Configuring SPF

Complete guide to setting up SPF (Sender Policy Framework) records for email authentication. Includes step-by-step instructions, common configurations, and troubleshooting.

SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and servers are authorized to send email for your domain. This guide covers everything you need to set up SPF correctly.

What is SPF?

SPF works by:

  1. Publishing authorized senders - You list allowed IPs/servers in DNS
  2. Checking sender IP - Receiving servers check if sender IP is authorized
  3. Applying policy - Server accepts, rejects, or marks email based on SPF result

Why SPF Matters

  • Email Authentication - Required by Google, Yahoo, and Microsoft
  • Prevents Spoofing - Blocks unauthorized senders from using your domain
  • Deliverability - Improves inbox placement
  • DMARC Foundation - Required for DMARC to work properly

SPF Record Structure

SPF records are published as TXT records at your domain root:

yourdomain.com  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net -all"

Key Components

Component   Description                Example
Version     Always starts with v=spf1  v=spf1
Mechanisms  Define authorized senders  include:, ip4:, a:, mx:
Qualifiers  Action to take             + (pass), - (fail), ~ (softfail), ? (neutral)
Modifiers   Additional instructions    redirect=, exp=

SPF Mechanisms Explained

Include Mechanism

Include another domain's SPF record:

include:_spf.google.com
include:sendgrid.net

Common Includes:

Service           Include Statement
Google Workspace  include:_spf.google.com
Microsoft 365     include:spf.protection.outlook.com
SendGrid          include:sendgrid.net
Mailchimp         include:servers.mcsv.net
Amazon SES        include:amazonses.com
Postmark          include:spf.postmarkapp.com
Mandrill          include:spf.mandrillapp.com
Constant Contact  include:spf.constantcontact.com
HubSpot           include:_spf.hubspot.com

IP Address Mechanisms

Specify specific IP addresses or ranges:

ip4:192.168.1.1          # Single IPv4
ip4:192.168.1.0/24       # IPv4 range
ip6:2001:db8::1          # Single IPv6
ip6:2001:db8::/32        # IPv6 range

A and MX Mechanisms

Use domain's A or MX records:

a                    # All A records
a:mail.example.com   # Specific A record
mx                   # All MX records
mx:mail.example.com  # Specific MX record

All Mechanism

Matches everything (must be last):

-all      # Fail (reject) - Recommended
~all      # SoftFail (accept but mark) - Testing
+all      # Pass (allow all) - NOT RECOMMENDED
?all      # Neutral (no policy) - Not recommended

Step-by-Step Setup Guide

Step 1: Inventory Your Sending Sources

List all services and servers sending email from your domain:

Common Sources:

  • Email providers (Google Workspace, Microsoft 365)
  • Marketing platforms (Mailchimp, HubSpot, Constant Contact)
  • Transactional email (SendGrid, Postmark, Amazon SES)
  • Internal mail servers
  • CRM systems (Salesforce, etc.)
  • Help desk systems (Zendesk, etc.)

Step 2: Gather SPF Include Statements

For each third-party service, get their SPF include:

Example for multiple services:

v=spf1
  include:_spf.google.com
  include:spf.protection.outlook.com
  include:sendgrid.net
  include:servers.mcsv.net
  ip4:192.168.1.100
  -all

Note: SPF records must be on a single line in DNS (shown multi-line here for readability).

Step 3: Build Your SPF Record

Combine all your includes and IPs:

Basic Example:

v=spf1 include:_spf.google.com -all

Complex Example:

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ip4:203.0.113.0/24 -all

Step 4: Check DNS Lookup Count

SPF has a 10 DNS lookup limit. Each include, a, mx, and redirect counts.

Count your lookups:

  • include:_spf.google.com = 1 lookup (may expand to more)
  • include:sendgrid.net = 1 lookup
  • ip4:192.168.1.1 = 0 lookups (direct IP)
  • a = 1 lookup
  • mx = 1 lookup

Use MailSentinel to check:

  1. Add your domain
  2. View SPF validation
  3. See lookup count and breakdown
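
The count in Step 4, worked through as an added example (not part of the original guide or of MailSentinel). It expands nested includes the way a receiver does; the zone data, the .test domain names and the function names are constructed for illustration, and exists and ptr are counted as well because they also trigger DNS queries.

```python
# Constructed sample zone standing in for live TXT lookups (not real records).
ZONE = {
    "example.test": "v=spf1 include:_spf.mail.test include:esp.test a mx ip4:203.0.113.0/24 -all",
    "_spf.mail.test": "v=spf1 include:_nb1.mail.test include:_nb2.mail.test ~all",
    "_nb1.mail.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.mail.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "esp.test": "v=spf1 ip4:192.0.2.0/24 ~all",
}
# Terms that cost a lookup; exists and ptr count too (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
LIMIT = 10


def parse_term(term):
    """Split one SPF term into (name, target); target may be empty."""
    if "=" in term and ":" not in term.split("=", 1)[0]:
        name, target = term.split("=", 1)          # modifier, e.g. redirect=
    else:
        name, _, target = term.lstrip("+-~?").partition(":")
    return name.split("/")[0].lower(), target      # "a/24" -> "a"


def count_lookups(domain, zone, path=()):
    """Return the (domain, term) pairs that each cost one DNS lookup."""
    if domain in path:
        raise ValueError(f"include loop: {' -> '.join(path + (domain,))}")
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record published for {domain}")
    costs = []
    for term in record.split()[1:]:
        name, target = parse_term(term)
        if name not in LOOKUP_TERMS:
            continue                               # ip4, ip6 and all are free
        costs.append((domain, term))
        if name in ("include", "redirect"):        # nested records count too
            costs += count_lookups(target, zone, path + (domain,))
    return costs


def report(domain, zone):
    """Print the breakdown and return (lookups used, within limit?)."""
    costs = count_lookups(domain, zone)
    for owner, term in costs:
        print(f"{owner:16} {term}")
    print(f"{len(costs)} of {LIMIT} lookups used")
    return len(costs), len(costs) <= LIMIT
```

Calling report("example.test", ZONE) shows that the two top-level includes already cost four lookups once the nested records are expanded.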

Step 5: Publish DNS Record

Add TXT record to your DNS:

Field      Value
Type       TXT
Host/Name  @ or leave blank (root domain)
Value      Your complete SPF record
TTL        3600 (1 hour) or default

Important: Only ONE SPF record allowed per domain.

Step 6: Verify SPF Setup

Using MailSentinel

  1. Go to your domain dashboard
  2. Click Check DNS
  3. Verify SPF record is detected
  4. Check lookup count and validation status

Manual Verification

# Using dig
dig TXT yourdomain.com
 
# Using nslookup
nslookup -type=TXT yourdomain.com

Common SPF Configurations

Google Workspace Only

v=spf1 include:_spf.google.com -all

Microsoft 365 Only

v=spf1 include:spf.protection.outlook.com -all

Google Workspace + SendGrid

v=spf1 include:_spf.google.com include:sendgrid.net -all

Multiple Services

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net include:spf.postmarkapp.com -all

With Internal Mail Server

v=spf1 include:_spf.google.com ip4:203.0.113.100 -all

Subdomain Strategy

For complex setups, use subdomains:

yourdomain.com            → v=spf1 include:_spf.google.com -all
mail.yourdomain.com       → v=spf1 include:sendgrid.net -all
marketing.yourdomain.com  → v=spf1 include:servers.mcsv.net -all

SPF Alignment for DMARC

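For an SPF pass to count toward DMARC, the envelope sender (Return-Path) domain must align with your From: domain. Under relaxed alignment, the DMARC default, a subdomain of the same domain is enough: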

  • Envelope sender: bounce@mail.yourdomain.com
  • From: domain: yourdomain.com
  • Result: ✅ Passes (subdomain alignment)

Strict Alignment

  • Envelope sender: bounce@yourdomain.com
  • From: domain: yourdomain.com
  • Result: ✅ Passes (exact match)

Misalignment Example

  • Envelope sender: bounce@otherdomain.com
  • From: domain: yourdomain.com
  • Result: ❌ Fails DMARC
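
The three alignment cases above, as an added example (not code from the original guide). Relaxed alignment compares organizational domains, which in practice requires the Public Suffix List; the small PUBLIC_SUFFIXES set and the function names here are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain):
    """Return the organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):                  # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])                  # fallback: last two labels


def spf_aligned(envelope_sender, from_header, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    env = parseaddr(envelope_sender)[1].rpartition("@")[2].lower()
    frm = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if not env or not frm:
        return False                              # nothing to compare
    if mode == "s":
        return env == frm
    return org_domain(env) == org_domain(frm)


if __name__ == "__main__":
    sender = "bounce@mail.yourdomain.com"
    print(spf_aligned(sender, "News <news@yourdomain.com>"))        # relaxed
    print(spf_aligned(sender, "News <news@yourdomain.com>", "s"))   # strict
```

The modes 'r' and 's' mirror the values of the aspf tag in a DMARC record.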

Troubleshooting Common Issues

Issue 1: Too Many DNS Lookups

Symptoms:

  • SPF validation fails
  • "too many DNS lookups" error
  • Lookup count exceeds 10

Solutions:

  1. Flatten includes to IP ranges (re-check them regularly, because providers change their ranges):

    # Instead of:
    include:_spf.google.com

    # Use (if service provides IP list):
    ip4:64.18.0.0/20 ip4:64.233.160.0/19 ...

  2. Remove unused services:

    • Audit which services actually send email
    • Remove includes for unused services
  3. Use subdomains:

    • Move some services to subdomains
    • Each subdomain has its own SPF record
  4. Use SPF flattening services:

    • Services like SPF Flattening can help
    • Convert includes to direct IP ranges

Issue 2: Permissive Policy

Symptoms:

  • Using +all or ?all
  • No protection against spoofing
  • DMARC warnings

Solutions:

  • Change to -all (fail) for production
  • Use ~all (softfail) only during testing
  • Never use +all in production

Issue 3: Missing Services

Symptoms:

  • Legitimate emails failing SPF
  • Emails going to spam
  • SPF failures in DMARC reports

Solutions:

  1. Identify failing sources from DMARC reports
  2. Add missing service includes
  3. Add IP addresses if needed
  4. Test after adding

Issue 4: Multiple SPF Records

Symptoms:

  • SPF validation errors
  • Unpredictable behavior
  • "multiple SPF records" warning

Solutions:

  1. Find all SPF records:
    dig TXT yourdomain.com | grep "v=spf1"
  2. Merge into single record
  3. Remove duplicate records
  4. Verify only one exists

Issue 5: Syntax Errors

Common Syntax Mistakes:

Wrong:

v=spf1 include:_spf.google.com include:sendgrid.net all

Correct:

v=spf1 include:_spf.google.com include:sendgrid.net -all

Common Errors:

  • Missing qualifier before all: a bare all defaults to +all and passes every sender (should be -all)
  • Extra spaces or line breaks
  • Missing v=spf1 version tag
  • Incorrect mechanism syntax
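
A check for the mistakes covered in Issues 2, 4 and 5, as an added example (not part of the original guide). It takes the TXT strings published at one name, as dig would return them; the function name and the wording of the findings are constructed for illustration.

```python
import re

KNOWN = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)([:/].*)?$", re.I)


def is_modifier(term):
    """True for name=value terms such as redirect= or exp=."""
    return "=" in term.split(":", 1)[0]


def lint_spf(txt_records):
    """Return a list of findings for the TXT strings found at one domain."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return ["no record starts with v=spf1"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published; receivers return permerror"]
    findings, terms, all_seen = [], spf[0].split()[1:], False
    for i, term in enumerate(terms):
        if is_modifier(term):
            continue
        m = TERM.match(term)
        if not m or m.group(2).lower() not in KNOWN:
            findings.append(f"unknown mechanism: {term}")
            continue
        qualifier, name = m.group(1) or "+", m.group(2).lower()
        if name != "all":
            continue
        all_seen = True
        if qualifier == "+":
            findings.append(f"'{term}' passes every sender (no qualifier means +)")
        elif qualifier == "?":
            findings.append("'?all' is neutral and gives no protection")
        elif qualifier == "~":
            findings.append("'~all' is softfail; move to -all after testing")
        if any(not is_modifier(t) for t in terms[i + 1:]):
            findings.append("mechanisms after 'all' are never evaluated")
    if not all_seen and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no 'all' or redirect=; unmatched senders get neutral")
    return findings
```

Run against the "Wrong" record above, it reports that the bare all passes every sender; the "Correct" record returns no findings.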

SPF and Email Providers

Google & Yahoo Requirements (2024)

Bulk senders (5,000+ emails/day):

  • ✅ SPF required (along with DKIM)
  • ✅ DMARC must pass (SPF alignment required)

All senders:

  • ✅ SPF or DKIM required
  • ✅ Valid SPF record recommended

Microsoft Outlook Requirements (2025)

Bulk senders:

  • ✅ SPF and DKIM required
  • ✅ DMARC policy required
  • ✅ SPF alignment with From: domain

Best Practices

1. Start with Monitoring

Begin with ~all (softfail) to monitor:

v=spf1 include:_spf.google.com ~all

Then move to -all after verifying all sources:

v=spf1 include:_spf.google.com -all

2. Document Your Sources

Keep a list of:

  • All sending services
  • Their SPF includes
  • IP addresses used
  • When services were added/removed

3. Regular Audits

Review SPF records quarterly:

  • Remove unused services
  • Add new services
  • Check lookup count
  • Verify alignment

4. Test Before Changes

  • Use SPF testing tools
  • Send test emails
  • Check DMARC reports
  • Monitor for failures

5. Use Subdomains for Complex Setups

If you have many services:

  • Use root domain for primary email
  • Use subdomains for marketing/transactional
  • Each subdomain has focused SPF record

SPF Record Examples by Use Case

Small Business (Google Workspace)

v=spf1 include:_spf.google.com -all

E-commerce (Google + Marketing + Transactional)

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all

Enterprise (Multiple Services)

v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net include:servers.mcsv.net include:spf.postmarkapp.com ip4:203.0.113.0/24 -all

Developer (API-Based Sending)

v=spf1 include:sendgrid.net include:spf.postmarkapp.com include:amazonses.com -all

Next Steps

After setting up SPF:

  1. Configure DKIM - Add email signatures
  2. Set Up DMARC - Configure DMARC policy
  3. Monitor SPF - Track validation status
  4. Set Up Alerts - Get notified of issues