How to Create an SPF Record
Step-by-step guide to creating an SPF record for your domain. Learn SPF syntax, common includes for popular email services, and how to add the record to your DNS.
If your domain sends email, it needs an SPF record. Without one, mailbox providers like Gmail and Outlook have no way to verify that your messages are legitimate. The result: your emails are more likely to land in spam, and anyone can send email pretending to be you.
The good news is that creating an SPF record takes about ten minutes, even if you've never touched DNS before. This guide walks you through it from start to finish.
What an SPF Record Looks Like
An SPF record is a single line of text that you add to your domain's DNS as a TXT record. Here's a typical example:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Every SPF record follows the same basic structure: it starts with v=spf1, lists the servers allowed to send email for your domain, and ends with an all mechanism that tells receiving servers what to do with everything else.
Let's break down each piece before you build yours.
Understanding SPF Syntax
SPF records are made up of mechanisms and qualifiers. You don't need to memorize every option, but understanding the basics will help you build a record that actually works.
The Version Tag
Every SPF record starts with v=spf1. This tells receiving mail servers that they're looking at an SPF record. There's only one version, so this never changes.
Mechanisms
Mechanisms define which servers are authorized to send email for your domain. Here are the ones you'll use most:
- include: -- Authorizes another domain's SPF record. This is how you add third-party services like Google Workspace or Mailchimp.
- ip4: -- Authorizes a specific IPv4 address or range. Use this for your own mail server.
- ip6: -- Same as ip4, but for IPv6 addresses.
- mx -- Authorizes whatever servers your domain's MX records point to. Useful if your incoming and outgoing mail use the same server.
- a -- Authorizes the IP address your domain's A record points to.
The All Mechanism
The all mechanism goes at the end and handles everything that didn't match the mechanisms above. It uses a qualifier to define the behavior:
- -all (hard fail) -- Reject anything not authorized. This is the strongest setting.
- ~all (soft fail) -- Flag unauthorized senders but don't outright reject them. Good while you're still testing.
- ?all (neutral) -- No opinion. Essentially useless.
Start with soft fail
If you're setting up SPF for the first time, use ~all until you've confirmed all your sending services are included. Once everything checks out, switch to -all for full protection.
Common Include Values for Popular Services
Most email services publish an SPF include value in their documentation. Here are the ones you'll see most often:
| Service | Include Value |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Mailchimp (Transactional) | include:servers.mcsv.net |
| SendGrid | include:sendgrid.net |
| Amazon SES | include:amazonses.com |
| Mailgun | include:mailgun.org |
| Postmark | include:spf.mtasv.net |
| Zoho Mail | include:zoho.com |
| HubSpot | include:spf.hubspot.com |
If you use more than one service, you list all of their includes in a single SPF record. For example, a business using Google Workspace and Mailchimp would use:
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
You can only have one SPF record per domain. If you add a second TXT record starting with v=spf1, both records will fail. Always combine your services into a single record.
Step-by-Step: Building and Publishing Your SPF Record
List every service that sends email for your domain
Think beyond your main inbox. Include your CRM, marketing platform, helpdesk, invoicing tool, and anything else that sends email as your domain. If you're not sure, check each tool's settings for outbound email or SMTP configuration.
Look up the SPF include for each service
Check each provider's documentation for their SPF include value. The table above covers the most popular ones. If a service isn't listed, search their help docs for "SPF" or "email authentication."
Assemble your SPF record
Start with v=spf1, add each include, add any direct IP addresses for your own servers, and end with -all (or ~all while testing). Keep it on one line with spaces between each mechanism.
Add the TXT record to your DNS
Log in to your DNS provider (this might be your domain registrar like Namecheap or GoDaddy, or a service like Cloudflare). Create a new TXT record with the host/name set to @ (which represents your root domain) and paste your SPF record as the value. Save and wait for DNS propagation -- this usually takes a few minutes but can take up to 48 hours.
Verify your new record
After adding the record, check that it's live and valid. Use SPF Record Check to look up your domain and confirm the record is published correctly, has no syntax errors, and stays under the 10 DNS lookup limit.
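An added example, not part of the original guide or of any SPF tool: a small offline Python check for the assembly rules above (one record per domain, all at the end, at most 10 DNS lookups). The names build_spf and lint_spf are hypothetical, and the lookup count covers only the terms in your own record; lookups made inside each provider's include add to the total and need live DNS to count.

```python
import re

# Mechanisms that each cost one DNS lookup when evaluated (RFC 7208, section 4.6.4).
LOOKUP_MECHS = {"include", "a", "mx", "exists", "ptr"}
KNOWN_MECHS = LOOKUP_MECHS | {"ip4", "ip6", "all"}
TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:([:=/])(.*))?$", re.I)

def build_spf(includes, ip4=(), qualifier="~"):
    """Assemble the one-line record: v=spf1, includes, own IPs, then all."""
    terms = ["v=spf1"]
    terms += [f"include:{domain}" for domain in includes]
    terms += [f"ip4:{addr}" for addr in ip4]
    return " ".join(terms + [f"{qualifier}all"])

def lint_spf(txt_records):
    """Return a list of problems in a domain's TXT records; empty means OK."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 TXT record, found {len(spf)}"]
    problems, lookups, terminated = [], 0, False
    terms = spf[0].split()[1:]
    for pos, term in enumerate(terms):
        m = TERM.match(term)
        if not m:
            problems.append(f"unparseable term: {term}")
            continue
        qual, name, sep, value = m.group(1), m.group(2).lower(), m.group(3), m.group(4)
        if sep == "=":  # modifier such as redirect= or exp=
            if name == "redirect":  # costs a lookup and replaces the final all
                lookups, terminated = lookups + 1, True
            continue
        if name not in KNOWN_MECHS:
            problems.append(f"unknown mechanism: {term}")
            continue
        lookups += name in LOOKUP_MECHS
        if name in {"include", "exists", "ip4", "ip6"} and not value:
            problems.append(f"{name} needs a value: {term}")
        if name == "all":
            terminated = True
            if qual in ("", "+"):
                problems.append("+all authorizes every sender")
            if pos != len(terms) - 1:
                problems.append("terms after all are never evaluated")
    if not terminated:
        problems.append("no all mechanism at the end")
    if lookups > 10:
        problems.append(f"{lookups} top-level DNS lookups (limit is 10)")
    return problems
```

Pass lint_spf every TXT value published at the root of the domain, not just the SPF line, so that a leftover second v=spf1 record is caught.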
A Note on DNS Providers
The exact steps for adding a TXT record vary by provider, but the fields are always the same: record type (TXT), host or name (@ for root domain), and value (your SPF record). If your provider asks for a TTL, 3600 (one hour) is a safe default.
Testing Your SPF Record
Publishing the record is only half the job. You should verify that it's actually working.
Send a test email from each service listed in your SPF record and check the email headers on the receiving end. Look for the Authentication-Results header -- it should show spf=pass. If any service shows spf=fail or spf=softfail, double-check that the correct include is in your record.
You can also use SPF Record Check to validate your record at any time. It will flag syntax errors, missing mechanisms, and lookup limit issues.
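The header check described above, as an added Python example that is not part of the original guide. It reads the SPF verdict out of each Authentication-Results header and returns only the one stamped by your own receiving server, since a sender or an upstream relay can add such a header too. The sample message and the names spf_verdicts and spf_result_from are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not a real capture); every host and address is hypothetical.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=softfail (sender IP is 203.0.113.7) smtp.mailfrom=bounce@example.com;
 dkim=pass header.d=example.com
Authentication-Results: relay.upstream.example; spf=pass smtp.mailfrom=example.com
From: billing@example.com
Subject: SPF test from the invoicing tool

test body
"""

SPF_RESULT = re.compile(r"\bspf=([a-z]+)", re.I)
MAIL_FROM = re.compile(r"\bsmtp\.mailfrom=([^\s;]+)", re.I)

def spf_verdicts(raw_message):
    """Return (authserv_id, spf_result, mail_from) per Authentication-Results header."""
    verdicts = []
    msg = message_from_string(raw_message)
    for header in msg.get_all("Authentication-Results", []):
        value = " ".join(str(header).split())      # unfold continuation lines
        value = re.sub(r"\([^)]*\)", "", value)    # drop parenthesised comments
        authserv_id, _, results = value.partition(";")
        found = SPF_RESULT.search(results)
        if found:
            sender = MAIL_FROM.search(results)
            verdicts.append((authserv_id.strip(), found.group(1).lower(),
                             sender.group(1) if sender else None))
    return verdicts

def spf_result_from(raw_message, trusted_authserv_id):
    """SPF result stamped by your own receiving server, or None if it added none."""
    for authserv_id, result, _ in spf_verdicts(raw_message):
        if authserv_id.lower() == trusted_authserv_id.lower():
            return result
    return None
```

In the sample, the upstream header claims spf=pass while the receiving server recorded softfail, so the service behind bounce@example.com still needs its include added.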
What to Do Next
SPF is one of three email authentication protocols that work together. Once your SPF record is live, the next steps are:
- Set up DKIM -- DKIM adds a cryptographic signature to your emails, proving they haven't been altered in transit. Use DKIM Creator to generate your DKIM keys.
- Set up DMARC -- DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Use DMARC Creator to build your DMARC policy.
Together, SPF, DKIM, and DMARC give your domain the strongest possible email authentication. Most mailbox providers expect all three before they fully trust your messages.
Monitor Your New SPF Record
You've created your SPF record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.