How to Set Up an SPF Record

SPF is published as a single TXT record at your domain's apex. A typical record looks like this:

• v=spf1 — marks this as an SPF record. Every SPF record starts with it.
• include: — authorizes another domain's senders (your email or marketing provider gives you these).
• ip4: / ip6: — authorize specific IP addresses, such as your own mail server.
• a / mx — authorize the hosts in your A or MX records.
• ~all — the qualifier that applies to everything else. -all is a hard fail, ~all a soft fail.

1. List your senders. Note every service that sends mail as your domain — your mailbox provider, marketing platform, transactional email service, helpdesk, CRM, and your own servers.
2. Collect each sender's SPF mechanism. Most providers document an include: value to use.
3. Combine them into one record. Build a single v=spf1 … string containing every mechanism, ending in ~all (or -all once you are confident).
4. Publish the TXT record at your domain root (the @ or apex host) in your DNS provider.
5. Wait for propagation and then verify — see below. Changes are usually live within minutes (DNS propagation).

• Multiple SPF records. Only one is allowed — publishing two makes the result invalid. Merge them.
• Using +all. This authorizes any server and is worse than having no record at all.
• Exceeding the 10-lookup limit. SPF allows at most ten DNS lookups; chains of include: from many SaaS tools can blow past it, causing a permerror. Consolidate or flatten when you get close.

After publishing, confirm the record resolves and parses correctly. ZoneWatcher's SPF monitor continuously checks for the right qualifier, a single record, and that you stay under the 10-lookup limit — flagging the slow drift that breaks SPF as you add tools over time.

SPF is one of three records that work together. Pair it with DKIM and DMARC, and see SPF vs DKIM vs DMARC for how they fit.