Authorize email senders with SPF

Help prevent spoofing from your domain

Sender Policy Framework (SPF) helps prevent spammers from sending unauthorized emails from your domain. This type of spamming is called spoofing. SPF is an email security method that helps prevent spoofing from your domain. Spoofing is a common unauthorized use of email so some email servers require SPF. If you don't set up SPF for your domain, messages sent from your domain might bounce or might be marked as spam.

Use SPF with DKIM and DMARC

Along with SPF,  we recommend setting up DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC):

  • SPF specifies which domains can send messages.
  • DKIM verifies that message content is authentic and not changed.
  • DMARC specifies how your domain handles suspicious incoming emails.

Turn on SPF for your domain

To turn on SPF for your domain, add an SPF TXT record to your domain host. Adding the TXT record doesn’t affect your mail flow.

About TXT records

Your domain host maintains text settings called DNS records that direct web traffic to your domain. Learn more about working with TXT records. If you still need help with TXT records, contact your domain host.

An SPF TXT record lists mail servers allowed to send email from your domain. Messages sent from servers that aren't in the record might be marked as spam. 

SPF and multiple mail servers

We don't recommend multiple SPF records for multiple mail servers. Using multiple SPF records can cause authorization problems. Use the same SPF record for all your mail servers. 

Learn how to update an existing SPF record to use with multiple mail servers.

Add an SPF TXT record

To turn on SPF, update your domain SPF TXT record:

  1. Sign in to your domain account at your domain host (not your Google Admin console).

    Help me identify my domain host.

  2. Locate the page for updating your domain’s DNS records. This page might be called something like: DNS management, name server management, or advanced settings.
  3. Find your TXT records, and check if your domain has an existing SPF record. The SPF record starts with v=spf1.
  4. If your domain already has an SPF record, remove it. If not, skip to Step 5.
  5. Create a TXT record with these values:
    • Name/Host/Alias: Enter @ or leave blank. Other DNS records for your domain might indicate the correct entry.
    • Time to Live (TTL): Enter 3600 or leave the default.
    • Value/Answer/Destination: Enter v=spf1 include:_spf.google.com ~all

  6. Save the record.

Your new SPF record takes effect within 48 hours, but it can be sooner.

Verify your SPF record

Verify your SPF record using the Check MX app, which is part of G Suite Toolbox:

  1. Go to https://toolbox.googleapps.com/apps/checkmx/.
  2. Enter your domain name.
  3. Click Run Checks!
  4. When the test finishes, click Effective SPF Address Ranges.
  5. Check the SPF results. The results should include:
    • _spf.google.com
    • _netblocks.google.com followed by several IP addresses
    • _netblocks2.google.com followed by several IP addresses
    • _netblocks3.google.com followed by several IP addresses

Apply an SPF record to multiple servers

A domain can have only one SPF record. Don't create an SPF record for each mail server. Instead, update one SPF record to include all your mail servers.

For example, if you set up an outbound email gateway, your SPF record includes the Gmail server address and the outbound gateway SMTP server address.

To add a mail server to an existing SPF record, enter the server's IP address before the ~all argument. Use the format ip4:address or ip6:addressas shown in this example:

v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all

To add a mail server’s domain, use an include statement for each domain. For example:

v=spf1 include:serverdomain.com include:_spf.google.com ~all

Max DNS lookups and SPF checks

SPF supports up to ten DNS lookups. Nested lookups count toward this maximum. If your SPF record has more than ten lookups, the mechanisms after ten are treated as invalid and the SPF check doesn't pass. 

Learn more about DNS lookup limits in RFC 7208.

These SPF record mechanisms and modifiers count toward the lookup maximum:

  • a
  • exists
  • include
  • mx
  • ptr
  • require

These mechanisms and modifiers do not count toward the lookup maximum:

  • exp
  • ip4
  • ip6

Here are some ways you can reduce the number of lookups in your SPF record:

  • Avoid unnecessary include statements.
  • When possible, use the ip4 or ip6 mechanism in place of include.
  • Avoid using the ptr mechanism because it generates many DNS lookups.
  • Remove duplicate mechanisms or mechanisms that resolve to the same domain.
  • Reference only domains that are actively sending.
  • Remove any include statements to SPF records of partners that no longer send mail from your domain.

You can check the number of lookups for your SPF record using the Check MX app, which is part of G Suite Toolbox.

Related articles

For information about what to include in SPF records, visit Google server IP address ranges for outbound SMTP.

Was this helpful?
How can we improve it?