How to Create an SPF Record: Step-by-Step Guide

Email Authentication Setup Guide

An SPF record tells email servers which IP addresses and services are allowed to send email for your domain. This guide walks through creating an SPF record from scratch, including syntax, common services, and avoiding pitfalls.

Need a refresher on what SPF is? Read our SPF explained guide first.

SPF Record Basics

An SPF record is a TXT record published at your domain's root. It contains:

  • Version declaration (v=spf1)
  • Mechanisms listing authorized senders
  • A default policy for unlisted senders (all)

Example: v=spf1 include:_spf.google.com -all

Step 1: Inventory Your Email Sources

Before creating your SPF record, list every service that sends email for your domain:

Common Email Sources

  • Primary email provider: Google Workspace, Microsoft 365, etc.
  • Marketing platforms: Mailchimp, HubSpot, Klaviyo, Constant Contact
  • Transactional email: SendGrid, Mailgun, Amazon SES, Postmark
  • CRM systems: Salesforce, HubSpot, Zoho
  • Support/helpdesk: Zendesk, Freshdesk, Intercom
  • Web applications: Custom apps sending notifications
  • E-commerce platforms: Shopify, WooCommerce (if sending from your domain)

Step 2: Gather SPF Include Statements

Each email service provides their SPF include. Here are common ones:

Service SPF Include
Google Workspace include:_spf.google.com
Microsoft 365 include:spf.protection.outlook.com
Mailchimp include:servers.mcsv.net
SendGrid include:sendgrid.net
Mailgun include:mailgun.org
Amazon SES include:amazonses.com
HubSpot include:spf.hubspot.com
Zendesk include:mail.zendesk.com
Salesforce include:_spf.salesforce.com
Shopify include:shops.shopify.com
Klaviyo include:_spf.klaviyo.com
Freshdesk include:email.freshdesk.com

Always verify: Check your service's documentation for current SPF include, as these can change.

Step 3: Build Your SPF Record

Basic Structure

v=spf1 [mechanisms] [all]

Example Records

Google Workspace only:

v=spf1 include:_spf.google.com ~all

Microsoft 365 only:

v=spf1 include:spf.protection.outlook.com ~all

Google Workspace + Mailchimp:

v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

Multiple services:

v=spf1 include:_spf.google.com include:sendgrid.net include:spf.hubspot.com ~all

With specific IP addresses:

v=spf1 ip4:192.168.1.1 include:_spf.google.com ~all

Step 4: Add the DNS Record

  1. Log into your DNS provider
  2. Navigate to DNS management for your domain
  3. Look for existing SPF/TXT records
  4. If an SPF record exists, modify it (don't create a second one)
  5. If not, create a new TXT record
  6. Set host/name to @ or blank (represents root domain)
  7. Set value to your SPF record string
  8. Save

Critical: You can only have ONE SPF record per domain. Multiple records cause failures.

Step 5: Verify Your Record

Command Line

dig TXT yourdomain.com

or

nslookup -type=TXT yourdomain.com

Online Tools

  • MxToolbox SPF Lookup
  • SPF Record Check at spf-record.com
  • EasyDMARC SPF Checker

Verify:

  • Record is found
  • Syntax is valid
  • DNS lookup count is under 10

Understanding SPF Mechanisms

Include

include:domain.com – Authorizes senders listed in another domain's SPF

Each include counts as 1+ DNS lookups

IP4 and IP6

ip4:192.168.1.1 – Authorizes a specific IPv4 address

ip4:192.168.1.0/24 – Authorizes an IP range

ip6:2001:db8::/32 – Authorizes IPv6

IP mechanisms don't count as DNS lookups

A and MX

a – Authorizes servers in your domain's A record

mx – Authorizes servers in your domain's MX record

Each counts as 1 DNS lookup

All

Must be last. Sets policy for senders not explicitly listed:

  • -all – Hard fail (reject)
  • ~all – Soft fail (mark as suspicious)
  • ?all – Neutral (no statement)
  • +all – Pass all (never use this!)

The 10 DNS Lookup Limit

SPF has a strict limit of 10 DNS lookups. Exceeding this causes permanent errors.

What Counts

  • Each include: = 1 lookup + nested lookups
  • Each a mechanism = 1 lookup
  • Each mx mechanism = 1 lookup
  • redirect= modifier = lookups in target

What Doesn't Count

  • ip4: mechanisms
  • ip6: mechanisms
  • all mechanism

Checking Your Lookup Count

Use an SPF checker tool that shows total lookups. If over 10, you need to:

  • Remove unused services
  • Use IP addresses instead of includes where possible
  • Consider SPF flattening
  • Use subdomains for different sending purposes

Softfail (~all) vs Hardfail (-all)

Start with Softfail

~all marks unauthorized senders as suspicious but doesn't outright reject. Use this:

  • When first setting up SPF
  • If not 100% sure all senders are listed
  • During transitions

Move to Hardfail

-all instructs receivers to reject unauthorized senders. Use once:

  • You've confirmed all legitimate senders are included
  • You've monitored for a period with no issues
  • DMARC reports show clean authentication

Common Mistakes

Multiple SPF Records

Wrong: Creating two TXT records with v=spf1

Right: One record combining all includes

Exceeding 10 Lookups

Too many includes break SPF. Count and optimize.

Missing Services

Forgetting a legitimate sender causes their emails to fail SPF.

Using +all

Never use +all – it authorizes everyone.

Wrong Record Location

SPF goes at your domain root, not a subdomain (unless intentionally using subdomains for different senders).

Testing Your SPF Record

  1. Send email from each service to a test address
  2. Check email headers for SPF results
  3. In Gmail: "Show original" → look for spf=pass
  4. Use mail-tester.com for comprehensive testing

Maintaining Your SPF Record

  • Review quarterly: Check if services have been added or removed
  • Monitor DMARC reports: They show SPF pass/fail for your domain
  • Update when adding services: New email tools need to be included
  • Remove old services: Don't leave unused includes cluttering your record

Next Steps

With SPF configured:

  1. Set up DKIM for each email service
  2. Implement DMARC for policy enforcement
  3. Monitor reports to catch issues early

For complete guidance, see our Email Authentication Complete Guide.

📋 Need a printable guide? Get our Email Authentication Checklist to track your implementation progress. Download PDF →

0 comments

Leave a comment

Please note, comments need to be approved before they are published.