How to Add an SPF Record in Gandi

Gandi is a well-established European domain registrar and hosting provider, popular for its transparent pricing and developer-friendly tools. If your domain is registered with Gandi or you're using their DNS hosting, you'll manage SPF records through their LiveDNS interface -- a modern, straightforward DNS management panel. Gandi may also create a default SPF record if you use their email service, so it's worth checking before you add anything new.

This guide walks you through adding, editing, and verifying SPF records in Gandi.

Why SPF Matters for Gandi Domains

When your domain is managed through Gandi, you need an SPF record to tell receiving mail servers which services are authorized to send email from your domain. Whether you're using Gandi's own email hosting, Google Workspace, Microsoft 365, or a transactional email service like SendGrid, SPF, as defined in RFC 7208, is the first line of defense against spoofing and spam classification.

Without an SPF record, receiving servers have no way to verify that emails from your domain are legitimate. The result is lower deliverability and a higher chance of landing in spam.

Step-by-Step: Adding an SPF Record in Gandi

Log in to Gandi

Go to gandi.net and sign in to your account.

Navigate to your domain's DNS records

From the dashboard, go to Domain in the left sidebar. Click on the domain you want to configure. Then click on DNS Records (see Gandi's DNS documentation for details on using the LiveDNS interface).

Check for existing SPF records

Look through the TXT records for any value starting with v=spf1. If you use Gandi's email service, they may have already created a default SPF record. If one exists, you'll need to edit it rather than creating a new one.

Add a new TXT record

Click Add Record. Set the Type to TXT. In the Name field, enter @ (this represents your root domain). In the Value field, paste your SPF record -- for example: v=spf1 include:_spf.google.com -all. The default TTL is 10800 seconds (3 hours), which is fine. Click Create.

Verify the record is live

Gandi's LiveDNS is generally fast, with changes propagating within a few minutes. Check your record at SPF Record Check to confirm it's published and correctly formatted.

A Note on the Name Field

In Gandi's LiveDNS interface, use @ in the Name field for your root domain's SPF record. Gandi interprets @ as the domain apex (root domain). Don't enter your full domain name -- just @. If you enter a subdomain name, the SPF record will only apply to that subdomain.

Gandi's LiveDNS interface supports a text-based view where you can see and edit your entire DNS zone as a text file. This can be useful for reviewing all your records at once, but for individual record changes, the graphical interface is simpler and less error-prone.

Gandi's Default SPF Record

If you use Gandi's email hosting (included with many domain plans), Gandi may create a default SPF record that authorizes their mail servers. This typically looks like:

v=spf1 include:_mailcust.gandi.net ~all

If you see this and also use other email services, you need to edit this record to include your additional services -- not create a second SPF record. For example, to add Google Workspace:

v=spf1 include:_mailcust.gandi.net include:_spf.google.com -all

If you've stopped using Gandi's email and moved to another provider entirely, replace the default record with one that only includes your current services.

SPF Record Examples for Gandi

Here are ready-to-use SPF records for common setups. Paste these into the Value field.

Google Workspace Only

Use the _spf.google.com include for Google Workspace:

v=spf1 include:_spf.google.com -all

Microsoft 365 Only

Use the spf.protection.outlook.com include for Microsoft 365:

v=spf1 include:spf.protection.outlook.com -all

Gandi Email + Google Workspace

v=spf1 include:_mailcust.gandi.net include:_spf.google.com -all

Google Workspace + Mailchimp

v=spf1 include:_spf.google.com include:servers.mcsv.net -all

Microsoft 365 + SendGrid

v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all

Setup	SPF Record	Est. Lookups
Google Workspace	v=spf1 include:_spf.google.com -all	~3
Microsoft 365	v=spf1 include:spf.protection.outlook.com -all	~2
Gandi + Google	v=spf1 include:_mailcust.gandi.net include:_spf.google.com -all	~5
Google + Mailchimp	v=spf1 include:_spf.google.com include:servers.mcsv.net -all	~5
M365 + SendGrid	v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all	~3

SPF records are limited to 10 DNS lookups. Each include adds at least one lookup, and nested includes add more. Use SPF Record Check to count your total lookups and make sure you're within the limit.

Monitor your email authentication

After setting up SPF in Gandi, make sure it keeps working. Get daily checks on SPF, DKIM, and DMARC.

Start Monitoring

Common Gandi SPF Mistakes

Not Checking for Gandi's Default SPF Record

If you use Gandi's email service, they likely created an SPF record already. Adding a second one for Google Workspace or Microsoft 365 creates duplicate SPF records, which causes a permerror that breaks email authentication entirely. Always check the existing TXT records first.

Creating an SPF Record on a Subdomain Instead of Root

If you enter a subdomain name in the Name field instead of @, the SPF record won't protect your main domain. Your primary SPF record should always be on the root domain. Only create subdomain SPF records if you specifically send email from subdomains.

Keeping Gandi's Include After Migrating Away

If you've moved email from Gandi to Google Workspace or Microsoft 365, remove include:_mailcust.gandi.net from your SPF record. Keeping it wastes a DNS lookup and adds unnecessary complexity.

Using the Wrong Qualifier

Pay attention to the all mechanism at the end of your SPF record. -all (hard fail) is recommended for most setups -- it tells receiving servers to reject email from unauthorized sources. ~all (soft fail) is more lenient but provides weaker protection. Gandi's default records sometimes use ~all, which you may want to tighten to -all once you've confirmed your SPF record is correct.

Editing an Existing SPF Record in Gandi

Find your SPF record

Go to Domain > your domain > DNS Records in Gandi's control panel. Look through the TXT records for the one starting with v=spf1.

Edit the record

Click the pencil icon (edit) next to the record. Update the Value field with your new SPF record, keeping v=spf1 at the beginning and your all mechanism at the end.

Save and verify

Click Save. Wait a few minutes for propagation, then verify the record at SPF Record Check.

Back up before editing

Copy your current SPF record before making changes. Gandi also lets you export your entire DNS zone -- consider doing this before major modifications.

Verifying Your SPF Record

After adding or editing your SPF record in Gandi, confirm that it's published correctly.

SPF Record Check -- Go to spfrecordcheck.com and enter your domain. It validates syntax, counts DNS lookups, and flags any issues.
Send a test email -- Send a message from each email service listed in your SPF record and check the headers on the receiving side for spf=pass.
Command line -- Run dig TXT yourdomain.com +short or nslookup -type=TXT yourdomain.com to see the raw TXT records published for your domain.

Complete Your Email Authentication

SPF is the first layer of email authentication. For full protection, you need all three protocols:

DKIM adds a cryptographic signature to your outgoing emails, proving they haven't been tampered with. Use DKIM Creator to generate your DKIM keys and add the records in Gandi's DNS management.
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Use DMARC Creator to build your DMARC policy.

Both DKIM and DMARC records are added as TXT records in Gandi's LiveDNS interface, using the same process as SPF.

Never miss an SPF issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.