To turn on Sender Policy Framework (SPF) for your domain, add a Domain Name System (DNS) TXT record at your domain provider.
Keep in mind:
- The field names in these steps might be different for your domain provider. DNS TXT record field names vary for domain providers.
- After adding an SPF record, it can take up to 48 hours for SPF authentication to start working.
Sign in to the management console for your domain host and locate the page where you update DNS TXT records for your domain. For help on how to find this page, check the documentation for your domain provider.
Enter these values on the page or form for your domain provider’s TXT records:
|Field name||Value to enter|
Note: If you're adding a SPF record for a subdomain, enter the subdomain instead of @. Read Apply an SPF record to subdomain with the Host setting for more information.
If you only send email from Google Workspace, enter this SPF record:
If you use additional email senders, enter the SPF record you created in Basic setup or in Advanced setup.
|TTL||1 hour or 3600 seconds|
Turning off SPF
We don't recommend turning off SPF for your domain. Without SPF, hackers and other malicious users can impersonate your domain, making messages appear to come from your organization or domain. Messages from your domain are also more likely to be sent to spam. If you must turn off SPF, follow the the steps in Turn off SPF.
When you add your SPF record to your domain, the SPF record isn't automatically applied to subdomains. Check if your domain provider lets you add SPF records directly to subdomains. If you're not sure, check the documentation for your domain provider.
Add an SPF record directly to subdomain
If your domain provider lets you add SPF records directly to subdomains, locate the subdomain in your domain provider management console. Then, add an SPF record following the steps in Add your SPF record.
For example, if your domain is solarmora.com, you might want to add an SPF record for the subdomain mail.solarmora.com. Locate mail.solarmora.com in your domain provider console and add the SPF record.
If your domain provider doesn’t have a way to add an SPF record directly to a subdomain, add another SPF record to your primary domain. Change the Host value to apply the SPF record to the subdomain.
For example, if your domain is solarmora.com, you might want to add an SPF record for the subdomain mail.solarmora.com. Enter mail in the Host field, instead of @.
Update your SPF record for added senders
Every time you start using a new mail server or third-party sender, you should:
- Update your SPF record, following the steps in Define your SPF record.
- Add the updated SPF record at your domain provider, following the steps in Add your SPF record.
If you don’t update your SPF record, messages sent by the new senders might be marked as spam.
Important: Your domain should have one SPF record only. The exception is when you Apply an SPF record to a subdomain with the Host setting. Your domain provider might let you add more than one SPF record to the same domain. However, SPF won’t authenticate messages correctly if there are multiple SPF records for the same domain.
When you add the SPF record at your domain, you’re done setting up SPF for your domain. It can take up to 48 hours for SPF authentication to start working.
If you’re having issues verifying SPF is working, or if messages from your domain are still going to spam, follow the recommendations in Troubleshoot SPF issues.
We recommend you also set up DKIM and DMARC authentication for your organization.