SPF Setup Guide
Learn how to configure SPF records to authorize legitimate email senders and prevent spoofing.
What is SPF?
SPF (Sender Policy Framework) is a DNS-based email authentication method that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. When an email is received, the receiving server checks the SPF record to verify that the sending server is authorized.
SPF Record Syntax
An SPF record is a TXT record published at your domain. Here is an example of a complete SPF record:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.168.1.1 -all

| Mechanism | Description | Example |
|---|---|---|
| ip4 | Authorize IPv4 addresses | ip4:192.168.1.1 |
| ip6 | Authorize IPv6 addresses | ip6:2001:db8::1 |
| a | Authorize domain's A record IPs | a:mail.example.com |
| mx | Authorize domain's MX record IPs | mx |
| include | Include another domain's SPF | include:_spf.google.com |
| all | Match all (used at end) | -all |
SPF Qualifiers
Each mechanism can be prefixed with a qualifier that determines what action to take when matched:
| Qualifier | Result | Action |
|---|---|---|
| + | Pass | Allow the email (default if no qualifier) |
| - | Fail | Reject the email (hard fail) |
| ~ | SoftFail | Accept but mark as suspicious |
| ? | Neutral | No assertion about authorization |
Common Email Providers
Here are the SPF include statements for popular email providers:
| Provider | SPF Include |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Amazon SES | include:amazonses.com |
| Mailchimp | include:servers.mcsv.net |
| SendGrid | include:sendgrid.net |
| Mailgun | include:mailgun.org |
Step-by-Step Setup
1. Identify all sending sources
   List all services that send email on your behalf (your mail server, marketing tools, CRM, etc.).
2. Gather SPF includes
   Get the SPF include statement from each provider. Check their documentation or support.
3. Build your SPF record
   Combine all includes into a single record starting with v=spf1 and ending with -all.
4. Publish to DNS
   Add the TXT record to your domain's DNS. The record goes at your root domain (not a subdomain).
5. Test and verify
   Use SPF validation tools to verify your record is correct and all senders are authorized.
SPF Lookup Limit
SPF records are limited to 10 DNS lookups. Each include, a, mx, and redirect mechanism counts as one lookup. Nested includes also count toward this limit.
- Use ip4 and ip6 when possible (no lookup required)
- Consider SPF flattening services for complex setups
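The lookup arithmetic described above, as an added example that is not part of the original guide: it walks nested includes and totals the lookups a record costs, and also rejects duplicate SPF records. The `ZONE` dictionary, its domain names, and the function names are constructed for illustration and stand in for live DNS TXT queries.

```python
# Added example. ZONE is constructed sample data standing in for live DNS TXT
# answers; the names and addresses are placeholders, not real provider records.
ZONE = {
    "example.com": ["v=spf1 mx include:_spf.mail.example include:_spf.crm.example ip4:192.0.2.10 -all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_spf.crm.example": ["v=spf1 a:out.crm.example mx:crm.example ~all"],
}
LOOKUP_LIMIT = 10
# Terms that cost one DNS lookup each. The guide lists include, a, mx and
# redirect; RFC 7208 also counts exists and ptr.
DIRECT = {"a", "mx", "exists", "ptr"}
NESTED = {"include", "redirect"}


def spf_record(domain, zone):
    """Return the domain's single SPF record; zero or several is an error."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise ValueError(f"{domain}: expected one SPF record, found {len(found)}")
    return found[0]


def count_lookups(domain, zone, chain=()):
    """Count lookup-costing terms, recursing into include: and redirect= targets."""
    if domain in chain:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for term in spf_record(domain, zone).split()[1:]:
        term = term.lstrip("+-~?").lower().replace("=", ":", 1)
        name, _, target = term.partition(":")
        name = name.partition("/")[0]  # "mx/24" carries a CIDR length, still mx
        if name in NESTED:
            total += 1 + count_lookups(target, zone, chain + (domain,))
        elif name in DIRECT:
            total += 1
    return total


def audit(domain, zone):
    """Summarise the checks from this guide for one domain."""
    record, lookups = spf_record(domain, zone), count_lookups(domain, zone)
    return {"lookups": lookups, "within_limit": lookups <= LOOKUP_LIMIT,
            "ends_with_hard_fail": record.split()[-1] == "-all"}


if __name__ == "__main__":
    print(audit("example.com", ZONE))
```

The sample root record has only three lookup-costing terms of its own, but the nested includes bring the total to 7 of the 10 allowed.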
Best Practices
- Always end your SPF record with -all for strict enforcement
- Have only one SPF record per domain (multiple records will fail)
- Keep the record under 255 characters if possible
- Review and update your SPF record when adding new email services