How to Create and Implement an SPF Record for Email Security
If mail from your domain is landing in spam, getting rejected, or being abused in phishing campaigns, the first thing to check is your SPF record. SPF, or Sender Policy Framework, is a DNS-based email authentication method that tells receiving mail servers which systems are allowed to send email for your domain.
This guide shows you how to create SPF record entries correctly, how SPF works during delivery, and how to deploy it without breaking legitimate mail flow. You’ll also see how to avoid the most common errors, how to test what you publish, and why SPF should be paired with DKIM and DMARC for stronger protection.
SPF answers one question: “Is this server allowed to send mail for this domain?” It does not prove who wrote the message, but it does help receiving systems decide whether to trust the sender infrastructure.
What an SPF Record Is and How It Works
An SPF record is a DNS TXT record that publishes your domain’s email sending policy. In practical terms, it lists the servers, IP addresses, or third-party services that are authorized to send email on your behalf. When a recipient server receives a message, it checks the domain used in the envelope sender or return-path against that policy.
That distinction matters. The visible From address is what people see in their inbox, but SPF is evaluated against the domain used in the SMTP transaction. Those are often the same, but not always. Marketing platforms, help desk tools, and transactional email providers may send on your behalf using their own infrastructure while displaying your company’s name in the visible headers.
The basic SPF string starts with v=spf1 and then adds mechanisms such as include, ip4, mx, or all. The receiving system evaluates the policy at delivery time and returns a result such as pass, fail, soft fail, or neutral. That result can influence whether a message is accepted, quarantined, or flagged for review.
Note
SPF is only one layer of email authentication. For real protection against spoofing and impersonation, pair it with DKIM and DMARC so receivers can verify both the sending source and message integrity.
Microsoft documents how mailbox providers evaluate authentication results in message handling, and the same general model applies across major mail systems. For official background, see Microsoft Learn and the SPF specification in RFC 7208.
Why SPF Matters for Email Security and Deliverability
SPF matters because it makes domain spoofing harder. Without it, an attacker can send a message that appears to come from your domain, and the receiving server has less evidence that the sender is fake. With a properly built policy, the recipient can compare the sending IP or authorized service against your published DNS record and reject obvious abuse.
That security benefit also supports deliverability. Mailbox providers use authentication signals as part of their trust model. If your legitimate messages consistently pass SPF, that becomes one more indicator that your domain is being managed correctly. If your messages fail SPF, especially alongside missing DKIM or DMARC alignment, they are more likely to hit junk folders or be rejected outright.
There is also a reputation angle. A domain with clean authentication records is easier for major providers to trust over time. That matters for password resets, invoices, HR notifications, and any operational email that users need to receive without friction. When those messages fail, the issue is not just technical; it becomes a business problem quickly.
Good email authentication does not guarantee inbox placement, but poor authentication can absolutely hurt it.
For a broader view of threat trends, the Verizon Data Breach Investigations Report consistently shows phishing and credential abuse as persistent issues, which is why reducing spoofing matters operationally. For guidance on how message authentication fits into the larger control stack, NIST’s email and security guidance is a useful reference, including NIST CSRC materials on security controls and authentication.
Gathering the Information You Need Before You Build the Record
Before you add a SPF record, you need a complete inventory of every system that sends mail for your domain. This is where many configurations fail. IT knows about Microsoft 365 or Google Workspace, but marketing may also be using a campaign platform, the website may send contact form notifications, and finance may use another cloud application for invoices.
Start by listing every legitimate sender. Include internal mail servers, SaaS platforms, ticketing tools, CRM systems, HR portals, and transactional services. If one service sends password resets and another sends receipts, both may need to be included. If a vendor uses shared sending infrastructure, you will usually need an include mechanism rather than a direct IP address.
What to collect before publishing
- Source system name and business owner
- Sending domain or subdomain
- IP address if you control the server directly
- Vendor SPF instructions if the service is hosted externally
- Whether the service sends from the root domain or a subdomain
- Whether the sender changes frequently, which is common with SaaS platforms
If you use multiple email environments, map them carefully. A marketing platform might send from mail.example.com while your help desk uses support.example.com. A single SPF record on the root domain does not magically cover every subdomain unless you explicitly publish policies there or the service uses your domain in a way that requires alignment.
For DNS administration best practices, your registrar or DNS provider’s documentation is the first place to check. If you manage mail in Microsoft 365, review Microsoft’s SPF setup guidance. If you use Google Workspace, use the official domain authentication documentation from Google Workspace Admin Help.
Understanding SPF Syntax and Common Mechanisms
An SPF policy is compact, but each part has a specific purpose. The record begins with v=spf1, which tells receivers they are looking at SPF version 1. After that come one or more mechanisms that authorize sending sources. The record ends with an all mechanism that defines how to handle anything not explicitly allowed.
The most common mechanism is include. This says, “Trust the SPF policy published by another domain too.” It is the standard approach for services like email marketing platforms or SaaS tools that publish their own authorized sender lists. ip4 and ip6 authorize specific IPv4 or IPv6 addresses. Use these when you own the sending server and know the IP will remain stable.
The a mechanism authorizes the IP address found in the domain’s A record, while mx authorizes the mail servers listed in the domain’s MX record. Those can be convenient, but only use them if that matches how your mail flow actually works. Otherwise, you may authorize more than you intended.
SPF qualifiers that matter
- +pass is usually implicit and means the sender is authorized
- ~all means soft fail and is often used during testing
- -all means hard fail and tells receivers to reject unauthorized senders
- ?all means neutral and provides no strong policy signal
Most production setups eventually move toward -all once the sender inventory is stable and tested. During migration or cleanup, ~all is safer because it reduces the chance of blocking legitimate messages while you confirm every sender is listed. The official specification in RFC 7208 explains the syntax and evaluation model in detail.
How to Draft a Safe and Effective SPF Policy
The safest SPF policy is the one that matches your real email environment and nothing more. That sounds obvious, but it is easy to overbuild a record by copying examples from the internet. A bloated SPF record can create delivery problems, especially when you add services that do not actually send mail for your domain.
Start narrow. Add only the systems that truly send on your behalf. If a platform can send from a subdomain instead of your main domain, isolate it there. That keeps the root policy simpler and reduces risk. If you are still migrating systems, use a conservative policy such as ~all while you test, then move to -all after verification.
Think about change management too. Email environments shift often. Marketing subscriptions change, a new CRM gets deployed, or an old server is retired. Every one of those changes can break SPF if the DNS record is not updated at the same time.
Pro Tip
Document each SPF mechanism with the business reason for adding it. Six months later, that note can save hours when someone asks why a third-party domain is in your policy.
For policy and governance context, NIST guidance and the CISA cybersecurity resources are useful references for building practical, maintainable controls. The same principle applies here: keep the control aligned with real operations, not theoretical possibilities.
Step-by-Step Process for Creating the SPF Record in DNS
Once you know which systems send email, you can create SPF record entries in DNS. The process is straightforward, but one small syntax mistake can make the record fail. DNS does not forgive sloppy formatting.
Follow these steps
- Log in to your DNS host or registrar and open the DNS management page.
- Create a TXT record for the root domain or the specific subdomain that sends mail.
- Enter the SPF string exactly, including the version tag and all mechanisms.
- Save the record and wait for DNS propagation.
- Verify there is only one SPF TXT record for the same hostname.
A common example looks like this: v=spf1 include:_spf.google.com ~all. That says the domain authorizes Google Workspace sending infrastructure and uses a soft fail for everything else. If your environment includes another platform, you would add that vendor’s SPF policy as well, but only after confirming it is really needed.
Be careful with the record location. Some providers require the SPF record at the root domain, while others use a subdomain such as mail.example.com. If you publish the policy in the wrong place, receiving servers may never see it during SPF evaluation.
One domain, one SPF record. Multiple SPF TXT records at the same hostname often cause receivers to treat the policy as invalid or unpredictable.
For vendor-specific setup, always use the official guidance. See Google Workspace Admin Help, Microsoft Learn, and the DNS management documentation from your provider.
Examples of SPF Records for Common Email Setups
Below are practical examples you can adapt after confirming your actual senders. The goal is not to copy these blindly. The goal is to understand the pattern and then match it to your environment.
Single-service setup
If your domain sends only through Google Workspace, a simple starting record might be:
v=spf1 include:_spf.google.com ~all
This is common for organizations with no other outbound email systems. It authorizes Google’s published sending infrastructure and soft fails anything else until you are ready to enforce a stricter policy.
Multiple services, such as Google Workspace plus Mailchimp
If you use Google Workspace for employee mail and a marketing platform for newsletters, your record may need to include both authorized senders. A typical pattern would look like:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
That structure allows both services to send mail on your behalf. This is the kind of situation where people search for how to add mailchimp to SPF, but the right answer is always to use the exact SPF instructions published by the vendor.
Custom mail server with a static IP
If you operate your own mail server and know the public IP address, use the ip4 mechanism:
v=spf1 ip4:203.0.113.10 -all
This is stricter because it hard fails any sender that is not that specific IP. It works well when you control the infrastructure and have stable network addresses.
| SPF Pattern | Best Use Case |
include: |
SaaS email platforms with their own published SPF policy |
ip4: |
Fixed IPv4 address for a controlled mail server |
mx |
Mail servers listed in the domain’s MX record |
~all or -all |
Soft fail during testing or hard fail for enforcement |
For authoritative vendor guidance, always check the service provider’s own documentation before publishing. That is the only reliable way to avoid subtle mistakes in forwarding rules, shared infrastructure, or region-specific sender pools.
Testing and Validating Your SPF Record
Testing is where a lot of SPF work gets either confirmed or exposed. After you publish the record, verify that DNS is returning the right value and that the syntax is valid. A record can look correct in your DNS console and still fail due to formatting, duplication, or an extra character.
Ways to validate your record
- Use DNS lookup tools to confirm the TXT record is visible publicly
- Inspect the raw message headers of a test email to view SPF results
- Send messages to major providers and compare how they evaluate authentication
- Check for syntax errors, including misplaced spaces or invalid mechanisms
On a Linux or macOS terminal, you can use dig TXT example.com to confirm the record published in DNS. On Windows, nslookup -type=txt example.com can provide a quick check. These tools do not validate business intent, but they do confirm whether the DNS answer is present and formatted in a way resolvers can read.
Then send a test message and inspect the headers. Look for the SPF authentication result and the evaluated sender domain. If the result is pass, the sender matched the published policy. If it is soft fail or fail, something in the path does not line up with your record.
Key Takeaway
Always test after publishing and again after any sender change. A clean SPF record today can become stale the next time a vendor changes IPs or a new platform starts sending mail.
For message handling behavior and mailbox provider expectations, see official resources from Microsoft Learn and the email authentication guidance from your mail provider. For independent standards context, RFC 7208 remains the core technical reference.
Common SPF Mistakes and How to Avoid Them
Most SPF failures come from a short list of avoidable problems. The first is publishing more than one SPF record for the same hostname. SPF expects a single policy record per domain, and duplicate records can trigger validation failures or undefined behavior.
The second issue is the SPF lookup limit. Every include, a, mx, or related mechanism can cause DNS lookups, and SPF has a strict limit on how many lookups a receiver should perform. If the record becomes too complex, authentication can fail even if each individual piece looks valid. This is a common problem for organizations that add service after service without pruning old entries.
Other mistakes that cause problems
- Typos in included domains
- Wrong IP formatting in
ip4orip6 - Authorizing services that never send mail
- Using the wrong hostname when the sender is actually a subdomain
- Forgetting to remove old services after a migration
Another frequent mistake is assuming SPF alone can solve all email authentication issues. It cannot. Forwarding can break SPF because the forwarding server may not be authorized by the original domain. In those cases, DKIM and DMARC become even more important because they add authentication and policy layers that SPF cannot provide by itself.
For best-practice guidance on email authentication and message handling, consult the official documentation for your email platform and the standards source at RFC Editor. If you want broader security control context, the NIST CSRC library remains a strong reference point for policy-driven technical controls.
SPF Limitations and Best Practices for Stronger Email Authentication
SPF authenticates the sending server, not the message content and not necessarily the visible From address alone. That means it is valuable, but incomplete. Attackers can still exploit brand impersonation in ways SPF does not fully solve, especially when using lookalike domains or compromised accounts.
Forwarding is another weak point. If a message passes through an intermediate mail system, the forwarding server’s IP may not be authorized by the original SPF policy. That can produce a fail even when the message is legitimate. This is one reason organizations combine SPF with DKIM and DMARC. DKIM adds a cryptographic signature to the message, while DMARC ties authentication results to the visible From domain and defines how receivers should treat failures.
Best practice is to keep SPF simple, documented, and aligned with real sender behavior. If the record becomes too long or opaque, maintenance suffers and mistakes multiply. A shorter, well-managed policy is usually better than a highly engineered one that nobody wants to touch.
SPF is foundational, not final. If you stop at SPF, you are reducing risk, but you are not building a complete email authentication strategy.
For a standards-based perspective on email protection, review DMARC.org for implementation concepts, and cross-check with your mail provider’s official documentation. If your organization operates in regulated environments, align your email controls with broader policy frameworks such as NIST guidance and internal governance requirements.
Maintenance, Monitoring, and Ongoing SPF Management
SPF is not a set-it-and-forget-it record. The biggest long-term risk is drift. A vendor changes infrastructure, someone starts using a new platform, or a retired system remains listed long after it has been shut down. The record still exists, but it no longer reflects reality.
Build a recurring review into your administration process. Quarterly is a sensible baseline for most organizations, and monthly may be better if your marketing or cloud app stack changes often. During the review, compare the SPF record against the actual sender inventory and remove anything that is no longer needed.
What to monitor over time
- Authentication failures in mailbox provider reports
- Delivery complaints from users and support teams
- New SaaS platforms that send mail without IT review
- Vendor infrastructure changes that require SPF updates
- Unused authorizations that should be removed
Coordinate among IT, marketing, operations, and security so nobody introduces an unapproved sender. A new CRM trial, a forgotten ticketing tool, or a developer test server can all create outbound mail surprises. The more distributed your tooling is, the more important ownership and change control become.
If you want a disciplined operational model, treat SPF like a living DNS policy. Document the owner, purpose, last review date, and the reason each mechanism exists. That makes audits easier and reduces the chance of a future outage caused by stale policy data. For security governance and workforce alignment, resources from NIST and the Cybersecurity and Infrastructure Security Agency are good references for control maintenance discipline.
Conclusion
To create SPF record entries that actually help, you need more than a syntax string. You need an accurate sender inventory, a policy that matches reality, clean DNS publishing, and a maintenance process that keeps the record current.
The workflow is simple when you break it down: inventory your senders, choose the right mechanisms, publish the TXT record, test it, and review it regularly. If you are wondering what is SPF in practical terms, the answer is straightforward: it is one of the simplest ways to reduce spoofing and improve trust in your outbound mail.
Do not stop at SPF alone. Use it alongside DKIM and DMARC so receiving systems have more than one signal to evaluate. That layered approach is what gives legitimate mail a better chance of reaching the inbox while making unauthorized mail harder to pass off as yours.
If you are implementing email SPF for the first time, start small and verify every sender before you enforce a hard fail. If you already have a record, audit it now. Stale email authentication settings are a common cause of delivery problems, and they are usually easy to fix once you know where to look.
Bottom line: a correct SPF record helps legitimate mail get delivered and unauthorized mail get challenged. That is a low-effort, high-value control worth keeping current.
Microsoft® is a registered trademark of Microsoft Corporation. Google® is a registered trademark of Google LLC.