The idea
Your domain probably sends email from more places than you think. Your mailbox provider, your newsletter tool, your invoicing system, your booking platform. SPF is the list that says which of them are yours.
It lives in a TXT record on your domain. When a message arrives claiming to be from you, the receiving inbox looks up that record and compares it to the server the message really came from. If the server is not on the list, the message is treated as suspect.
SPF is one of the three email records that work together. DKIM signs your messages so they cannot be tampered with, and DMARC decides what an inbox should do when the checks fail.
What it looks like
An SPF record is a single line starting with v=spf1, followed by the senders you allow, followed by one instruction about everything else.
Name: @
Type: TXT
Value: v=spf1 include:_spf.google.com include:sendgrid.net ~allEnter the name as @ or leave it blank for the root of your domain, depending on your DNS host. Route 53 wants the fully qualified name instead.
One record. Only ever one.
This is the rule people break most often, and it is worth saying plainly. A domain may have exactly one SPF record. Two records is not "extra coverage". It is a permerror, a hard failure, and it means your SPF is effectively broken for every message you send.
It happens easily. You add Google Workspace, then months later a newsletter tool tells you to "add this TXT record", and now there are two. The fix is to merge them into one line with several include: mechanisms and a single all at the end.
The 10 lookup limit
SPF has a budget. Evaluating a record is allowed to trigger at most ten DNS lookups, and going over is another permerror. Not everything costs a lookup, which is what makes this survivable.
- →These cost a lookup: include, a, mx, exists and redirect. They also nest, so an include you added may quietly spend several of your ten inside someone else's record.
- →These are free: ip4, ip6 and all. Listing a server by its IP address costs you nothing from the budget.
- →The practical consequence: you cannot just keep bolting on includes forever. Every vendor you add spends part of a shared budget you cannot see.
Softfail or fail: an honest disagreement
The last part of the record says what to do about servers that are not on your list. ~all is softfail, meaning "probably not authorised". -all is fail, meaning "not authorised".
Reasonable people disagree here, and we would rather tell you that than pretend there is one answer. Google recommends ~all for Workspace. Microsoft recommends -all for Microsoft 365. Both are defensible.
Our suggestion: start with ~all while you confirm every legitimate sender is passing, then tighten to -all once you are confident. Tightening a record you understand is easy. Debugging bounced invoices is not.
Three things people miss
These come up constantly and none of them are obvious.
- →Subdomains are not covered. Your record at example.com does nothing for mail.example.com. If a subdomain sends email, it needs its own record.
- →Parked domains still need one. A domain you own but never send from should publish v=spf1 -all. That single line tells the world nothing legitimate ever comes from it.
- →Some vendors no longer want an include at all. The trend is toward CNAME delegated Return-Path subdomains instead. SendGrid's Automated Security is on by default and uses that method, so adding include:sendgrid.net is only correct when Automated Security is switched off. Always check what your sender asks for today rather than copying a guide.
Confirmed examples
Two records we can vouch for, if these are your only senders:
Google Workspace: v=spf1 include:_spf.google.com ~all
Microsoft 365: v=spf1 include:spf.protection.outlook.com -all
Parked domain: v=spf1 -allSending from both? Merge them into one record with both includes and one terminal all. Never publish two.
Checking yours
The quickest way to know where you stand is to look. Our free check reads your domain's records and tells you whether you have one SPF record, none, or the duplicate that quietly breaks everything.
We have step by step instructions for every major platform, including the ones that will not let you.
See how to add SPF on your platform