SPF Records: Protect Your Domain from Email Spoofing

SPF (Sender Policy Framework) is an email authentication standard that helps prevent spammers from sending email that claims to come from your domain. Learn how to set it up correctly to improve your email deliverability.

TL;DR

  • SPF specifies which mail servers are authorized to send email from your domain
  • Setup requires adding a single TXT record to your DNS
  • SPF is required by Gmail, Outlook, and other major email providers
  • Common mistakes: too many DNS lookups, missing servers, conflicting records
  • Works with DKIM and DMARC for complete email authentication

What is SPF?

SPF (Sender Policy Framework) is like a bouncer for your email domain. It tells receiving email servers which IP addresses and servers are allowed to send email on behalf of your domain.

When an email is received, the receiving server checks the SPF record in your DNS to verify that the sender is authorized. If the IP address isn't listed in your SPF record, the email may be rejected or marked as spam.

Why SPF is Critical

Without SPF, anyone can forge emails that appear to come from your domain. This leads to:

  • Phishing attacks using your domain
  • Damaged reputation when spammers abuse your domain
  • Delivery issues as providers like Gmail and Outlook require SPF
  • Email spoofing that damages trust with your recipients

How to Setup SPF

Step 1: Identify Your Email Senders

First, list all services that send email from your domain:

  • Your email provider (Google Workspace, Microsoft 365, etc.)
  • Email marketing tools (Mailchimp, SendGrid, etc.)
  • Your website server (for contact forms, notifications)
  • CRM or support systems (Salesforce, Zendesk, etc.)
  • Bulk email tools like ListMailer (via SMTP connections)

Step 2: Create Your SPF Record

An SPF record is a TXT record in your DNS that starts with v=spf1. Here's a basic example:

v=spf1 include:_spf.google.com include:amazonses.com ~all

Let's break this down:

  • v=spf1 - Version identifier (always required)
  • include:_spf.google.com - Allow Google's mail servers
  • include:amazonses.com - Allow AWS SES servers
  • ~all - Soft fail for everything else (mark as suspicious)

Step 3: Add the SPF Record to DNS

  1. Log in to your DNS provider (Cloudflare, GoDaddy, etc.)
  2. Navigate to DNS management
  3. Add a new TXT record
  4. Leave the name field blank or enter "@" (for the root domain)
  5. Paste your SPF record in the value field
  6. Save the changes

Important: Only have ONE SPF record per domain. Multiple SPF records will break email authentication.

SPF Syntax and Mechanisms

Common SPF mechanisms:

  • ip4:192.0.2.0 - Allow specific IPv4 address
  • ip6:2001:db8:: - Allow specific IPv6 address
  • a - Allow IP addresses in the domain's A record
  • mx - Allow the domain's MX servers
  • include:domain.com - Include another domain's SPF record

Qualifiers (what happens if a mechanism matches):

  • + - Pass (default, can be omitted)
  • - - Fail (reject the email)
  • ~ - Soft fail (mark as suspicious)
  • ? - Neutral (no policy)

Common SPF Mistakes

1. Too Many DNS Lookups

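SPF evaluation is limited to 10 DNS lookups per check. Each include: counts as a lookup, and so do the a and mx mechanisms and any includes nested inside an included record. If you exceed the limit, the check returns a permanent error and SPF fails entirely.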

Solution: Minimize includes. Use IP addresses directly when possible, or use SPF flattening tools.

2. Multiple SPF Records

Having more than one SPF TXT record breaks SPF validation.

Solution: Combine all your mechanisms into a single SPF record.

3. Forgetting Services

Legitimate emails fail SPF if you forget to include a service that sends on your behalf.

Solution: Audit all email-sending services and update your SPF record accordingly.
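
The three mistakes above can be checked mechanically. The following is an added example, not ListMailer's code or part of the original guide: a small offline auditor run over a constructed zone (the .example names, the ZONE dictionary and the function names are all assumptions). It counts the lookup terms defined in RFC 7208 (include, a, mx, exists, ptr and redirect) and follows nested includes, so the total is the worst case for the record.

```python
import re
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}  # RFC 7208, 4.6.4
LIMIT = 10

def spf_records(domain, zone):
    """TXT strings at `domain` that begin with the v=spf1 version tag."""
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def parse(term):
    """Split one term into (name, target), dropping the qualifier and any CIDR suffix."""
    m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
    return (m.group(1), m.group(2)) if m else ("", None)

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following include:/redirect= targets."""
    recs = spf_records(domain, zone)
    if domain in path or len(recs) != 1:  # loop guard; unresolved target adds nothing more
        return 0
    total = 0
    for name, target in map(parse, recs[0].split()[1:]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone, expected_includes=()):
    """Findings for the three mistakes: duplicate records, lookup limit, forgotten senders."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return ["%d SPF records found, exactly 1 required" % len(recs)]
    n = count_lookups(domain, zone)
    findings = ["%d DNS lookups, limit is %d" % (n, LIMIT)] if n > LIMIT else []
    present = {t for name, t in map(parse, recs[0].split()[1:]) if name == "include"}
    return findings + ["missing include:%s" % i for i in expected_includes if i not in present]

# Constructed zone (hypothetical .example names, not real DNS data): domain -> TXT strings
ZONE = {
    "ok.example": ["v=spf1 include:_spf.p1.example ip4:192.0.2.0/24 ~all", "verify=constructed"],
    "dup.example": ["v=spf1 include:_spf.p1.example ~all", "v=spf1 include:_spf.p2.example ~all"],
    "deep.example": ["v=spf1 mx include:_spf.p1.example include:_spf.p2.example include:_spf.p3.example ~all"],
}
for p in ("p1", "p2", "p3"):  # each provider record nests three more includes
    ZONE["_spf.%s.example" % p] = ["v=spf1 " + " ".join("include:%s.%s.example" % (s, p) for s in "abc") + " ~all"]
    for s in "abc":
        ZONE["%s.%s.example" % (s, p)] = ["v=spf1 ip4:198.51.100.0/24 ~all"]
print({d: audit(d, ZONE) for d in ("ok.example", "dup.example", "deep.example")})
```

To audit a live domain, fill the dictionary with the TXT answers your resolver returns for the domain and for every include target.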

SPF for Bulk Email

When using ListMailer or other bulk email tools via SMTP:

  • Include the SPF record of your SMTP provider (Gmail, AWS SES, etc.)
  • ListMailer sends through YOUR SMTP connection, so your provider's SPF applies
  • Example for AWS SES: include:amazonses.com
  • Example for Google Workspace: include:_spf.google.com

Testing Your SPF Record

  1. Use online validators like MXToolbox SPF Lookup
  2. Send a test email and check the headers for "SPF=pass"
  3. Use ListMailer's built-in deliverability test tool
  4. Monitor DMARC reports to catch SPF failures

Example SPF Records

Google Workspace only:

v=spf1 include:_spf.google.com ~all

Google Workspace + AWS SES:

v=spf1 include:_spf.google.com include:amazonses.com ~all

Multiple services:

v=spf1 include:_spf.google.com include:amazonses.com include:sendgrid.net ~all
