Skip to content

How to Set Up an SPF Record for Your Domain

Key idea:

SPF (Sender Policy Framework) is a DNS TXT record listing IPs and servers allowed to send mail on behalf of your domain. Without SPF, Gmail/Yandex.Mail/Mail.ru drop mail into spam. Minimum record: v=spf1 ip4:YOURIP -all. For Google Workspace: v=spf1 include:_spf.google.com ~all. Verify via the DNS checker.

Below: step-by-step, working examples, common pitfalls, FAQ.

Check your domain's DNS →

Step-by-Step Setup

  1. List every service sending mail from your domain (Mailchimp, Google Workspace, own server, Yandex Mail Pro)
  2. Open your registrar's DNS panel (REG.RU, Timeweb, Cloudflare)
  3. Create a TXT record with name @ (domain apex)
  4. Value: v=spf1 include:provider1 include:provider2 -all
  5. Wait for propagation (up to 24 hours)
  6. Verify via Enterno DNS Checker — enter domain, select TXT
  7. Send a test email to check-auth@verifier.port25.com — receive an auto-report

Working Examples

ScenarioConfig / Record
Google Workspace onlyv=spf1 include:_spf.google.com ~all
Yandex360 onlyv=spf1 redirect=_spf.yandex.net
Google + Mailchimp + own IPv=spf1 ip4:203.0.113.10 include:_spf.google.com include:servers.mcsv.net ~all
Mailgunv=spf1 include:mailgun.org ~all
Block all sending (parked domain)v=spf1 -all

Common Pitfalls

  • Multiple SPF records on the same domain = invalid (RFC 7208). Merge into one.
  • More than 10 DNS lookups (via include) → SPF permerror. Count nested includes.
  • +all instead of -all allows any source and defeats SPF
  • SPF is not needed to receive mail — only to send from the domain
  • Forgetting to add a new provider (e.g. Sendinblue) → mail goes to spam

TL;DR: How to Set Up an SPF Record

To set up an SPF record, create a TXT record in your DNS settings with the format v=spf1 include:example.com -all. Replace example.com with your domain or the domains of your email service providers. This record specifies which mail servers are permitted to send emails on behalf of your domain, enhancing email security and deliverability.

Understanding SPF Records

Sender Policy Framework (SPF) is an email authentication protocol designed to prevent spammers from sending messages on behalf of your domain. An SPF record is a type of DNS record that lists the IP addresses or hostnames of authorized mail servers for your domain. When an email is sent, the receiving mail server checks the SPF record to verify that the email comes from an authorized source.

SPF records are crucial for maintaining your domain's reputation and ensuring that your emails reach their intended recipients. Without a proper SPF record, your emails are more likely to be flagged as spam or rejected entirely. The SPF specification is defined in RFC 7208.

Components of an SPF Record

An SPF record typically consists of several components, including:

  • Version: This indicates the SPF version used, typically v=spf1.
  • Mechanisms: These specify which IP addresses or domains are authorized. Common mechanisms include:
    • ip4: Specifies an IPv4 address or range.
    • ip6: Specifies an IPv6 address or range.
    • include: Allows the inclusion of another domain's SPF record.
    • all: Matches any source, typically used at the end of the record.
  • Modifiers: Optional parameters that provide additional instructions, such as exp: for explanations.

For example, a simple SPF record might look like this:

v=spf1 ip4:192.0.2.1 include:mail.example.com -all

This record indicates that emails from your domain can be sent from the IP address 192.0.2.1 and any server listed in mail.example.com.

Step-by-Step Guide to Setting Up Your SPF Record

Setting up an SPF record involves several steps, from accessing your DNS settings to verifying the configuration. Follow this detailed guide to ensure proper implementation:

  1. Access Your DNS Management Console: Log in to your domain registrar or hosting provider where your DNS is managed. This may be services like GoDaddy, Namecheap, or Cloudflare.
  2. Locate the DNS Settings: Navigate to the DNS management section. This may be labeled as DNS Settings, DNS Management, or Zone File Settings.
  3. Add a New TXT Record: Create a new TXT record. The fields typically include:
    • Name: Enter your domain or subdomain (e.g., @ for the root domain).
    • Type: Select TXT.
    • Value: Enter your SPF record (e.g., v=spf1 ip4:192.0.2.1 include:mail.example.com -all).
  4. Save Your Changes: Ensure to save or apply the changes in your DNS settings. DNS propagation may take anywhere from a few minutes to 48 hours.
  5. Verify Your SPF Record: Use tools like MXToolbox or Kitterman SPF Validator to check the validity of your SPF record. Input your domain and analyze the results.
  6. Monitor Email Deliverability: After setting up your SPF record, monitor your email deliverability. Use analytics tools to track email performance and adjust your SPF record as necessary.

For example, if you're using Google Workspace for your email, your SPF record may look like this:

v=spf1 include:_spf.google.com ~all

This configuration allows Google’s servers to send emails on behalf of your domain while marking other sources as suspect.

A / AAAAIPv4 and IPv6 host addresses
MX RecordsDomain mail servers
TXT / SPFVerification & anti-spoofing
NS / SOAName servers & zone authority

Why teams trust us

12
DNS record types
SPF+DKIM
email protection
<1s
DNS response
3
check regions

How it works

1

Enter domain

2

Select record type

3

Get DNS response

What are DNS Records?

DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.

Complete Lookup

Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.

Instant Results

Direct queries to authoritative servers. Results in milliseconds, no caching.

Security Checks

SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.

Export & History

Save check results. Compare DNS records before and after registrar changes.

Who uses this

DevOps

DNS check after deploy

Email marketers

SPF/DKIM/DMARC audit

SEO

DNS config audit

Sysadmins

DNS zone control

Common Mistakes

Missing SPF recordWithout SPF, emails may land in spam. Add a v=spf1 TXT record.
Single NS serverIf the only NS fails, the domain becomes unreachable. Use at least 2 NS servers.
CNAME conflicting with other recordsCNAME cannot coexist with MX or TXT on the same name — this violates RFC.
TTL set too highWith 86400s TTL, DNS changes take a full day. Lower TTL to 300 before migrations.
Missing PTR recordMail servers check PTR. Without it, emails may be rejected.

Best Practices

Set up SPF + DKIM + DMARCThe trio of records that protects your email from spoofing and improves deliverability.
Use 2+ NS serversDistribute NS servers across different networks for redundancy.
Lower TTL before migrationSet TTL to 300 at least 24-48 hours before an IP change for fast propagation.
Verify DNS after changesAfter updating records, confirm changes propagated correctly and no errors remain.
Add a CAA recordCAA restricts which Certificate Authorities can issue SSL certificates for your domain.

Get more with a free account

DNS check history, API keys and DNS change monitoring.

Sign up free

Learn more

Frequently Asked Questions

What is the difference between ~all and -all?

<code>~all</code> (softfail) marks mail as suspicious but may still deliver. <code>-all</code> (hardfail) rejects it. Start with <code>~all</code>, switch to <code>-all</code> after 1-2 clean weeks.

Do I need SPF if I have DKIM?

Yes — they are different mechanisms. SPF verifies the sender IP, DKIM signs content. DMARC requires at least one to align. Configure both.

Can I use multiple includes?

Yes, as long as you do not exceed 10 total DNS lookups (including nested).

How do I see my current SPF?

Via <a href="/en/dns">Enterno DNS Checker</a> — enter domain, pick TXT, view all TXT including SPF. Or: <code>dig TXT example.com</code>.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.