SPF Record Setup Guide — Step-by-Step for 2026

What Is SPF and Why It Still Matters in 2026

Sender Policy Framework (SPF) is a DNS-based email authentication protocol that specifies which mail servers are authorized to send email on behalf of your domain. Despite being one of the oldest email authentication standards, SPF remains a critical component of the email security triad — alongside DKIM and DMARC — that determines whether your messages reach the inbox or get flagged as spam.

In 2026, SPF record setup is more important than ever. With Google and Yahoo’s bulk sender requirements now fully enforced, Microsoft’s expanded authentication checks, and the ongoing rise in domain spoofing attacks, a properly configured SPF record is non-negotiable for any organization sending email at scale.

This guide walks you through complete SPF configuration — from understanding the syntax to deploying records for major email providers — with practical examples you can implement today.

SPF Record Syntax: Anatomy of a Record

An SPF record is published as a DNS TXT record on your domain. Every SPF record follows a specific structure:

v=spf1 [mechanisms] [qualifier]all

Let’s break down each component:

The Version Tag

Every SPF record must begin with v=spf1. This identifies the TXT record as an SPF record. There is no “v=spf2” — the version has remained at 1 since the protocol’s inception in RFC 7208.

Basic Record Structure Example

v=spf1 ip4:192.168.1.0/24 include:_spf.google.com -all

This record authorizes:

• Any IP in the 192.168.1.0/24 range
• Any server authorized by Google’s SPF record
• Fails all other sources (hard fail via -all)

SPF Mechanisms Explained

Mechanisms are the core directives that define which servers are permitted to send mail. Here’s every mechanism you need to know:

ip4 — IPv4 Address or Range

Authorizes a specific IPv4 address or CIDR range.

v=spf1 ip4:203.0.113.50 ip4:198.51.100.0/24 -all

Use this when you know the exact IP addresses of your mail servers. This is the most precise mechanism and doesn’t consume a DNS lookup.

ip6 — IPv6 Address or Range

Authorizes a specific IPv6 address or range.

v=spf1 ip6:2001:db8::1 ip6:2001:db8::/32 -all

With IPv6 adoption continuing to grow in 2026, always include ip6 mechanisms if your infrastructure supports dual-stack mail delivery.

include — Reference Another Domain’s SPF

Delegates authorization to another domain’s SPF record. This is the mechanism you’ll use most frequently when authorizing third-party email services.

v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all

Important: Each include consumes at least one DNS lookup, and the included domain’s own lookups count against your 10-lookup limit.

a — Domain’s A Record

Authorizes the IP address(es) in the domain’s A record to send mail.

v=spf1 a -all

This means “the same server that hosts my website is allowed to send email.” You can also reference another domain: a:mail.example.com.

mx — Domain’s MX Records

Authorizes the IP addresses of all servers listed in the domain’s MX records.

v=spf1 mx -all

This says “any server that receives mail for my domain is also allowed to send mail.” Each unique MX hostname consumes a DNS lookup.

exists — Macro-Based Existence Check

An advanced mechanism that checks whether a specific DNS A record exists. Used primarily for per-user SPF policies and advanced configurations.

v=spf1 exists:%{i}._spf.example.com -all

redirect — Replace With Another Record

Not technically a mechanism but a modifier — redirect points the entire SPF evaluation to another domain’s record. Unlike include, it completely replaces evaluation rather than adding to it.

v=spf1 redirect=_spf.example.com

SPF Qualifiers: Pass, Fail, SoftFail, Neutral

Qualifiers prefix mechanisms and define what happens when a mechanism matches. There are four qualifiers:

Qualifier	Symbol	Meaning	Recommendation
Pass	+	Authorized (default if omitted)	Implicit — rarely written explicitly
Hard Fail	-	Not authorized, reject the message	Use for production domains with full confidence
Soft Fail	~	Not authorized, but accept with suspicion	Use during migration or testing phases
Neutral	?	No assertion made	Rarely useful — avoid in production

Choosing Between -all and ~all

In 2026, the practical difference between -all (hard fail) and ~all (soft fail) has narrowed significantly. Most receiving servers treat both similarly when combined with a DMARC policy of p=reject or p=quarantine. However, best practice is:

• Use -all when you’re confident you’ve identified all legitimate sending sources
• Use ~all during initial deployment or when you’re still auditing sending sources
• Never use +all — this authorizes the entire internet to send as your domain

SPF Record Setup for Common Providers

Here are ready-to-use SPF configurations for the most common email platforms in 2026:

Google Workspace Only

v=spf1 include:_spf.google.com -all

Microsoft 365 Only

v=spf1 include:spf.protection.outlook.com -all

Amazon SES Only

v=spf1 include:amazonses.com -all

For region-specific SES endpoints:

v=spf1 include:amazonses.com include:ses.us-east-1.amazonaws.com -all

Google Workspace + Amazon SES (Common Setup)

v=spf1 include:_spf.google.com include:amazonses.com -all

Microsoft 365 + SendGrid + Custom Server

v=spf1 include:spf.protection.outlook.com include:sendgrid.net ip4:203.0.113.50 -all

Complex Multi-Provider Configuration

v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:amazonses.com include:sendgrid.net -all

Warning: This four-include record is already consuming a significant number of DNS lookups. Always verify your total lookup count after adding providers.

The 10 DNS Lookup Limit

This is where most SPF configurations break. RFC 7208 imposes a strict limit: SPF evaluation must not require more than 10 DNS lookups. Exceeding this limit results in a permerror, and many receivers treat this the same as having no SPF record at all.

What Counts as a Lookup

• include: — 1 lookup (plus the included domain’s own lookups)
• a — 1 lookup
• mx — 1 lookup per MX record resolved
• redirect= — 1 lookup
• exists: — 1 lookup

What Does NOT Count

• ip4: — no lookup required
• ip6: — no lookup required
• all — no lookup required
• The initial TXT record query for your domain’s SPF

How to Check Your Lookup Count

Use command-line tools to recursively resolve your SPF record:

dig TXT example.com +short
dig TXT _spf.google.com +short

Or use online SPF validation tools that visualize the full lookup tree. Count every include, a, mx, redirect, and exists mechanism across all nested records.

Strategies to Stay Under the Limit

1. Replace include with ip4/ip6 — If a provider’s IPs are stable, hardcode them (but monitor for changes)
2. Use SPF flattening — Tools that resolve all includes to IP addresses and publish a flattened record, automatically updating when provider IPs change
3. Consolidate email providers — Fewer services means fewer includes
4. Use subdomains — Send transactional email from mail.example.com with its own SPF record separate from your root domain
5. Remove unused includes — Audit annually; if you stopped using a provider, remove their include

Step-by-Step SPF Record Configuration

Follow these steps to deploy a proper SPF record for your domain:

Step 1: Audit Your Sending Sources

Before writing any DNS record, identify every system that sends email using your domain:

• Corporate email (Google Workspace, Microsoft 365)
• Marketing platforms (Mailchimp, HubSpot, ActiveCampaign)
• Transactional services (SendGrid, Amazon SES, Postmark)
• CRM systems (Salesforce, HubSpot)
• Internal servers (application servers, monitoring systems)
• Help desk systems (Zendesk, Freshdesk)

Step 2: Gather SPF Include Values

Check each provider’s documentation for their required SPF include. Common values:

• Google Workspace: include:_spf.google.com
• Microsoft 365: include:spf.protection.outlook.com
• Amazon SES: include:amazonses.com
• SendGrid: include:sendgrid.net
• Mailchimp: include:servers.mcsv.net
• Postmark: include:spf.mtasv.net

Step 3: Compose Your Record

Build the record with all authorized sources. Start with ~all during testing:

v=spf1 include:_spf.google.com include:amazonses.com ip4:203.0.113.50 ~all

Step 4: Publish the DNS TXT Record

Log into your DNS provider and create (or update) the TXT record:

• Host/Name: @ (root domain) or subdomain
• Type: TXT
• Value: Your SPF record string
• TTL: 3600 (1 hour) during testing, increase to 86400 after validation

Step 5: Validate the Record

After publishing, verify with a DNS query:

dig TXT example.com +short

Confirm only one SPF TXT record exists (multiple SPF records cause failures).

Step 6: Test Email Delivery

Send test emails to Gmail, Outlook, and Yahoo accounts. Check headers for spf=pass in the Authentication-Results header.

Step 7: Upgrade to Hard Fail

After 2–4 weeks of successful delivery with no SPF failures in your DMARC reports, switch from ~all to -all:

v=spf1 include:_spf.google.com include:amazonses.com ip4:203.0.113.50 -all

Common SPF Mistakes and How to Avoid Them

Mistake 1: Multiple SPF Records

A domain must have exactly one SPF TXT record. Publishing two causes permerror on all emails.

Wrong:

v=spf1 include:_spf.google.com -all
v=spf1 include:amazonses.com -all

Correct:

v=spf1 include:_spf.google.com include:amazonses.com -all

Mistake 2: Exceeding the 10 DNS Lookup Limit

Adding every service’s include without counting lookups. Always check the recursive lookup tree before publishing.

Mistake 3: Using +all

This authorizes everyone on the internet to send as your domain. Never use it — not even in testing.

Mistake 4: Forgetting Subdomains

SPF records do not inherit from parent domains. If you send email from notifications.example.com, it needs its own SPF record.

Mistake 5: Stale Records

If you migrated from one provider to another but left the old include, you’re authorizing servers you no longer control. Audit quarterly.

Mistake 6: Using the ptr Mechanism

The ptr mechanism is deprecated in RFC 7208 and should not be used. It’s slow, unreliable, and many receivers ignore it entirely.

Troubleshooting SPF Failures

When SPF checks fail, here’s how to diagnose the issue:

Check the Authentication-Results Header

In any received email, look for the Authentication-Results header:

Authentication-Results: mx.google.com;
    spf=fail (google.com: domain of [email protected] does not
    designate 198.51.100.22 as permitted sender)
    [email protected]

This tells you the exact IP that was checked and why it failed.

Common Failure Scenarios

Symptom	Likely Cause	Fix
spf=fail	Sending IP not in SPF record	Add the IP or provider’s include
spf=permerror	Too many lookups or syntax error	Flatten record or fix syntax
spf=temperror	DNS timeout during lookup	Check DNS server reliability
spf=none	No SPF record found	Publish an SPF record
spf=softfail	IP not authorized, but using ~all	Add the source or switch to -all when ready

Use DMARC Reports for Ongoing Monitoring

DMARC aggregate reports (RUA) reveal every IP that sends email using your domain, along with SPF and DKIM pass/fail results. Review these weekly to catch unauthorized senders and misconfigured services early.

SPF Best Practices for 2026

• Publish SPF on all domains you own — even parked domains should have v=spf1 -all to prevent spoofing
• Combine SPF with DKIM and DMARC — SPF alone is not sufficient; all three work together
• Use subdomain delegation for high-volume transactional mail to keep your root domain’s SPF record lean
• Monitor with DMARC reports — they reveal SPF failures you wouldn’t otherwise know about
• Keep TTLs reasonable — 3600 seconds allows corrections within an hour if you make a mistake
• Document your SPF record — maintain a table mapping each mechanism to the service it authorizes
• Review quarterly — services change, IPs rotate, and unused providers should be removed

Frequently Asked Questions

How long does it take for an SPF record to propagate?

DNS propagation typically takes 15 minutes to 48 hours, depending on TTL settings and caching. With a TTL of 3600, most resolvers will pick up your new record within 1–2 hours.

Can I have more than one SPF record on my domain?

No. RFC 7208 requires exactly one SPF TXT record per domain. Multiple records cause a permerror result, effectively breaking SPF authentication for all your email.

What happens if my SPF record exceeds 10 lookups?

The receiving server returns a permerror, meaning SPF evaluation cannot complete. Most receivers treat this as an SPF failure, which can impact delivery — especially if your DMARC policy relies on SPF alignment.

Does SPF work with email forwarding?

SPF often breaks with traditional email forwarding because the forwarding server’s IP isn’t in the original sender’s SPF record. This is one reason DKIM is essential — it survives forwarding intact. ARC (Authenticated Received Chain) also helps preserve authentication through forwarding hops.

Should I use SPF flattening?

SPF flattening resolves all includes into IP addresses, reducing lookup count. It’s effective but requires automated updates since provider IPs can change. Use a managed flattening service rather than manually maintaining flattened records.

What’s the maximum length of an SPF record?

A single DNS TXT string is limited to 255 characters, but DNS allows multiple strings to be concatenated in one TXT record (up to the overall UDP response limit of 512 bytes without EDNS, or ~4096 bytes with EDNS). Keep your record under 450 characters to ensure reliable resolution across all DNS infrastructure.