How To Set Up an SPF Record (Step-by-Step)
If you've been told your emails are landing in spam, or your email provider asked you to "set up SPF," you're in the right place. SPF sounds technical, but the concept is straightforward — and you don't need to be a developer to get it done.
This guide walks you through exactly what SPF is, why it matters, and how to set it up correctly, step by step.
What Is an SPF Record?
SPF stands for Sender Policy Framework. It's a type of DNS record that tells the world which mail servers are allowed to send email on behalf of your domain.
Think of it like an authorized senders list. When someone receives an email from your domain, their mail server checks your SPF record to verify the email came from a legitimate source. If the sending server isn't on your list, the email may be marked as spam or rejected outright.
Without an SPF record, you have no way of telling receiving servers that your emails are genuine — and that hurts deliverability.
Before You Start
You'll need two things before creating your SPF record:
- Access to your domain's DNS settings. This is usually through your domain registrar (GoDaddy, Namecheap, Cloudflare, Google Domains, etc.). Log in and find the DNS management area.
- A list of services that send email for your domain. This might include your email host (like Google Workspace or Microsoft 365), your email marketing platform, your CRM, or a dedicated sending service.
Getting that second list right is important. If you miss a service, emails sent through it may fail SPF checks.
How to Build Your SPF Record
An SPF record is a TXT record in your DNS. Here's what a basic one looks like:
v=spf1 include:_spf.google.com ~all
Let's break that down piece by piece:
- v=spf1 — This tells DNS servers this is an SPF record. Always starts here.
- include:_spf.google.com — This authorizes Google's mail servers to send on your behalf. You'll replace or add to this based on which services you use.
- ~all — This is the "catch-all" rule. It tells receiving servers what to do with mail from servers not listed in your record. A tilde (~) means "soft fail" — treat it with suspicion but don't outright reject it. A hyphen (-) means "hard fail" — reject it. Most senders start with ~all and move to -all once they're confident everything is set up correctly.
Common Include Statements by Provider
Add the relevant include: statement for each service you send email through:
- Google Workspace: include:_spf.google.com
- Microsoft 365: include:spf.protection.outlook.com
- Mailchimp: include:servers.mcsv.net
- SendGrid: include:sendgrid.net
- Mailgun: include:mailgun.org
If you use a dedicated sending service like Rainmail, they'll provide you with the specific include statement to add for your account.
Step-by-Step: Adding Your SPF Record
Step 1: Log In to Your DNS Provider
Go to the website where you registered your domain, or wherever your DNS is managed. Navigate to the DNS settings or DNS management section.
Step 2: Check for an Existing SPF Record
Search your existing TXT records for any record that starts with v=spf1. You should only ever have one SPF record per domain. If you already have one, you'll need to edit it rather than create a new one — multiple SPF records will break things.
Step 3: Create or Edit the TXT Record
If you're creating a new record, add a TXT record with these settings:
- Type: TXT
- Name/Host: @ (this means your root domain, e.g. yourdomain.com)
- Value/Content: Your full SPF record (e.g. v=spf1 include:_spf.google.com include:servers.mcsv.net ~all)
- TTL: 3600 (or the default your provider sets)
Step 4: Save and Wait for Propagation
Save the record. DNS changes typically propagate within a few minutes to a few hours, though occasionally it can take up to 48 hours. You won't need to do anything during this time — just wait.
Step 5: Test Your SPF Record
Once propagation is complete, verify your record is set up correctly. You can use the free deliverability checker to see whether your SPF record (as well as DKIM and DMARC) is valid and properly configured.
Common SPF Mistakes to Avoid
- Having more than one SPF record. Only one TXT record starting with v=spf1 is allowed per domain. Combine everything into a single record.
- Exceeding 10 DNS lookups. Each include: statement triggers a DNS lookup. SPF allows a maximum of 10. If you send through many services, you may need to consolidate or use a flattening tool.
- Forgetting a sending service. If you set up a new email tool later, remember to update your SPF record to include it.
- Using -all too early. A hard fail will reject mail from any server not listed. Only use this once you're certain your record is complete and accurate.
SPF Is Just One Piece of the Puzzle
SPF is essential, but it works best alongside DKIM and DMARC. Together, these three records form the foundation of email authentication and significantly improve your chances of reaching the inbox. If you're not sure whether all three are set up correctly for your domain, it's worth checking.
Services like Rainmail are built specifically to help senders get authentication right from the start — and to manage ongoing deliverability so your emails actually land where they're supposed to.
Getting SPF right is one of the most impactful things you can do for your email deliverability. Take the time to do it properly, and your inbox placement will thank you.