Who this article is for
An SPF record defines the mail servers and domains that are allowed to send email on behalf of your domain. It also tells receiving servers what to do with messages after they’re checked. Receiving servers check your SPF record to verify that incoming messages that appear to be from your organization are sent from servers authorized by you. Domains can have one SPF record. However, the SPF record for a domain can specify multiple servers and third parties that are allowed to send email for the domain.
Set up SPF by adding a DNS TXT record at your domain provider.
SPF record format
An SPF record is a line of plain text that includes a list of tags and values. The tags are called mechanisms. The values are typically IP addresses and domain names.
An SPF record is added to your domain provider in the form of a DNS TXT record. Learn more About DNS TXT records.
SPF records can have up to 255 characters. The TXT record file size should be no larger than 512 bytes.
SPF record mechanisms
Use the mechanisms in this table to create your SPF record. Receiving mail servers check messages against mechanisms in the order they are listed in the SPF record.
Keep in mind:
- You can use optional SPF record qualifiers with mechanisms.
- Your TXT record for SPF shouldn’t include more than 10 references to other domains or servers. These references are called lookups. Learn more in Check the DNS lookups in your SPF record.
Mechanism | Description and allowed values |
---|---|
v |
SPF version. This tag is required, and must be the first tag in the record. This mechanism must be:
|
ip4 |
Authorize mail servers by IPv4 address or address range. The value must be an IPv4 address or range in standard format, for example:
or
|
ip6 |
Authorize mail servers by IPv6 address or address range. The value must be an IPv6 address or range in standard format, for example:
or
|
a |
Authorize mail servers by domain name, for example:
|
mx |
Authorize one or more mail servers by domain MX record, for example:
If this mechanism isn't in your SPF record, the default value is the MX records of the domain where the SPF record is used. |
include |
Authorize third-party email senders by domain, for example:
|
all |
Specifies that all incoming messages match. We recommend you always include this mechanism in your SPF record. This must be the last mechanism in the SPF record. Any mechanism that comes after the Should I use ~all or -all?When an SPF record includes When an SPF record includes Tip: To prevent spoofing of domains that don’t send email, use this as the SPF record for the domain: |
SPF record qualifiers
A qualifier is an optional prefix you can add to any mechanism in your SPF record. Qualifiers tell the receiving mail server whether to consider a message authenticated when there's a match with a mechanism value, for example:
v=spf1 include:_spf.google.com -all
all
mechanism has a fail qualifier ( - ), so messages from any other senders fail the SPF check and may be rejected by the receiving server.Mechanisms are checked in the order they occur in the SPF record. If a mechanism doesn’t have a qualifier and there’s a match, the default action is pass authentication. When there's no mechanism match, the action default is neutral: the message doesn't pass or fail authentication.
Use these optional qualifiers to tell receiving mail servers how to handle messages that match mechanisms in the SPF record.
Next steps
After you’ve created the SPF record for your domain, add your SPF record at your domain provider.