An SPF record tells email servers which IP addresses and services are allowed to send email for your domain. This guide walks through creating an SPF record from scratch, including syntax, common services, and avoiding pitfalls.
Need a refresher on what SPF is? Read our SPF explained guide first.
SPF Record Basics
An SPF record is a TXT record published at your domain's root. It contains:
- Version declaration (
v=spf1) - Mechanisms listing authorized senders
- A default policy for unlisted senders (
all)
Example: v=spf1 include:_spf.google.com -all
Step 1: Inventory Your Email Sources
Before creating your SPF record, list every service that sends email for your domain:
Common Email Sources
- Primary email provider: Google Workspace, Microsoft 365, etc.
- Marketing platforms: Mailchimp, HubSpot, Klaviyo, Constant Contact
- Transactional email: SendGrid, Mailgun, Amazon SES, Postmark
- CRM systems: Salesforce, HubSpot, Zoho
- Support/helpdesk: Zendesk, Freshdesk, Intercom
- Web applications: Custom apps sending notifications
- E-commerce platforms: Shopify, WooCommerce (if sending from your domain)
Step 2: Gather SPF Include Statements
Each email service provides their SPF include. Here are common ones:
| Service | SPF Include |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Mailchimp | include:servers.mcsv.net |
| SendGrid | include:sendgrid.net |
| Mailgun | include:mailgun.org |
| Amazon SES | include:amazonses.com |
| HubSpot | include:spf.hubspot.com |
| Zendesk | include:mail.zendesk.com |
| Salesforce | include:_spf.salesforce.com |
| Shopify | include:shops.shopify.com |
| Klaviyo | include:_spf.klaviyo.com |
| Freshdesk | include:email.freshdesk.com |
Always verify: Check your service's documentation for current SPF include, as these can change.
Step 3: Build Your SPF Record
Basic Structure
v=spf1 [mechanisms] [all]
Example Records
Google Workspace only:
v=spf1 include:_spf.google.com ~all
Microsoft 365 only:
v=spf1 include:spf.protection.outlook.com ~all
Google Workspace + Mailchimp:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
Multiple services:
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.hubspot.com ~all
With specific IP addresses:
v=spf1 ip4:192.168.1.1 include:_spf.google.com ~all
Step 4: Add the DNS Record
- Log into your DNS provider
- Navigate to DNS management for your domain
- Look for existing SPF/TXT records
- If an SPF record exists, modify it (don't create a second one)
- If not, create a new TXT record
- Set host/name to
@or blank (represents root domain) - Set value to your SPF record string
- Save
Critical: You can only have ONE SPF record per domain. Multiple records cause failures.
Step 5: Verify Your Record
Command Line
dig TXT yourdomain.com
or
nslookup -type=TXT yourdomain.com
Online Tools
- MxToolbox SPF Lookup
- SPF Record Check at spf-record.com
- EasyDMARC SPF Checker
Verify:
- Record is found
- Syntax is valid
- DNS lookup count is under 10
Understanding SPF Mechanisms
Include
include:domain.com – Authorizes senders listed in another domain's SPF
Each include counts as 1+ DNS lookups
IP4 and IP6
ip4:192.168.1.1 – Authorizes a specific IPv4 address
ip4:192.168.1.0/24 – Authorizes an IP range
ip6:2001:db8::/32 – Authorizes IPv6
IP mechanisms don't count as DNS lookups
A and MX
a – Authorizes servers in your domain's A record
mx – Authorizes servers in your domain's MX record
Each counts as 1 DNS lookup
All
Must be last. Sets policy for senders not explicitly listed:
-
-all– Hard fail (reject) -
~all– Soft fail (mark as suspicious) -
?all– Neutral (no statement) -
+all– Pass all (never use this!)
The 10 DNS Lookup Limit
SPF has a strict limit of 10 DNS lookups. Exceeding this causes permanent errors.
What Counts
- Each
include:= 1 lookup + nested lookups - Each
amechanism = 1 lookup - Each
mxmechanism = 1 lookup -
redirect=modifier = lookups in target
What Doesn't Count
-
ip4:mechanisms -
ip6:mechanisms -
allmechanism
Checking Your Lookup Count
Use an SPF checker tool that shows total lookups. If over 10, you need to:
- Remove unused services
- Use IP addresses instead of includes where possible
- Consider SPF flattening
- Use subdomains for different sending purposes
Softfail (~all) vs Hardfail (-all)
Start with Softfail
~all marks unauthorized senders as suspicious but doesn't outright reject. Use this:
- When first setting up SPF
- If not 100% sure all senders are listed
- During transitions
Move to Hardfail
-all instructs receivers to reject unauthorized senders. Use once:
- You've confirmed all legitimate senders are included
- You've monitored for a period with no issues
- DMARC reports show clean authentication
Common Mistakes
Multiple SPF Records
Wrong: Creating two TXT records with v=spf1
Right: One record combining all includes
Exceeding 10 Lookups
Too many includes break SPF. Count and optimize.
Missing Services
Forgetting a legitimate sender causes their emails to fail SPF.
Using +all
Never use +all – it authorizes everyone.
Wrong Record Location
SPF goes at your domain root, not a subdomain (unless intentionally using subdomains for different senders).
Testing Your SPF Record
- Send email from each service to a test address
- Check email headers for SPF results
- In Gmail: "Show original" → look for
spf=pass - Use mail-tester.com for comprehensive testing
Maintaining Your SPF Record
- Review quarterly: Check if services have been added or removed
- Monitor DMARC reports: They show SPF pass/fail for your domain
- Update when adding services: New email tools need to be included
- Remove old services: Don't leave unused includes cluttering your record
Next Steps
With SPF configured:
- Set up DKIM for each email service
- Implement DMARC for policy enforcement
- Monitor reports to catch issues early
For complete guidance, see our Email Authentication Complete Guide.
0 comments