🔐 Authentication

SPF Record Guide:
Setup, Syntax & Mistakes to Avoid

📅 Updated March 2026⏱ 7 min read📋 Technical Guide

SPF (Sender Policy Framework) is a DNS record that tells the world which servers are allowed to send email on behalf of your domain. Without SPF, receiving servers have no way to verify your emails are legitimate.

💡Quick check: Run a test at CheckEmailDelivery.com to see if your SPF is working correctly.

What is an SPF Record?

An SPF record is a TXT record in your domain's DNS that lists all the servers and services authorized to send email from your domain. Here's a basic example:

v=spf1 include:_spf.google.com ~all

This record says:

  • v=spf1 — This is an SPF version 1 record
  • include:_spf.google.com — Google Workspace servers are authorized
  • ~all — Softfail anything not listed (mark as suspicious)

SPF Syntax Explained

MechanismExampleMeaning
include:include:_spf.google.comInclude another domain's SPF
ip4:ip4:192.0.2.0/24Authorize an IPv4 address/range
ip6:ip6:2001:db8::/32Authorize an IPv6 address/range
aa:mail.example.comAuthorize the A record's IP
mxmxAuthorize all MX servers

Qualifiers (the ending)

-allHard Fail

Reject emails from unlisted servers. Strictest.

~allSoft Fail

Mark as suspicious but accept. Most common.

?allNeutral

No policy. Not recommended.

+allPass All

Allow anyone. Never use this!

Common Provider Includes

Here are the SPF includes for popular email services. Add these to your SPF record if you use them:

ProviderSPF Include
Google Workspaceinclude:_spf.google.com
Microsoft 365include:spf.protection.outlook.com
SendGridinclude:sendgrid.net
Mailchimpinclude:servers.mcsv.net
Amazon SESinclude:amazonses.com
Zohoinclude:zoho.com
Mailguninclude:mailgun.org
Postmarkinclude:spf.mtasv.net

Common SPF Mistakes

❌ Too many DNS lookups (10 limit)

SPF allows only 10 DNS lookups total. Each include:, a, mx, and redirect counts. If you hit this limit, SPF fails entirely.

Fix: Flatten includes into IP addresses, or use an SPF flattening service.

❌ Multiple SPF records

You can only have ONE SPF record per domain. Two records = both fail.

Fix: Combine all includes into a single TXT record.

⚠️ Using +all

This allows anyone to send email as your domain. Never use +all.

⚠️ Forgetting third-party services

If you use Mailchimp, SendGrid, etc., you need their include in your SPF.

Example SPF Records

Google Workspace Only
v=spf1 include:_spf.google.com ~all
Microsoft 365 + SendGrid
v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all
Multiple Services
v=spf1 include:_spf.google.com include:servers.mcsv.net include:amazonses.com ~all
🎯Test your SPF: Run a free email test at CheckEmailDelivery.com to verify your SPF is configured correctly.

Related Guides

AUTHENTICATIONHow to Fix DKIMAUTHENTICATIONWhat is DMARC?DELIVERABILITYWhy Emails Go to Spam