
What Is SPF and How to Set It Up

SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to verify the sending server is on the approved list. Without SPF, anyone can send email pretending to be from your domain, and ISPs will treat your legitimate emails with suspicion.

How SPF Works

SPF is one of three email authentication protocols (along with DKIM and DMARC) that work together to prove your emails are legitimate. Here is what happens when you send an email:

How to Set Up SPF

Step 1: Identify all your sending sources.
Make a list of every service that sends email on behalf of your domain. This includes your email marketing platform (SendGrid, Mailgun, Amazon SES, etc.), your web hosting server, your business email provider (Google Workspace, Microsoft 365), and any transactional email services. Missing even one source means those emails will fail SPF.
Step 2: Get the SPF include values from each provider.
Each email provider publishes their SPF include value in their documentation. Common examples: Google Workspace uses include:_spf.google.com, SendGrid uses include:sendgrid.net, Amazon SES uses include:amazonses.com, and Mailgun uses include:mailgun.org. Check your provider's DNS setup documentation for the exact value.
Step 3: Create your SPF TXT record.
Go to your domain's DNS management panel (at your domain registrar or DNS host). Create a new TXT record for your root domain (@) with the SPF value. The format is: v=spf1 followed by your include statements, ending with ~all or -all. For example: v=spf1 include:_spf.google.com include:sendgrid.net ~all
Step 4: Verify the record is working.
Wait for DNS propagation (usually 5-60 minutes, up to 48 hours). Then use a tool like MXToolbox SPF Lookup or Google Admin Toolbox to verify your SPF record resolves correctly and lists all your sending sources.
Step 5: Send a test email and check the headers.
Send an email to a Gmail or Outlook account. Open the full message headers and look for the "Authentication-Results" header. You should see "spf=pass" confirming the check passed.

SPF Record Syntax Explained

A typical SPF record looks like this:

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 ~all

Common SPF Mistakes

Too Many DNS Lookups

SPF has a limit of 10 DNS lookups per record. Each "include:" counts as at least one lookup, and nested includes count toward the total. If you exceed 10 lookups, the entire SPF check fails with a "permerror," which is worse than having no SPF at all. If you have many sending services, you may need to use ip4/ip6 addresses directly instead of includes, or use an SPF flattening service.

Multiple SPF Records

You can only have one SPF record per domain. If you create a second TXT record starting with v=spf1, the SPF check will fail because the receiving server does not know which one to use. If you need to add a new service, edit your existing SPF record to include the additional source rather than creating a new record.
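
Both mistakes above (too many DNS lookups, more than one SPF record) can be caught before a record is published. The following Python check is an added example, not part of the original guide or any provider's tooling. It reads a constructed table of TXT records with hypothetical domain names instead of querying live DNS, and it counts the terms that RFC 7208 charges against the limit (include, a, mx, ptr, exists and redirect).

```python
import re

# Constructed TXT data standing in for live DNS answers; every name is hypothetical.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:bulk.example mx ip4:203.0.113.5 ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "bulk.example": ["v=spf1 a mx ~all"],
    "dup.example": ["v=spf1 include:bulk.example ~all", "v=spf1 ip4:203.0.113.9 -all"],
    "big.example": ["v=spf1 " + " ".join(["include:bulk.example"] * 4) + " ~all"],
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # these query DNS (RFC 7208, 4.6.4)
LIMIT = 10

def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records (version tag v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, chain=()):
    """Worst-case count of DNS-querying terms reachable from `domain`'s SPF record."""
    if domain in chain:
        raise ValueError("include loop through " + domain)
    records = spf_records(domain, zone)
    if len(records) != 1:  # zero or several records: the check cannot proceed
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].lower().split()[1:]:
        # Optional qualifier, then the mechanism or modifier name, then its target.
        name, _, target = re.match(r"[+\-~?]?([a-z0-9]+)([:=]?)([^/]*)", term).groups()
        if name in LOOKUP_MECHANISMS or name == "redirect":
            total += 1
        if name in ("include", "redirect"):  # nested records count toward the same total
            total += count_lookups(target, zone, chain + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Return (lookups, problems) for `domain`; lookups is None if counting failed."""
    try:
        n = count_lookups(domain, zone)
    except ValueError as exc:
        return None, [str(exc)]
    return n, [f"{n} DNS lookups exceeds the limit of {LIMIT}"] if n > LIMIT else []

if __name__ == "__main__":
    for d in ("example.com", "dup.example", "big.example"):
        print(d, lint(d))
```

The count is a worst case: a receiving server stops at the first mechanism that matches, so it may perform fewer lookups than the total reported here.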

Forgetting a Sending Source

If you set up SPF for your marketing platform but forget to include your business email provider (Google Workspace, Microsoft 365), your regular business emails will fail SPF. Audit all email sent from your domain, including transactional systems, CRM platforms, and help desk tools.

Important: SPF alone is not enough for full email authentication. You also need DKIM for message integrity verification and DMARC to tie them together with a policy. See the complete authentication guide for setting up all three.
