Guide
SPF records, explained — and how to set one up
SPF lists the servers allowed to send email as your domain. Get it right and your mail stays out of spam; get it wrong and it can make things worse.
Check your SPF record →What it is
SPF (Sender Policy Framework) is a single TXT record on your domain that lists every server and service allowed to send email as you. When a receiving server gets a message, it checks the sending server against your SPF record.
It's read left to right, and the qualifier on the final all mechanism decides what happens to any server not on the list.
Why it matters
SPF stops other people sending mail from your domain via unauthorised servers, and it's one of the two things DMARC checks for alignment.
A missing, broken, or overly-permissive SPF record is one of the most common reasons legitimate email lands in spam.
How to set it up
- 1List every service that sends mail as your domain — your mailbox provider (Google, Microsoft 365), plus any ESP, CRM, invoicing or helpdesk tool.
- 2Combine them into a single record using include: for each provider's SPF (they publish the value to use).
- 3End the record with -all to reject everything else (recommended), or ~all for a softer softfail while you test.
- 4Keep it within 10 DNS lookups — flatten or consolidate includes if you exceed it, or the record fails.
Record structure & options
One TXT record listing every server allowed to send mail as your domain. It's read left-to-right; the qualifier on 'all' decides what happens to everything not listed.
v=spf1 include:_spf.google.com ip4:198.51.100.10 -all
- v=spf1
- Version — always first, required.
- include:
- Authorise another domain's SPF (e.g. your email provider: _spf.google.com).
- a / mx
- Authorise the domain's own A record or MX mail hosts.
- ip4: / ip6:
- Authorise specific IP addresses or ranges.
- -all
- Fail — reject everything else (strictest, recommended).
- ~all
- Softfail — accept but mark as suspicious.
- ?all / +all
- Neutral / pass-everything — avoid (+all authorises the world).
- redirect=
- Hand the whole SPF decision to another domain's record.
Only one SPF record per domain, and it must resolve in ≤10 DNS lookups — too many 'include's will break it.
Common problems
- What does "too many DNS lookups" mean?
- SPF is limited to 10 nested DNS lookups. Each include, a, mx and redirect counts. Go over and receivers return a permerror and ignore your SPF — consolidate providers or use an SPF-flattening service.
- Can I have two SPF records?
- No — a domain must have exactly one SPF (v=spf1) TXT record. Two records is an automatic failure; merge them into one.
- Should I use -all or ~all?
- -all (hard fail) is the goal and what DMARC enforcement expects. Use ~all (softfail) only briefly while confirming you've listed every legitimate sender.
Check it — then keep it healthy
Run a free scan now, or let DomainHealthPro monitor it continuously and alert you the moment it breaks.