SPF Records
Sender Policy Framework - Email sender verification
What is SPF?
SPF (Sender Policy Framework) is an email authentication method that specifies which mail servers are authorized to send emails on behalf of your domain, helping prevent email spoofing.
Why is it important?
SPF helps protect your domain from being used in spam and phishing attacks, improves email deliverability, and builds trust with recipients by verifying the authenticity of your emails.
Impact
Without proper SPF configuration, your legitimate emails may be marked as spam or rejected entirely, and attackers can easily impersonate your domain in phishing campaigns.
Current Configuration
- Domain: example.com
- SPF Record: v=spf1 include:_spf.google.com ~all
- Policy: Soft Fail (~all)
- DNS Lookups: 3 of 10 allowed
- Last Checked: December 3, 2025 - 10:15 AM
- Status: Valid
SPF Mechanisms Explained
- v=spf1: SPF version identifier (required)
- include: Include another domain's SPF record
- a: Authorize domain's A record IP addresses
- mx: Authorize domain's MX record IP addresses
- ip4: Authorize specific IPv4 address/range
- ip6: Authorize specific IPv6 address/range
- ~all: Soft fail - accept but mark suspicious
- -all: Hard fail - reject unauthorized senders
SPF Policy Levels
Neutral (?all)
Not Recommended: No policy is specified. Provides no protection and is essentially the same as having no SPF record.
- No protection
- Accepts all mail
- Easy to spoof
Soft Fail (~all)
Recommended: Unauthorized emails are accepted but marked as suspicious. Good balance between security and deliverability.
- Moderate protection
- Marks suspicious mail
- Safe for most setups
Hard Fail (-all)
Maximum Security: Unauthorized emails are rejected outright. Provides maximum protection but requires careful configuration.
- Maximum protection
- Rejects unauthorized mail
- Requires careful setup
How to Configure SPF
- Identify all services and servers that send emails on behalf of your domain (email providers, marketing tools, etc.).
- Log in to your domain registrar or DNS hosting provider's control panel.
- Navigate to the DNS management section for your domain.
- Create a new TXT record for your root domain (@) or delete the existing SPF record if updating.
- Add your SPF record. Basic example for Google Workspace: v=spf1 include:_spf.google.com ~all
- If you use multiple services, include them all (but stay under 10 DNS lookups): v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:192.0.2.1 ~all
- Save the DNS record and wait for propagation (typically 15 minutes to 48 hours).
- Test your SPF record using online validation tools.
Common SPF Record Examples
SPF configurations for popular email providers:
Google Workspace:
v=spf1 include:_spf.google.com ~all
Microsoft 365:
v=spf1 include:spf.protection.outlook.com ~all
Multiple Services:
v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net ~all
With Custom IP Addresses:
v=spf1 include:_spf.google.com ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all
SPF Best Practices
- DNS Lookup Limit: Stay under 10 lookups (includes nested includes)
- Single SPF Record: Only one SPF record per domain
- Start Conservative: Use ~all before moving to -all
- Regular Audits: Review and update quarterly
- Document Changes: Keep track of why services were added
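
An added example, not part of the original page or of any tool it describes: an offline Python check for three of the rules above (one SPF record per domain, the 10-lookup limit counted through nested includes, and the all policy). The ZONE data and every .example name in it are constructed stand-ins for DNS TXT answers.

```python
import re

# Terms that cost one DNS query each during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
POLICIES = {"-": "hard fail", "~": "soft fail", "?": "neutral", "+": "pass"}
MAX_LOOKUPS = 10

# Constructed TXT data standing in for DNS; every name here is made up.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:news.example ip4:192.0.2.1 ~all"],
    "_spf.mail.example": ["v=spf1 include:a.mail.example include:b.mail.example ~all"],
    "a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "b.mail.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "news.example": ["v=spf1 a mx ~all"],
    "dup.example": ["v=spf1 -all", "v=spf1 ~all"],
}

def spf_records(domain, zone):
    """TXT strings for the domain whose first token is v=spf1."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count lookup-costing terms, following include/redirect recursively."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:  # loop, missing or ambiguous target
        return 0
    total = 0
    for term in records[0].split()[1:]:
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(body[len(name) + 1:], zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Check the single-record rule, the lookup budget and the all policy."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return {"valid": False, "reason": f"{len(records)} SPF records, exactly 1 required"}
    lookups = count_lookups(domain, zone)
    alls = [t for t in records[0].split()[1:] if t.lstrip("+-~?").lower() == "all"]
    qualifier = alls[0][0] if alls and alls[0][0] in POLICIES else "+"
    return {"valid": lookups <= MAX_LOOKUPS, "lookups": lookups,
            "policy": POLICIES[qualifier] if alls else "no all term"}

if __name__ == "__main__":
    for name in ("example.com", "dup.example"):
        print(name, lint(name))
```

The constructed example.com record has only two include terms of its own, but the nested records bring the total to 6 lookups, which is why a count taken from the top-level record alone understates the budget.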