How to Set Up an SPF Record: Step-by-Step Guide
SPF (Sender Policy Framework) is a DNS-based email authentication protocol that lets you declare which mail servers are allowed to send email on behalf of your domain. When a receiving server gets a message claiming to be from your domain, it checks your SPF record to verify the sending server is authorized. Without SPF, anyone can forge your From address, and your legitimate emails are far more likely to be flagged as spam.
Step 1: Identify All Authorized Senders
Before you write a single line of DNS, list every service that sends email using your domain. This commonly includes your primary email provider (Google Workspace, Microsoft 365, Zoho), marketing platforms (Mailchimp, SendGrid, HubSpot), transactional email services, CRM systems, and helpdesk tools. Missing even one sender means legitimate mail from that service will fail SPF checks.
Step 2: Build Your SPF Record
An SPF record is a DNS TXT record that begins with v=spf1 followed by one or more mechanisms and ends with an all qualifier. Here are the most common mechanisms:
- include:domain.com — Authorizes all servers that the specified domain's SPF record authorizes. Used for third-party services.
- a — Authorizes the IP address(es) that your domain's A record points to.
- mx — Authorizes the IP addresses of your domain's MX (mail exchange) servers.
- ip4:203.0.113.5 — Authorizes a specific IPv4 address or CIDR range.
- ip6:2001:db8::/32 — Authorizes a specific IPv6 address or CIDR range.
Example for Google Workspace:
v=spf1 include:_spf.google.com ~all
Example for Microsoft 365:
v=spf1 include:spf.protection.outlook.com -all
Example with multiple services:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all
Step 3: Publish the Record in DNS
- Log in to your DNS provider or domain registrar.
- Navigate to DNS management for your domain.
- Create a new TXT record with the host/name set to @ (or leave it blank, depending on your provider).
- Paste your SPF record as the value, for example: v=spf1 include:_spf.google.com -all
- Save the record. DNS propagation usually takes a few minutes but can take up to 48 hours.
Important: you can only have one SPF record per domain. If you already have one, edit it to include your new sending sources rather than creating a second record.
Step 4: Verify Your SPF Record
After publishing, use the Email Armory SPF Checker to confirm your record is syntactically valid, does not exceed the 10-DNS-lookup limit, and includes all the mechanisms you intended. You can also run a TXT Lookup to see the raw DNS response for your domain.
Understanding ~all vs -all
The qualifier at the end of your SPF record controls what happens when a message comes from an unlisted server:
- -all (hard fail) — Reject the message. This is the most secure option and recommended once you have verified all senders are listed.
- ~all (soft fail) — Accept but mark the message. Good for the initial testing phase.
- ?all (neutral) — No opinion. Provides no protection and should be avoided.
Start with ~all while you are confirming every service is accounted for, then switch to -all for full enforcement. For even stronger protection, pair SPF with DKIM and DMARC.
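The checks from Step 4 and the qualifier guidance above can be scripted before a record is published. This is an added example, not code from the original page or from the Email Armory tools: a Python linter that runs against a constructed in-memory zone and counts the terms that trigger a DNS query, following include and redirect. The ZONE dictionary, the example domains and the function names are all assumptions made for illustration.

```python
# Constructed zone data: domain -> list of TXT strings (no real DNS is queried).
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example ip4:203.0.113.10 -all", "verify=x1"],
    "_spf.mail.example": ["v=spf1 mx a ~all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.mail.example ~all"],
    "busy.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(6)) + " ?all"],
    **{f"s{i}.example": ["v=spf1 mx -all"] for i in range(6)},
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS query each

def is_spf(txt):
    return txt.lower().split()[:1] == ["v=spf1"]

def parse_term(term):
    """Split an SPF term into (qualifier, name, argument)."""
    qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
    for i, ch in enumerate(body):
        if ch in ":=/":
            return qualifier, body[:i].lower(), "" if ch == "/" else body[i + 1:]
    return qualifier, body.lower(), ""

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms for domain, following include and redirect."""
    if domain in path:
        raise ValueError(f"{domain}: include loop")
    records = [t for t in zone.get(domain, []) if is_spf(t)]
    if len(records) != 1:
        raise ValueError(f"{domain}: {len(records)} SPF records, need exactly 1")
    total = 0
    for _, name, arg in map(parse_term, records[0].split()[1:]):
        total += name in LOOKUP_TERMS  # True counts as 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Return a list of problems found in the SPF setup of domain."""
    try:
        lookups = count_lookups(domain, zone)
    except ValueError as err:
        return [str(err)]
    problems = [f"{lookups} DNS lookups, limit is 10"] if lookups > 10 else []
    terms = [parse_term(t) for t in next(filter(is_spf, zone[domain])).split()[1:]]
    quals = {name: q for q, name, _ in terms}
    if "all" not in quals and "redirect" not in quals:
        problems.append("no 'all' term: unlisted senders get a neutral result")
    elif quals.get("all") in ("+", "?"):
        problems.append(f"'{quals['all']}all' gives no protection")
    return problems
```

To check a live domain, fill the zone dictionary from real TXT lookups for the domain and every domain it includes; the counting logic stays the same.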
Frequently Asked Questions
What happens if I don't have an SPF record?
Without an SPF record, receiving mail servers have no way to verify whether a message was sent from an authorized server. This makes your domain vulnerable to spoofing and significantly increases the chance your legitimate emails land in spam.
Can I have more than one SPF record?
No. The SPF standard requires exactly one SPF TXT record per domain. If you publish multiple SPF records, receiving servers may return a PermError and reject your mail. Merge all your sending sources into a single record.
What is the difference between ~all and -all?
The ~all qualifier (soft fail) tells receivers to accept but flag mail from unauthorized sources. The -all qualifier (hard fail) tells receivers to reject it outright. Start with ~all while testing, then switch to -all once you have confirmed all legitimate senders are listed.