 lookups, SPF returns a PermError. Receivers do not treat that as a pass, so under DMARC the message fails SPF, and unless DKIM passes and aligns as well, it fails DMARC too. In practice that means all your email could fail authentication because of one extra include.
How to fix it:
- Replace include: mechanisms with direct ip4: or ip6: addresses where possible (IP addresses don't count as lookups)
- Remove services you no longer use
- Use SPF flattening tools that resolve includes down to IP addresses. The caveat: the flattened IPs go stale when the provider changes its ranges, so flattening has to be re-run on a schedule or it starts producing silent failures.
- Split senders across subdomains (e.g., marketing.yourdomain.com for Mailchimp). Each subdomain gets its own SPF record with its own 10-lookup budget, and the provider has to be configured to send with that subdomain as the envelope sender.
Use our SPF checker to see exactly how many lookups your record uses.
Multiple SPF Records
You can only have one SPF record per domain. If you have two TXT records both starting with v=spf1, SPF will fail with a PermError. This commonly happens when you add a new provider's SPF record without merging it into your existing one.
Wrong:
v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all
Correct:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Using +all
Never use +all. This tells the world that every server is authorized to send email as your domain, completely defeating the purpose of SPF. Always use ~all or -all.
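The mechanics described in the syntax section above, the 10-lookup PermError, the multiple-record PermError, and the effect of +all can all be exercised offline. The following is an added example written for this guide, not code from the original page or any SPF library: a small SPF evaluator whose DNS is a constructed in-memory table (ZONES), so that all domains, addresses and records in it are made up. It walks a record left to right the way a receiver does, recursing into include:, charging every DNS-querying term against a shared budget, and refusing a domain that publishes two v=spf1 records. The static count_lookups function counts the way checker tools do, which can differ from the runtime count when an early mechanism matches.

```python
import ipaddress
# Added example for this guide (not code from the original page): an offline SPF
# evaluator. DNS is replaced by ZONES, a constructed in-memory table, so it runs
# without network. It applies the mechanisms and qualifiers from the syntax
# section, enforces the 10-lookup limit, rejects two v=spf1 records, shows +all.

MAX_LOOKUPS = 10
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data: name -> {"TXT": [...], "A": [...], "MX": [...]}
ZONES = {
    "example.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailer.test -all"],
                    "MX": ["mx.example.com"]},
    "mx.example.com": {"A": ["198.51.100.25"]},
    "_spf.mailer.test": {"TXT": ["v=spf1 ip6:2001:db8::/32 include:_n1.mailer.test ~all"]},
    "_n1.mailer.test": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    "two.example": {"TXT": ["v=spf1 ip4:203.0.113.1 -all", "v=spf1 ip4:203.0.113.2 -all"]},
    "open.example": {"TXT": ["v=spf1 +all"]},
    "deep.example": {"TXT": ["v=spf1 " + " ".join(f"include:l{i}.deep.example" for i in range(11)) + " -all"]},
}
ZONES.update({f"l{i}.deep.example": {"TXT": ["v=spf1 ip4:10.0.0.1 -all"]} for i in range(11)})

class PermError(Exception):
    """Condition RFC 7208 treats as a permanent error (result: permerror)."""

def lookup(name, rtype):
    return ZONES.get(name, {}).get(rtype, [])

def get_spf(domain):
    """The domain's single SPF record, or None; two records is a PermError."""
    records = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(records) > 1:
        raise PermError(f"{domain}: multiple SPF records")
    return records[0] if records else None

def parse_terms(record):
    """Yield (qualifier, mechanism or modifier, argument) for each term."""
    for term in record.split()[1:]:
        qual = "+"  # the default qualifier is pass
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition("=" if "=" in term else ":")
        yield qual, name.lower(), arg

def check_host(ip, domain, budget=None):
    """Evaluate SPF for sender ip and MAIL FROM domain -> (result, lookups)."""
    budget = budget if budget is not None else [0]  # shared across includes
    ip = ipaddress.ip_address(ip)
    record = get_spf(domain)
    if record is None:
        return "none", budget[0]
    def spend():  # every DNS-querying term draws on the same 10-lookup budget
        budget[0] += 1
        if budget[0] > MAX_LOOKUPS:
            raise PermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")

    redirect_to = None
    for qual, mech, arg in parse_terms(record):
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == ip.version and ip in net
        elif mech in ("a", "mx"):
            spend()
            hosts = [arg or domain] if mech == "a" else lookup(arg or domain, "MX")
            matched = any(str(ip) in lookup(h, "A") for h in hosts)
        elif mech == "include":
            spend()
            matched = check_host(str(ip), arg, budget)[0] == "pass"
        elif mech == "redirect":
            redirect_to = arg  # applied only if no mechanism matches
        else:  # exists:/ptr not modelled here; unknown mechanisms are a PermError
            raise PermError(f"{domain}: unsupported term {mech}")
        if matched:
            return RESULT[qual], budget[0]
    if redirect_to:
        spend()
        return check_host(str(ip), redirect_to, budget)
    return "neutral", budget[0]

def spf_result(ip, domain):
    """Receiver-style wrapper: a PermError becomes the 'permerror' result."""
    try:
        return check_host(ip, domain)[0]
    except PermError:
        return "permerror"

def count_lookups(domain, seen=frozenset()):
    """Static lookup count over the whole record tree, as checkers report it."""
    total = 0
    for _, mech, arg in parse_terms(get_spf(domain) or "v=spf1"):
        if mech in ("a", "mx", "exists", "ptr", "include", "redirect"):
            total += 1
        if mech in ("include", "redirect") and arg not in seen:
            total += count_lookups(arg, seen | {arg})
    return total
```

With these zones, check_host("2001:db8::1", "example.com") returns ("pass", 2): the ip4 term is skipped, mx costs one lookup and misses, and the include costs a second lookup and matches inside the included record. deep.example lists eleven includes, so a sender that matches none of them trips the limit on the eleventh and spf_result reports "permerror"; count_lookups("deep.example") reports 11 without needing a sender IP, which is the number a checker tool shows you. open.example returns pass for any address, which is exactly why +all is never acceptable.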
Forgetting Third-Party Senders
If your CRM, helpdesk, or invoicing system sends email from your domain and isn't included in SPF, those emails will fail authentication. Before setting SPF to -all, make sure you've audited all services that send email on your behalf; DMARC aggregate reports are the most reliable way to find senders you forgot. Also bear in mind that forwarded mail fails SPF regardless of your record, because the forwarder's server isn't in it. That is one reason to rely on DKIM as well rather than on SPF alone.
Testing Your SPF Record
After creating or modifying your SPF record, verify it:
- Check syntax and lookups: Use our SPF checker tool to validate your record, count DNS lookups, and identify issues.
- Verify DNS propagation: SPF records can take up to 48 hours to propagate, though most providers update within minutes. You can check propagation using:
dig TXT yourdomain.com +short | grep spf
- Send test emails: Send an email to a Gmail or Outlook account and check the message headers. Look for spf=pass in the Authentication-Results header, and confirm that the smtp.mailfrom domain shown next to it is your own domain rather than your provider's; if it isn't, SPF is passing for the provider, not for you, and DMARC will not treat it as aligned.
- Run a full domain scan: Use our domain security scanner to check SPF alongside DKIM, DMARC, and other security records in one go.
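Reading the Authentication-Results header by eye is error-prone, and spf=pass on its own says nothing about whose domain passed. The following is an added example written for this guide, not code from the original page: it parses that header out of a received message, extracts the SPF verdict and the smtp.mailfrom domain, and checks whether that domain aligns with the visible From: domain, which is what DMARC requires on top of spf=pass. Both messages, the authserv-id mx.receiver.test, and the domains in them are constructed. Relaxed alignment is approximated as "same domain or a subdomain of it"; the exact RFC 7489 rule compares organizational domains and needs the public suffix list.

```python
import email
import re
from email.utils import parseaddr

# Added example for this guide (not code from the original page): pull the SPF
# verdict from Authentication-Results and test DMARC-style alignment between
# the authenticated envelope domain (smtp.mailfrom) and the From: domain.
# Both messages below are constructed; mx.receiver.test is a made-up authserv-id.

LEGIT = """\
Authentication-Results: mx.receiver.test;
 spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=bounce.example.com;
 dkim=none
Return-Path: <abc123@bounce.example.com>
From: Alice <alice@example.com>
Subject: test

hello
"""

# SPF passes here as well, but for the attacker's own envelope domain: without
# the alignment check the visible From: is still spoofable.
SPOOFED = """\
Authentication-Results: mx.receiver.test;
 spf=pass smtp.mailfrom=attacker.test;
 dkim=none
Return-Path: <x@attacker.test>
From: Alice <alice@example.com>
Subject: urgent invoice

pay now
"""


def domain_of(address):
    """Domain part of an address, or the value itself if it has no @."""
    return address.rpartition("@")[2].lower()


def aligned(mailfrom_domain, from_domain, strict=False):
    """Strict: exact match. Relaxed: one domain is the other or a subdomain
    of it (approximation of organizational-domain alignment)."""
    if mailfrom_domain == from_domain:
        return True
    if strict or not mailfrom_domain or not from_domain:
        return False
    return (mailfrom_domain.endswith("." + from_domain)
            or from_domain.endswith("." + mailfrom_domain))


def spf_verdict(raw_message):
    """Return the SPF result, the two domains, and both alignment verdicts."""
    msg = email.message_from_string(raw_message)
    result, mailfrom = "none", ""
    for value in msg.get_all("Authentication-Results") or []:
        value = " ".join(value.split())  # unfold continuation lines
        hit = re.search(r"\bspf=([a-z]+)", value, re.I)
        if not hit:
            continue
        result = hit.group(1).lower()
        dom = re.search(r"smtp\.mailfrom=([^\s;]+)", value, re.I)
        if dom:  # some receivers put the full address here, others only the domain
            mailfrom = domain_of(dom.group(1))
        break
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    return {
        "spf": result,
        "mailfrom_domain": mailfrom,
        "from_domain": from_domain,
        "aligned_relaxed": aligned(mailfrom, from_domain),
        "aligned_strict": aligned(mailfrom, from_domain, strict=True),
    }


def dmarc_spf_ok(raw_message, strict=False):
    """True only if SPF passed AND the passing domain aligns with From:."""
    v = spf_verdict(raw_message)
    return v["spf"] == "pass" and (v["aligned_strict"] if strict else v["aligned_relaxed"])
```

For LEGIT the verdict is spf=pass with smtp.mailfrom bounce.example.com, which aligns with example.com under relaxed alignment but not under strict alignment, so a DMARC policy with adkim/aspf=s would need DKIM to carry it. For SPOOFED the verdict is also spf=pass, yet dmarc_spf_ok returns False because attacker.test does not align with example.com; that is the case a bare "look for spf=pass" check misses.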
Once SPF is verified, the next step is setting up DKIM and DMARC to complete your email authentication stack.