Skip to content
Pricing RU Sign In
RU

How to Set Up an SPF Record for Your Domain

By · Updated
Key idea:

SPF (Sender Policy Framework) is a DNS TXT record listing IPs and servers allowed to send mail on behalf of your domain. Without SPF, Gmail/Yandex.Mail/Mail.ru drop mail into spam. Minimum record: v=spf1 ip4:YOURIP -all. For Google Workspace: v=spf1 include:_spf.google.com ~all. Verify via the DNS checker.

Below: step-by-step, working examples, common pitfalls, FAQ.

Try it now — free →

Step-by-Step Setup

  1. List every service sending mail from your domain (Mailchimp, Google Workspace, own server, Yandex Mail Pro)
  2. Open your registrar's DNS panel (REG.RU, Timeweb, Cloudflare)
  3. Create a TXT record with name @ (domain apex)
  4. Value: v=spf1 include:provider1 include:provider2 -all
  5. Wait for propagation (up to 24 hours)
  6. Verify via Enterno DNS Checker — enter domain, select TXT
  7. Send a test email to check-auth@verifier.port25.com — receive an auto-report

Working Examples

ScenarioConfig / Record
Google Workspace onlyv=spf1 include:_spf.google.com ~all
Yandex360 onlyv=spf1 redirect=_spf.yandex.net
Google + Mailchimp + own IPv=spf1 ip4:203.0.113.10 include:_spf.google.com include:servers.mcsv.net ~all
Mailgunv=spf1 include:mailgun.org ~all
Block all sending (parked domain)v=spf1 -all

Common Pitfalls

  • Multiple SPF records on the same domain = invalid (RFC 7208). Merge into one.
  • More than 10 DNS lookups (via include) → SPF permerror. Count nested includes.
  • +all instead of -all allows any source and defeats SPF
  • SPF is not needed to receive mail — only to send from the domain
  • Forgetting to add a new provider (e.g. Sendinblue) → mail goes to spam

Related guides

A / AAAAIPv4 and IPv6 host addresses
MX RecordsDomain mail servers
TXT / SPFVerification & anti-spoofing
NS / SOAName servers & zone authority

Why teams trust us

12
DNS record types
SPF+DKIM
email protection
<1s
DNS response
3
check regions

How it works

1

Enter domain

2

Select record type

3

Get DNS response

What are DNS Records?

DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.

Complete Lookup

Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.

Instant Results

Direct queries to authoritative servers. Results in milliseconds, no caching.

Security Checks

SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.

Export & History

Save check results. Compare DNS records before and after registrar changes.

Who uses this

DevOps

DNS check after deploy

Email marketers

SPF/DKIM/DMARC audit

SEO

DNS config audit

Sysadmins

DNS zone control

Common Mistakes

Missing SPF recordWithout SPF, emails may land in spam. Add a v=spf1 TXT record.
Single NS serverIf the only NS fails, the domain becomes unreachable. Use at least 2 NS servers.
CNAME conflicting with other recordsCNAME cannot coexist with MX or TXT on the same name — this violates RFC.
TTL set too highWith 86400s TTL, DNS changes take a full day. Lower TTL to 300 before migrations.
Missing PTR recordMail servers check PTR. Without it, emails may be rejected.

Best Practices

Set up SPF + DKIM + DMARCThe trio of records that protects your email from spoofing and improves deliverability.
Use 2+ NS serversDistribute NS servers across different networks for redundancy.
Lower TTL before migrationSet TTL to 300 at least 24-48 hours before an IP change for fast propagation.
Verify DNS after changesAfter updating records, confirm changes propagated correctly and no errors remain.
Add a CAA recordCAA restricts which Certificate Authorities can issue SSL certificates for your domain.

Get more with a free account

DNS check history, API keys and DNS change monitoring.

Sign up free

Related tools

SSL CheckWHOISPing & PortsSecurity Check

Learn more

How-to

Glossary

Research

Alternatives

Frequently Asked Questions

What is the difference between ~all and -all?

<code>~all</code> (softfail) marks mail as suspicious but may still deliver. <code>-all</code> (hardfail) rejects it. Start with <code>~all</code>, switch to <code>-all</code> after 1-2 clean weeks.

Do I need SPF if I have DKIM?

Yes — they are different mechanisms. SPF verifies the sender IP, DKIM signs content. DMARC requires at least one to align. Configure both.

Can I use multiple includes?

Yes, as long as you do not exceed 10 total DNS lookups (including nested).

How do I see my current SPF?

Via <a href="/en/dns">Enterno DNS Checker</a> — enter domain, pick TXT, view all TXT including SPF. Or: <code>dig TXT example.com</code>.

Start monitoring for free

Sign up and get access to API, monitoring and notifications

Create Account API Documentation