Guide

SPF records, explained — and how to set one up

SPF lists the servers allowed to send email as your domain. Get it right and your mail stays out of spam; get it wrong and it can make things worse.

Check your SPF record

What it is

SPF (Sender Policy Framework) is a single TXT record on your domain that lists every server and service allowed to send email as you. When a receiving server gets a message, it checks the sending server against your SPF record.

It's read left to right, and the qualifier on the final all mechanism decides what happens to any server not on the list.

Why it matters

SPF stops other people sending mail from your domain via unauthorised servers, and it's one of the two things DMARC checks for alignment.

A missing, broken, or overly-permissive SPF record is one of the most common reasons legitimate email lands in spam.

How to set it up

  1. 1List every service that sends mail as your domain — your mailbox provider (Google, Microsoft 365), plus any ESP, CRM, invoicing or helpdesk tool.
  2. 2Combine them into a single record using include: for each provider's SPF (they publish the value to use).
  3. 3End the record with -all to reject everything else (recommended), or ~all for a softer softfail while you test.
  4. 4Keep it within 10 DNS lookups — flatten or consolidate includes if you exceed it, or the record fails.

Record structure & options

One TXT record listing every server allowed to send mail as your domain. It's read left-to-right; the qualifier on 'all' decides what happens to everything not listed.

Where it lives
yourdomain.com · TXT record (on the root/apex)
Example
v=spf1 include:_spf.google.com ip4:198.51.100.10 -all
Options
v=spf1
Version — always first, required.
include:
Authorise another domain's SPF (e.g. your email provider: _spf.google.com).
a / mx
Authorise the domain's own A record or MX mail hosts.
ip4: / ip6:
Authorise specific IP addresses or ranges.
-all
Fail — reject everything else (strictest, recommended).
~all
Softfail — accept but mark as suspicious.
?all / +all
Neutral / pass-everything — avoid (+all authorises the world).
redirect=
Hand the whole SPF decision to another domain's record.

Only one SPF record per domain, and it must resolve in ≤10 DNS lookups — too many 'include's will break it.

Common problems

What does "too many DNS lookups" mean?
SPF is limited to 10 nested DNS lookups. Each include, a, mx and redirect counts. Go over and receivers return a permerror and ignore your SPF — consolidate providers or use an SPF-flattening service.
Can I have two SPF records?
No — a domain must have exactly one SPF (v=spf1) TXT record. Two records is an automatic failure; merge them into one.
Should I use -all or ~all?
-all (hard fail) is the goal and what DMARC enforcement expects. Use ~all (softfail) only briefly while confirming you've listed every legitimate sender.

Check it — then keep it healthy

Run a free scan now, or let DomainHealthPro monitor it continuously and alert you the moment it breaks.

More guides