To set up SPF, add a TXT record to your domain's DNS with the value: v=spf1 include:_spf.google.com ~all (replace with your ESP's include). The record must list every service that sends email for your domain. Start with your primary email provider, add any third-party senders, and end with ~all or -all. Verify with dig or an online tool.
How to Set Up SPF Records: Step-by-Step Guide
What You Need Before Starting
Before you create an SPF record, you need to know every service that sends email using your domain:
- Primary email provider — Google Workspace, Microsoft 365, Zoho, etc.
- Marketing platforms — Mailchimp, Klaviyo, ActiveCampaign, etc.
- Transactional email services — SendGrid, Postmark, Mailgun, AWS SES, etc.
- CRM systems — HubSpot, Salesforce, etc.
- Other senders — Helpdesks, invoicing systems, booking tools
Make a complete list. Missing even one sender means their emails may fail SPF authentication.
Step 1: Find Your ESP's SPF Include Statement
Each email service has a specific include statement. Here are the common ones:
| Service | SPF Include |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailgun | include:mailgun.org |
| Postmark | include:spf.mtasv.net |
| Mailchimp | include:servers.mcsv.net |
| Klaviyo | include:_spf.klaviyo.com |
| AWS SES | include:amazonses.com |
| HubSpot | include:_spf.hubspot.com |
Check your ESP's documentation for the exact include statement—these occasionally change.
Step 2: Build Your SPF Record
Combine all your senders into a single record:
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ~all
The structure is:
- v=spf1 — Required version tag, must come first
- include:domain — One per sending service
- ~all or -all — What to do with mail from unlisted sources

Practitioner note: I always start clients with ~all (softfail) rather than -all (hardfail). It's much easier to discover missing senders when their mail still gets delivered but marked suspicious, rather than outright rejected.
Step 3: Add the TXT Record to DNS
- Log into your DNS provider (Cloudflare, GoDaddy, Namecheap, Route 53, etc.)
- Navigate to DNS management for your domain
- Add a new TXT record:
  - Host/Name: @ or leave blank (this means root domain)
  - Type: TXT
  - Value: Your SPF string
  - TTL: 3600 (1 hour) or use default
Don't use the SPF record type even if your DNS provider offers it—the SPF record type is deprecated. Always use TXT.
Step 4: Verify Your SPF Record
Wait 15-30 minutes for DNS propagation, then verify:
Using dig (command line):
dig TXT yourdomain.com +short
Using nslookup (Windows):
nslookup -type=TXT yourdomain.com
Online tools:
- MXToolbox SPF Record Lookup
- Google Admin Toolbox Check MX
You should see your SPF record in the output. If it's not there, check your DNS provider—some take longer to propagate.
Step 5: Test SPF Authentication
Send a test email to a Gmail account, then check the headers:
- Open the email in Gmail
- Click the three dots → "Show original"
- Look for the SPF line in the authentication results
You should see:
spf=pass (google.com: domain of [email protected] designates xxx.xxx.xxx.xxx as permitted sender)
If you see spf=softfail or spf=fail, your record is missing the sender's include statement.
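The header check from Step 5 can be scripted when you have one test message per sending service. This is an added example, not code from the original guide: the function names and sample headers are constructed, and the softfail comment wording is an assumption modeled on the pass line shown above.

```python
import re
from email import message_from_string
from email.policy import default

SPF_RESULT = re.compile(r"\bspf=(\w+)", re.I)
MAILFROM = re.compile(r"smtp\.mailfrom=([^\s;]+)", re.I)
SENDING_IP = re.compile(r"designates?\s+(\S+)\s+as permitted sender", re.I)


def spf_verdict(raw_message):
    """Return the SPF result, envelope sender and sending IP from raw message headers."""
    msg = message_from_string(raw_message, policy=default)
    for header in msg.get_all("Authentication-Results", []):
        value = " ".join(str(header).split())  # collapse folded continuation lines
        result = SPF_RESULT.search(value)
        if result:
            mailfrom = MAILFROM.search(value)
            ip = SENDING_IP.search(value)
            return {"result": result.group(1).lower(),
                    "mailfrom": mailfrom.group(1) if mailfrom else None,
                    "ip": ip.group(1) if ip else None}
    return {"result": "none", "mailfrom": None, "ip": None}


def senders_missing_from_spf(test_messages):
    """Map each service whose test mail got softfail/fail to the IP it sent from."""
    missing = {}
    for service, raw in test_messages.items():
        verdict = spf_verdict(raw)
        if verdict["result"] in ("softfail", "fail"):
            missing[service] = verdict["ip"]
    return missing


# Constructed "Show original" headers, one test message per sending service.
TEST_MESSAGES = {
    "workspace": "Authentication-Results: mx.google.com;\n"
                 "       spf=pass (google.com: domain of test@example.com designates\n"
                 " 192.0.2.10 as permitted sender) smtp.mailfrom=test@example.com\n"
                 "Subject: SPF test\n\nbody\n",
    "crm": "Authentication-Results: mx.google.com;\n"
           "       spf=softfail (google.com: domain of transitioning test@example.com does not\n"
           " designate 203.0.113.7 as permitted sender) smtp.mailfrom=test@example.com\n"
           "Subject: SPF test\n\nbody\n",
}
```

The IP reported for a failing service tells you which sender's include statement is absent from the record.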
Common Setup Mistakes
Multiple SPF records: You can only have one. If you see two TXT records starting with v=spf1, delete one and merge them.
Forgetting a sender: That CRM your sales team uses? The booking system for appointments? These all need to be included.
Wrong syntax: No spaces around colons. It's include:sendgrid.net not include: sendgrid.net or include :sendgrid.net.
Hitting the 10 lookup limit: Each include counts as at least one DNS lookup. If you have too many senders, you'll hit the limit and SPF fails. See our SPF 10 DNS lookup limit guide for solutions.
Practitioner note: The most common issue I see is agencies adding an SPF record for their new ESP while forgetting the old one still exists. Run a TXT lookup before adding anything new—you might already have an SPF record that needs updating, not replacing.
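The mistakes in this section can be checked mechanically against the output of a TXT lookup. This is an added example, not code from the original guide: the function names, finding codes and the `.example` nested records are constructed, and `zone` is an offline stand-in for what each include would resolve to in DNS.

```python
import re

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def spf_records(txt_values):
    """Pick the SPF records out of a domain's TXT strings (dig +short quotes them)."""
    cleaned = [t.strip().strip('"') for t in txt_values]
    return [t for t in cleaned if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(record, zone, path=()):
    """Count lookup terms, following include/redirect targets present in `zone`."""
    total = 0
    for term in record.split()[1:]:
        bare = term.lstrip("+-~?").lower()
        name = re.split(r"[:=/]", bare, maxsplit=1)[0]
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        target = re.split(r"[:=]", bare, maxsplit=1)[-1]
        if name in ("include", "redirect") and target in zone and target not in path:
            total += count_lookups(zone[target], zone, path + (target,))
    return total

def lint_spf(txt_values, zone=None):
    """Return finding codes for the setup mistakes listed in this section."""
    records = spf_records(txt_values)
    if not records:
        return ["no-spf-record"]
    findings = ["multiple-spf-records"] if len(records) > 1 else []
    for rec in records:
        terms = rec.split()
        if any(re.fullmatch(r"[+\-~?]?\w+:|:\S+", t) for t in terms[1:]):
            findings.append("space-around-colon")  # e.g. "include: sendgrid.net"
        has_redirect = any(t.lower().startswith("redirect=") for t in terms)
        if terms[-1].lstrip("+-~?").lower() != "all" and not has_redirect:
            findings.append("no-final-all")
        if count_lookups(rec, zone or {}) > MAX_LOOKUPS:
            findings.append("too-many-lookups")
    return findings

# Constructed sample: nested records stand in for what the includes would resolve to.
HEAVY = ['"v=spf1 mx include:esp1.example include:esp2.example include:esp3.example ~all"']
ZONE = {
    "esp1.example": "v=spf1 include:a.esp1.example include:b.esp1.example include:c.esp1.example ~all",
    "esp2.example": "v=spf1 a mx include:a.esp2.example ~all",
    "esp3.example": "v=spf1 exists:%{i}.allow.esp3.example ip4:192.0.2.0/24 ~all",
}
```

Without a `zone`, only the top-level terms are counted, so the lookup total is a lower bound on what a receiver will spend.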
Verifying Changes Worked
After any SPF modification:
- Wait for DNS propagation (check with dig or online tool)
- Send test emails from every sending service
- Check authentication headers on received emails
- Monitor for bounces or delivery issues over the next 24-48 hours
For help with the 10 DNS lookup limit, see our dedicated guide. If you use multiple ESPs, see SPF, DKIM, DMARC for multiple senders. For the complete authentication overview, see the email authentication guide. If you need help combining multiple senders into a single SPF record that stays under the lookup limit, schedule a consultation—I'll audit your sending infrastructure and build a clean SPF configuration.
v1.0 · March 2026
Frequently Asked Questions
What should my SPF record look like?
A basic SPF record looks like: v=spf1 include:_spf.google.com include:sendgrid.net ~all. Start with v=spf1, add include statements for each email sender, and end with ~all (softfail) or -all (hardfail).
Where do I add the SPF record in DNS?
Add a TXT record at your root domain (@ or blank host). The value is your SPF string. Most DNS providers have a specific field for TXT records. Don't create an SPF record type—use TXT.
How long does SPF take to propagate?
DNS propagation typically takes 15 minutes to 4 hours, depending on your TTL settings. Some DNS providers propagate faster than others. Use dig or an online tool to check if your record is live.
Can I have multiple SPF records?
No. You can only have one SPF record per domain. Multiple SPF records cause a permerror and authentication fails. If you have multiple senders, combine them into a single record with multiple include statements.
Should I use ~all or -all?
Use ~all (softfail) during testing and when you first set up SPF. Move to -all (hardfail) once you've confirmed all legitimate senders are included. ~all marks failures as suspicious; -all tells receivers to reject them.