What is SPF?
Sender Policy Framework (SPF) is a DNS record that tells the world which mail servers are allowed to send email on behalf of your domain. When a receiving mail server gets an email claiming to come from @yourdomain.com, it looks up your SPF record and checks whether the sending server is on the approved list.
If the check fails, the receiving server can treat the message as suspicious — potentially marking it as spam or rejecting it entirely. Without SPF, anyone can forge your domain name in the "From" header and send phishing or spam emails that appear to come from you.
What to do
Step 1 — Check if you already have an SPF record
Look up your current DNS TXT records for your domain:
dig TXT yourdomain.com
A valid SPF record starts with v=spf1.
Step 2 — Create or update the record
A basic SPF record for a domain that only sends via Google Workspace looks like this:
v=spf1 include:_spf.google.com ~all
Common include: targets:
| Provider | Include value |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailchimp | include:servers.mcsv.net |
The ending qualifier matters:
- -all — Hard fail. Reject mail from unlisted servers. Recommended once you are confident in your list.
- ~all — Soft fail. Accept but mark suspicious. Good while testing. Move off it as soon as possible.
- ?all — Neutral. No policy applied. Avoid this.
- +all — Pass all. Never use this — it disables SPF entirely.
Step 3 — Publish the record
Add or update a TXT record on your domain (at the root @ level) with the value above. DNS changes can take up to 48 hours to propagate.
Step 4 — Verify
After propagation, test your record with a tool like MXToolbox SPF checker or by sending a test email to a Gmail address and checking the email headers for Authentication-Results.
Once you've implemented this, your next ExposureIndex report will show a lower (better) score.
Common mistakes
- Multiple SPF records — You can only have one SPF TXT record per domain. If you have two, both will be ignored by many servers. Merge them into a single record.
- Too many DNS lookups — SPF limits you to 10 DNS lookups. If you include many providers, you may exceed this limit. Use a flattening tool if needed.
- Forgetting subdomains — SPF on your root domain does not protect subdomains used for sending. Add separate SPF records for each sending subdomain.
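The mistakes above, together with the ending qualifier from Step 2, can be checked mechanically. The following Python code is an added example, not part of the original page or of any tool it mentions. The function names are assumptions, and the ZONE dictionary is constructed sample data with hypothetical domains standing in for dig TXT answers. It counts the terms that cost a DNS lookup (include, a, mx, ptr, exists, redirect), following nested includes.

```python
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(txts):
    """Keep only the TXT strings that are SPF records (v=spf1)."""
    return [t for t in txts if t.lower().split(" ")[0] == "v=spf1"]

def all_qualifier(record):
    """Qualifier on the record's all term ('+' when omitted), None if no all."""
    for term in record.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def count_lookups(domain, zone, path=frozenset()):
    """Count lookup-costing terms, following include: and redirect= targets."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for record in spf_records(zone.get(domain, [])):
        for term in record.lower().split()[1:]:
            m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term)
            if m and m.group(1) in LOOKUP_TERMS:
                total += 1
                if m.group(1) in ("include", "redirect") and m.group(2):
                    total += count_lookups(m.group(2), zone, path | {domain})
    return total

def audit(domain, zone):
    """Return finding codes for the mistakes listed above."""
    records = spf_records(zone.get(domain, []))
    if not records:
        return ["no-spf-record"]
    findings = ["multiple-spf-records"] if len(records) > 1 else []
    if count_lookups(domain, zone) > 10:
        findings.append("more-than-10-lookups")
    weak = [q for q in map(all_qualifier, records) if q in ("+", "?", "~")]
    return findings + ["weak-all:" + q for q in weak]

# Constructed sample data: TXT answers keyed by name (hypothetical domains).
ZONE = {
    "example.com": ["site-verification=constructed",
                    "v=spf1 mx include:_spf.a.example include:_spf.b.example ~all"],
    "_spf.a.example": ["v=spf1 include:_n0.a.example include:_n1.a.example "
                       "include:_n2.a.example include:_n3.a.example -all"],
    "_spf.b.example": ["v=spf1 a mx exists:%{i}.b.example include:_n0.a.example -all"],
    "dup.example": ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 include:_spf.a.example +all"],
}
```

Calling audit("example.com", ZONE) reports the lookup overrun and the soft-fail qualifier, while audit("mail.example.com", ZONE) returns no-spf-record, which is the subdomain gap described in the last bullet.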
Last updated: March 28, 2026