SPF Record: Complete Setup Guide

What is an SPF record?

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. When someone receives an email from your domain, their mail server checks your SPF record to verify that the sending server is on your approved list.

Without SPF, anyone can send email claiming to be from your domain — a technique used by spammers and phishers. SPF is one of three core authentication standards (alongside DKIM and DMARC) that inbox providers use to decide whether to trust your emails.

• SPF alone is not enough — you need DKIM and DMARC too.
• SPF is checked based on the 'envelope from' address, not the visible 'From' header.
• SPF must be set up on every domain you send email from — including subdomains used for outreach.

How SPF works

When your email arrives at the recipient's server, it performs a DNS lookup on your sending domain and retrieves your SPF record. It then checks whether the IP address that sent the email is listed in that record. If yes — pass. If no — fail (or softfail). The result is recorded and used as one input into the spam filter decision.

The check happens on the 'envelope from' address (the return-path domain), which is often different from the visible 'From' address in email clients. This distinction matters when using third-party sending services like Google Workspace, Zoho, or custom SMTP providers.

SPF record syntax explained

An SPF record is a DNS TXT record starting with 'v=spf1'. It lists authorised senders using mechanisms like 'ip4' (specific IP), 'include' (reference another domain's SPF), and 'a' (the domain's A record). It ends with an 'all' qualifier that specifies what to do with mail not matching the list.

• Always use ~all (tilde) not -all (hyphen) to start — hard fail can cause legitimate emails to be rejected.
• Keep the record under 10 DNS lookups — exceeding this causes SPF to fail (permerror).
• One SPF record per domain — multiple TXT records with v=spf1 cause failures.

Basic SPF record for Google Workspace: v=spf1 include:_spf.google.com ~all

SPF for Google Workspace + custom SMTP: v=spf1 include:_spf.google.com ip4:203.0.113.50 ~all

SPF for Zoho Mail: v=spf1 include:zoho.in ~all

All qualifiers: +all → pass (accept all — dangerous, don't use) -all → hard fail (reject if not listed) ~all → soft fail (mark as suspicious) ← recommended ?all → neutral (no recommendation)

Step-by-step SPF setup

Step 1: Identify every service that sends email from your domain (Google Workspace, Zoho, your ESP, custom SMTP). Step 2: Find the 'include' mechanism for each service — usually in their documentation. Step 3: Combine all includes into a single TXT record. Step 4: Add the TXT record to your domain's DNS (via your domain registrar: GoDaddy, Namecheap, Cloudflare, etc.). Step 5: Wait 5–30 minutes for DNS propagation. Step 6: Validate using MXToolbox or Google Admin Toolbox.

• DNS propagation can take up to 24–48 hours globally, but usually takes under 30 minutes.
• If you're on Cloudflare, proxy status for TXT records should be 'DNS only' (grey cloud), not proxied.
• Test your SPF before sending campaigns using MXToolbox SPF checker (mxtoolbox.com/spf.aspx).

Common SPF errors and fixes

Too many DNS lookups (permerror): Each 'include' directive triggers a DNS lookup. SPF limits you to 10. Flatten your SPF record by replacing 'include' directives with the actual IP ranges they resolve to — use a tool like SPF Flattener or dmarcian.com.

Multiple SPF records: If you have two TXT records starting with 'v=spf1' on the same domain, SPF will fail entirely. Merge them into one record.

Sending from a subdomain: SPF records don't automatically cover subdomains. If you send from mail.yourdomain.com, that subdomain needs its own SPF record.

• Use dmarcian.com/spf-survey or mxtoolbox.com to diagnose SPF errors.
• If you see 'permerror' — you've exceeded 10 DNS lookups. Flatten the record.
• Re-check your SPF whenever you add a new email sending service.