How to Set Up SPF

Step-by-step guide to creating your first SPF record.

SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and services are allowed to send email for your domain. This guide walks you through creating an SPF record from scratch.

Time required: 10-15 minutes
Prerequisites: Access to your DNS provider

Step 1: Identify Your Email Services

First, make a list of all services that send email as your domain. Common examples include:

Service Type           Examples
Email hosting          Google Workspace, Microsoft 365, Zoho
Marketing email        Mailchimp, HubSpot, Constant Contact
Transactional email    SendGrid, Mailgun, Amazon SES, Postmark
CRM/Sales tools        Salesforce, Freshdesk, Zendesk
Custom servers         Your own mail server IPs

Step 2: Get SPF Include Statements

Each email service has a specific SPF include statement. Here are the most common ones:

# Email Hosting
Google Workspace:    include:_spf.google.com
Microsoft 365:       include:spf.protection.outlook.com
Zoho:                include:zoho.com

# Marketing Email
Mailchimp:           include:servers.mcsv.net
HubSpot:             include:spf.hubspot.com
Constant Contact:    include:spf.constantcontact.com

# Transactional Email
SendGrid:            include:sendgrid.net
Mailgun:             include:mailgun.org
Amazon SES:          include:amazonses.com
Postmark:            include:spf.mtasv.net

# CRM/Support
Salesforce:          include:_spf.salesforce.com
Zendesk:             include:mail.zendesk.com
Freshdesk:           include:email.freshdesk.com
Intercom:            include:mail.intercom.io

Step 3: Build Your SPF Record

Combine your includes into a single SPF record. Here's the format:

v=spf1 [include statements] [ip addresses] -all

Example for a company using Google Workspace and Mailchimp:

v=spf1 include:_spf.google.com include:servers.mcsv.net -all

Example with Microsoft 365, SendGrid, and a custom server:

v=spf1 include:spf.protection.outlook.com include:sendgrid.net ip4:203.0.113.50 -all

Step 4: Add the DNS Record

  1. Log into your DNS provider (Cloudflare, Route 53, GoDaddy, etc.)
  2. Navigate to DNS settings for your domain
  3. Create a new TXT record with these settings:
    Name: @ (or leave blank for root domain)
    Type: TXT
    Value: v=spf1 include:_spf.google.com include:servers.mcsv.net -all
    TTL: 3600 (or 1 hour)
  4. Save the record

Step 5: Verify Your SPF Record

Wait a few minutes for DNS propagation, then verify your record:

# Using dig
dig TXT example.com +short

# Or use MimeProtect's scanner
https://mimeprotect.io/test

Watch for the 10 Lookup Limit

SPF has a limit of 10 DNS lookups. Each include: counts as a lookup. If you exceed this limit, SPF will fail. Our scanner shows you how many lookups you're using.

Common Mistakes to Avoid

Multiple SPF records

You can only have ONE SPF record. Combine all includes into a single record.

Using +all

Never use +all—it allows anyone to spoof your domain. Use -all (hard fail).

Forgetting a service

If you forget to include a service, their emails will fail SPF. Audit all email-sending services.
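The lookup limit and the first two mistakes above can be checked mechanically. The sketch below is an added example, not MimeProtect's scanner: it lints records held in a constructed ZONE dictionary that stands in for DNS TXT answers, and the function names are hypothetical. It counts lookups the way RFC 7208 does, so a, mx, ptr, exists and redirect= terms count alongside include:, as do the terms inside included records.

```python
# Added example: offline SPF linter. ZONE is constructed sample data standing
# in for DNS TXT answers; these are not real provider records.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # RFC 7208, section 4.6.4
LIMIT = 10

ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:news.example mx -all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "news.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "dup.example": ["v=spf1 include:news.example -all", "v=spf1 mx +all"],
}

def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records (first term is v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, stack=frozenset()):
    """Count DNS-querying terms, descending into include: and redirect= targets."""
    records = spf_records(domain, zone)
    if domain in stack or len(records) != 1:  # loop, missing or ambiguous record
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], zone, stack | {domain})
            continue
        name, _, target = term.partition(":")
        if name.split("/")[0] in LOOKUP_TERMS:  # "a/24" and "mx:host" still count
            total += 1
            if name == "include":
                total += count_lookups(target, zone, stack | {domain})
    return total

def lint(domain, zone):
    """Return findings for the mistakes listed in this guide."""
    records = spf_records(domain, zone)
    if not records:
        return ["no SPF record"]
    findings = ["multiple SPF records"] if len(records) > 1 else []
    for terms in (r.lower().split() for r in records):
        if "+all" in terms or "all" in terms:  # a bare "all" means "+all"
            findings.append("+all lets any host pass")
        elif "-all" not in terms:
            findings.append("no -all")
    lookups = count_lookups(domain, zone)
    if lookups > LIMIT:
        findings.append(f"{lookups} DNS lookups, limit is {LIMIT}")
    return findings
```

To run it against a live domain, fill the dictionary from the output of dig TXT for the domain and for each include target.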

Checklist

Listed all email-sending services
Created single SPF record with all includes
Using -all (not ~all or +all)
Verified record resolves correctly
Under 10 DNS lookups

Next Steps

Now that SPF is configured, continue with: