SPF records, explained
What an SPF record is, how it works, and why setting it up correctly is essential for keeping your business email out of spam folders.
Your email may look legitimate to you, but if receiving servers don't recognize who sent it, they'll treat it with suspicion. An SPF record is a simple DNS entry that tells the internet which mail servers are authorized to send email from your domain. This guide explains exactly what it is and why it matters.
Quick summary
An SPF record is a DNS TXT record that lists all the mail servers and services permitted to send email from your domain. When someone receives an email from you, their server checks the SPF record to verify the sender. Without a valid SPF record, your emails are more likely to land in spam.
What SPF stands for
SPF stands for Sender Policy Framework. It's been a standard part of email infrastructure since the early 2000s and is now widely required for good email deliverability.
How SPF works
You send an email from you@yourbusiness.com using Google Workspace.
The recipient's mail server receives the email and extracts the sending domain (yourbusiness.com) from the message.
The server looks up your domain's SPF record in DNS.
It checks whether the IP address of Google's sending server is on the authorized list.
If the IP is listed: the email passes SPF and continues to the inbox. If it's not listed: the email may be marked as suspicious or rejected, depending on the DMARC policy.
What an SPF record looks like
An SPF record is a TXT record added to your DNS. Here are common examples:
Google Workspace:
v=spf1 include:_spf.google.com ~allMicrosoft 365:
v=spf1 include:spf.protection.outlook.com ~allMultiple senders (e.g., both Google and Mailchimp):
v=spf1 include:_spf.google.com include:servers.mcsv.net ~allBreaking down the parts
| Part | What it means |
|---|---|
v=spf1 | Declares this is an SPF record version 1 |
include:domain | Authorizes all senders listed in that domain's SPF record |
~all | Soft fail — unauthorized senders should be treated with suspicion (but not automatically rejected) |
-all | Hard fail — unauthorized senders should be rejected |
+all | Allow any sender (very insecure — never use this) |
The ~all vs -all choice
Most providers recommend ~all (soft fail) unless you have strict control over all your sending sources. A hard fail (-all) can cause legitimate email to be rejected if you've missed authorizing a sending service.
If you're not sure which to use, start with ~all and tighten it later with a DMARC policy.
One SPF record per domain
You can only have one SPF record per domain. If you need to authorize multiple sending services (your email provider, a newsletter tool, a CRM), combine them all into one record using multiple include: statements, as shown above.
Don't create duplicate SPF records
If your domain has more than one TXT record starting with v=spf1, the SPF check will fail. All senders must be combined into a single SPF record.
Do I need to create this myself?
Not usually. We add or update SPF records as part of setting up email hosting, migrating email providers, or configuring email marketing tools. If you're seeing deliverability issues, we can check your SPF record and fix it.
Common questions
Related guides
- DKIM records, explained
- DMARC records, explained
- Email DNS records (MX, SPF, DKIM, DMARC)
- DNS records explained (A, CNAME, MX, TXT)
- Why your emails land in spam (deliverability)
Need a hand?
Learn more
Email DNS records (MX, SPF, DKIM, DMARC)
An overview of the four DNS record types that make your business email work correctly and land in inboxes rather than spam.
DKIM records, explained
What a DKIM record does, how it signs your outgoing email to prove it's genuine, and why it matters for email deliverability.