No SPF record? You’re inviting spam filters to block your emails.

However, setting up SPF can seem rather technical.

That’s why we created this guide. After reading it, you will know:

1. What kind of SPF record you have to set up
2. How to check your domain for an existing SPF record
3. Where and how to set up your SPF record correctly
4. How to validate your SPF record
5. What to do if your SPF record isn’t working

And to make it even easier, we’ll also show you several tools to help you set up SPF faster and with fewer errors.

‍

SPF Record Setup: The Key Steps You Need to Know

Before we continue, you need to know three things:

1. You must add an SPF record to your sending domain’s DNS records
2. You must add your email provider(s) (or the tool(s) you send cold emails with) to your SPF record
3. You cannot have multiple SPF records. Instead, you must add all the email providers to the same SPF record. We’ll show you how to do so later.

With that out of the way, here are the main steps to set up an SPF record:

1. Figure out what kind of SPF record you need to set up
2. Check if your domain has an existing SPF record
3. Set up your SPF record or modify the existing one
4. Validate your SPF record
5. Fix your SPF record if it isn’t working

‍

Let’s go through each step in more detail. The steps below are general and should work with most DNS providers. But if you’re looking for specific instructions tailored to your email or domain provider, we have step-by-step tutorials for:

• How to set up an SPF record for Google Workspace
• How to configure an SPF record for Office 365
• How to set up an SPF record for Zoho Mail
• How to add an SPF record in GoDaddy
• How to set up an SPF record on Cloudflare
• How to add an SPF record in Namecheap
• How to configure an SPF record on OVH
• How to set up SPF on Gandi

‍

Step 1: Figure Out What Kind of SPF Record You Need to Set Up

When setting up SPF, the first question that may come to your mind is:

What should my SPF record look like?

The answer is that it should include the sending servers of the services you use to send emails.

• Using a cold email tool and have connected your Google Workspace/Gmail account to it? You must add Google’s sending servers to the SPF record.
• Using the sending infrastructure of the cold email tool instead? Add their sending servers to your SPF record.
• Using your hosting company’s email servers? Add them to the SPF record.

Sound complicated?

We created an SPF Record Generator to make the process much easier.

Just select the services you use and click on Generate SPF record:

SPF Record Generator

Please select at least one service to generate your SPF record.

Gmail/Google Workspace

Outlook/Office 365

Mailgun

Zoho Mail

Amazon AWS

Sendgrid

Brevo

Porkbun

Generate SPF Record Copy to Clipboard

Your SPF Record:

‍

After using the SPF Record Generator, it's still wise to double-check with your email provider(s).

Here’s a list of official SPF documentation for the providers above:

• Google Workspace
• Office 365
• Mailgun
• Zoho Mail
• Amazon AWS
• Sendgrid
• Brevo
• Porkbun

Your email service not on the list?

Google: “your email service” + SPF record

‍

Step 2: Check for an Existing SPF Record

Having multiple SPF records can cause complications during authentication.

So, the first step to setting up an SPF is checking if there’s one already.

Here’s how you can check for an existing SPF record.

• Step 1: Log in to your domain provider account. If your domain’s nameservers point to a hosting company, you will log in here instead.
• Step 2: Find your domain and click on it
• Step 3: Go to the DNS page or tab. Sometimes, it’s called Advanced DNS or DNS Zone.
• Step 4: Look for TXT records that start with v=spf1. This is your domain’s SPF record. Double-check if there are multiple SPF records.

‍

Step 3: Set Up Your SPF Record or Modify the Existing One

The general steps to set up or modify an SPF record are as follows:

• Step 1: Log in to your domain provider account. If your domain’s nameservers point away from this domain provider, for example, to your hosting provider, then you should log in there.
• Step 2: Find your domain and click on it
• Step 3: Go to the DNS page. This is sometimes called Advanced DNS, DNS Zone, or similar.
• Step 4: If your domain has an existing SPF record, you must edit it and add your email provider(s) there. You do so by only copying the include or ip4/ip6 tags from the record you have to set up.
  • For example, let’s say you have to set up Google’s SPF record, which looks like this: v=spf1 include:_spf.google.com ~all
  • In this case, you copy only the include tag and add it to your existing record:
  • So, if you take “include:_spf.google.com” and add it to an existing SPF record, it will look like this:
  • v=spf1 include:somesendingserver.net include:_spf.google.com ~all
  • Note: SPF has a DNS lookup limit of 10. Ensure to remove unnecessary servers from your record. A single include tag can count as multiple lookups.
• Step 5: If your domain does not have an SPF record, click on Add new record or similar
• Step 6: Make sure your SPF record is a TXT record
• Step 7: Put @ in the Name or Host field to set up the SPF record on your root domain. Some domain providers require you to leave this blank for a root domain SPF record. On other domain providers, you have to put yourdomain.com in the Name field. To set up an SPF record on a subdomain, simply add only the subdomain's prefix. So if subdomain.yourdomain.com is your subdomain, enter “subdomain”.
• Step 8: Paste the SPF record string into the Value field. This field sometimes goes by the name TXT Value, too. Here’s an example SPF record string: v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
• Step 9: Leave the TTL to the default or a value between 1800 and 3600. TTL (Time To Live) defines the time in seconds the server should cache your record. A lower value can help propagate your record faster but may slightly increase DNS query load.
• Step 10: Save your record!

‍

Step 4: Validate Your SPF Record

In an ideal world, your SPF record would become active right after clicking the save button.

Unfortunately, that’s not how it works. In the worst cases, it can take up to three days for your SPF record to propagate fully.

Luckily, your record will usually become active in a few hours.

You can use Mailivery’s DNS Status meter to check the status of your record:

Your record will be good to go if the status indicator turns green.

You can try Mailivery for free for 7 days.

Alternatively, you can use a tool like MXToolbox to validate your record.

‍

SPF Errors - What to Do If Your SPF Record Isn’t Working

Waited a couple of days, and your SPF record still isn’t working?

Here are some of the most common SPF errors:

‍

Multiple SPF records

As mentioned earlier, your domain cannot have multiple SPF records.

Return to your domain’s DNS record and double-check that there aren’t multiple TXT records starting with v=spf1.

Found multiple SPF records? Combine them into a single record.

Here’s how:

Let’s say that you found the following two SPF records:

1. v=spf1 include:_spf.google.com ~all
2. v=spf1 include:spf.protection.outlook.com ~all

The simple way to combine them is by taking the includes (or ip4/6 tags if the servers are IP numbers and not a domain) of one record and adding them to the other record.

The combined record should now look like this:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

‍

Too many DNS Lookups

SPF has a DNS lookup limit of ten.

If you include any sending server under the sun, not only will your security be weaker, but it also means your record may hit that limit.

The simplest solution is to remove any email service you no longer use. Just remove the corresponding include or ip4/6 tags and save your record.

‍

Incorrect SPF record syntax

The SPF record’s syntax must be precisely correct for the record to work.

This means that something as simple as a redundant space can render your record useless.

Fortunately, it’s easy to check your record’s syntax. Use Mailivery’s free SPF Syntax Checker below to ensure your record’s syntax is correct:

‍

Using deprecated or insecure mechanisms

Some tags that were once valid in SPF records are now deprecated or no longer recommended.

If you use them in your SPF record, it will not work.

Some of these tags are:

• ptr: Used to perform a reverse DNS lookup, but we strongly discourage you from using it as the mechanism is unreliable and easy to spoof.
• exists: Used to build a custom domain name and check if it resolves to an A record via a DNS query. While this mechanism can still work, it can present a security risk.

‍

Missing all mechanisms

The all mechanism suggests what to do with emails that fail SPF authentication.

The most common all policy settings are:

• ~all = soft fail (recommended when first setting up your SPF record - emails get marked as suspicious but allowed to pass normally)
• -all = hard fail (Emails get sent to spam or rejected outright)
• ?all = neutral

Without an all tag, your SPF record won’t function correctly. It won’t return a definitive result. Consequently, the mail servers will treat it as neutral, depending on server policy.

‍

SPF Explained

You came to this post to set up your SPF record. That’s why we gave you the relevant steps to do so first.

It’s now time to give some background information on what SPF is and how it works.

SPF stands for Sender Policy Framework, an email authentication protocol designed to combat email spoofing.

Wonder what email spoofing is?

Email spoofing is when someone sends an email that looks like it's from a trusted sender, like your company or another trusted domain, but it’s actually fake.

‍

So, how does SPF combat email spoofing?

It lets you decide what sending servers can send from your domain.

Let's say you connect your Google Workspace account to a cold email tool, and your domain is set up to send and receive emails through Google Workspace; then, you must authorize Google to send emails on behalf of your domain.

If you don’t authorize Google’s sending servers, your emails will fail SPF authentication and likely land in the spam folder.

‍

SPF record format

While an SPF record may look like a random line of code, it actually consists of mechanisms (tags), each serving a specific function.

Let’s quickly discuss the most commonly used SPF mechanisms.

Here’s an example of a simple SPF record:

v=spf1 include:mailgun.org ~all

• The v mechanism holds the SPF version number. This is always spf1 until a new version comes into widespread use.
• The include mechanism defines the authorized sending server. If the sending server is an IP number instead of a domain, the ip4 or ip6 tag is used, depending on the type of IP number. You can add multiple include or ip4/6 tags to the record to authorize multiple sending servers as long as your record does not exceed the DNS Lookup limit of ten.
• The all mechanism returns the result when emails fail authentication. -all is the strictest policy, potentially sending emails to spam or rejecting them outright. The all mechanism is not the sole decision-maker regarding unauthorized emails. The server’s configuration and your domain’s DMARC record also play a significant part in what happens to them.

‍

Why Set Up an SPF Record?

A correctly configured SPF record makes your emails more secure and gives you better open rates.

Why does SPF improve inbox placement?

Email providers see that your emails are harder to spoof and reward you by delivering more of your emails to your prospects’ inboxes.

With SPF set up, more people will read your emails, potentially leading to more revenue for your business.

‍

Apart From SPF, What Other Email Authentication Methods Do I Need to Set Up?

Setting up SPF is an essential step toward reaching your prospect’s inbox.

But SPF alone is not enough.

To have the best chance of landing in the inbox and thus converting your prospects, you must also set up:

• DKIM: Prevents emails from being modified after they are sent
• DMARC: Lets you decide what to do with emails that fail SPF and DKIM authentication

‍

What’s the Next Step?

After setting up your domain’s email authentication records, it’s time to warm up your email.

Email warm-up is the process of slowly increasing the number and frequency of the emails you send.

Why is email warm-up important?

It helps build up your sender reputation. You see, if you have a new sending domain, you can’t just start blasting tens of emails per day.

Email service providers do not recognize your domain as a trusted sender yet.

This is where email warm-up comes in. Email warm-up slowly establishes your sender reputation automatically.

Mailivery is an AI-powered email warm-up and deliverability tool designed to enhance your sender reputation and ensure your emails land in the primary inbox rather than the spam folder.

‍

You can try Mailivery’s Starter plan free for 7 days.

‍