SPF (Sender Policy Framework) Setup Guide

Configure SPF records to authorize mail servers for your domain and improve email deliverability.

What is SPF?

SPF (Sender Policy Framework) is an email authentication method that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. When a receiving server gets an email, it checks the SPF record to verify the sender is legitimate.

Without SPF, anyone can send emails claiming to be from your domain, leading to:

  • Email spoofing and phishing attacks
  • Poor deliverability and spam folder placement
  • Damage to your domain's reputation
  • Rejection by Gmail, Outlook, and other major providers

How SPF Works

Step 1: Email Sent

Your mail server sends an email claiming to be from your domain.

Step 2: SPF Lookup

The receiving server looks up your domain's SPF record in DNS.

Step 3: Verification

The receiving server checks whether the sending IP address is authorized in your SPF record.

Step 4: Pass or Fail

The email passes the SPF check if the sending IP is authorized and fails if it is not.

Creating Your SPF Record

An SPF record is a TXT record in your DNS with this basic format:

v=spf1 include:_spf.google.com ~all

Let's break down each part:

  • v=spf1 - Version identifier (always required)
  • include:_spf.google.com - Authorize Google's mail servers
  • ~all - Soft fail for unauthorized servers (recommended to start)

Common SPF Mechanisms

  • ip4:192.0.2.0 - Authorize a specific IPv4 address
  • a - Authorize the domain's A record IP address
  • mx - Authorize all MX record servers
  • include:domain.com - Include another domain's SPF record

The 10 DNS Lookup Limit

SPF has a critical limitation: a maximum of 10 DNS lookups. Exceeding this limit causes a PermError, and the SPF check fails.

Each of these counts as a lookup:

  • include: mechanisms
  • a and mx mechanisms
  • redirect= modifier

Use our SPF Checker to count your lookups and get flattening recommendations.
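
The lookup count described above, as an added example (not part of the original guide or its SPF Checker): a worst-case counter that follows include: and redirect= recursively, because records nested inside a provider's include spend the same budget of 10. The domains and records in SAMPLE_TXT are constructed, and ptr and exists are counted as well, as RFC 7208 specifies.

```python
# Added example: worst-case SPF DNS-lookup counter (RFC 7208 section 4.6.4).
# SAMPLE_TXT is constructed data standing in for DNS TXT answers; the
# domains and IPs are reserved documentation values, not real senders.
SAMPLE_TXT = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:_spf.news.example ~all",
    "shop.example.com": "v=spf1 a mx include:_spf.mail.example "
                        "include:_spf.news.example include:_spf.crm.example -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.news.example": "v=spf1 a mx ip4:203.0.113.7 ~all",
    "_spf.crm.example": "v=spf1 a:mail.crm.example mx:crm.example ~all",
}
LOOKUP_LIMIT = 10
# The guide lists include, a, mx and redirect; RFC 7208 also counts ptr and exists.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def count_lookups(domain, txt=SAMPLE_TXT, path=()):
    """Count DNS-querying terms for `domain`, following include/redirect.

    This is the worst case: a real evaluator stops at the first match.
    """
    if domain in path:
        raise ValueError(f"SPF loop: {' -> '.join(path + (domain,))}")
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], txt, path + (domain,))
            continue
        mech, _, target = term.lstrip("+-~?").partition(":")
        mech = mech.split("/")[0].lower()  # drop a CIDR suffix such as a/24
        if mech in LOOKUP_MECHANISMS:
            total += 1
        if mech == "include":  # nested records spend from the same budget
            total += count_lookups(target, txt, path + (domain,))
    return total


def audit(domain, txt=SAMPLE_TXT):
    """Return (lookup_count, 'ok' or 'permerror') for a domain's SPF record."""
    n = count_lookups(domain, txt)
    return n, "permerror" if n > LOOKUP_LIMIT else "ok"


if __name__ == "__main__":
    for name in ("example.com", "shop.example.com"):
        print(name, audit(name))
```

In the sample data, shop.example.com has only five terms that query DNS at the top level, yet reaches 11 lookups once the nested includes are followed.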

SPF Policy Tags

The "all" mechanism at the end defines what happens to unauthorized senders:

  • ~all (SoftFail) - Mark as suspicious but accept (recommended for testing)
  • -all (Fail) - Reject unauthorized emails (strictest, use after testing)
  • ?all (Neutral) - No explicit policy (not recommended)

Step-by-Step Setup

1. Identify Your Mail Servers

List all services that send email for your domain:

  • Google Workspace / Gmail
  • Microsoft 365 / Outlook
  • Marketing platforms (Mailchimp, SendGrid, etc.)
  • Transactional email services
  • Your own mail servers

2. Build Your SPF Record

Example for Google Workspace + SendGrid:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

3. Add to DNS

Create a TXT record in your DNS with:

  • Host/Name: @ (or your domain name)
  • Type: TXT
  • Value: Your SPF record
  • TTL: 3600 (1 hour)

4. Verify & Test

Wait 10-60 minutes for DNS propagation, then use our SPF Checker to validate your record.

Next Steps

Now that SPF is configured, complete your authentication setup:

  • DKIM Setup
  • DMARC Setup