Help prevent email spoofing with SPF records

Protect against forged emails that appear to come from your domain

Spammers might send emails that appear to come from your domain. This is called spoofing. You can add a Sender Policy Framework (SPF) record to your domain host to help your recipients know where emails from your domain should be coming from and that they aren't spoofed.

If you bought your domain from a Google partner (GoDaddy.com, eNom.com, and DomainDiscount24.com) when you signed up for G Suite, you might not need to do this. For details, see Settings managed by your domain host.

Add an SPF TXT record to your domain host

Your domain host keeps text settings (called DNS records) that direct web traffic to your domain. An SPF TXT record lists the mail servers that can send email from your domain. If a message is sent from a server that's not in the record, the recipient's server might consider it spam.

Note: A domain can only have one SPF record, but your record can list multiple servers. For details, see Add multiple servers to an SPF record.

  1. Sign in to your domain account at your domain host (not your Google Admin console).
  2. Go to the page for updating your domain's DNS records.
    This page might be called something like: DNS management, name server management, or advanced settings.
  3. Find your TXT records and check if your domain has an existing SPF record.
    The SPF record starts with "v=spf1".
  4. If your domain already has an SPF record, remove it. If not, skip to step 5.
  5. Create a TXT record with these values:
    • Name/Host/Alias—Enter @ or leave blank.
      Other DNS records for your domain might indicate the correct entry.
    • Time to Live (TTL)—Enter 3600 or leave the default.
    • Value/Answer/Destination—Enter v=spf1 include:_spf.google.com ~all.
  6. Save the record.

Your new SPF record takes effect within 48 hours.

Manage your SPF record

Open all  |  Close all

Verify your SPF record
Verify your SPF record using the Check MX app, which is part of G Suite Toolbox:
  1. Go to G Suite Toolbox.
  2. Enter your domain name.
  3. Click Run Checks!.
  4. When the test finishes, click Effective SPF Address Ranges.
  5. Check the SPF results.
    They should include:
    • _spf.google.com
    • _netblocks.google.com followed by several IP addresses
    • _netblocks2.google.com followed by several IP addresses
    • _netblocks3.google.com followed by several IP addresses
Add multiple servers to an SPF record
Your domain can only have one SPF record. However, you can update your SPF record to include all your mail servers. For example, if you set up an outbound email gateway, your SPF record includes the Gmail server address and the outbound gateway SMTP server address.
To add a mail server to an existing SPF record, enter the server's IP address before the ~all argument. Use the format ip4:address or ip6:address as shown in this example:
v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all
To add a mail server's domain, use an include statement for each domain. For example:
v=spf1 include:serverdomain.com include:_spf.google.com ~all

Related topics

Manage mechanisms and qualifiers
Mechanisms in an SPF record identify the servers that are permitted to send mail on behalf of the domain. Each mechanism is evaluated left to right in the SPF record.
Here's an example of an SPF record:
v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all
These mechanisms identify the IP addresses that can send email from a domain:
  • a
  • mx
  • ip4
  • ip6
  • include
  • all

If a server does not match one of the mechanisms in the SPF record, the all mechanism decides if the email should pass the SPF check. 

To affect how email passes your SPF check, in your SPF record, you can add qualifiers to the mechanisms.
Qualifier Description
Pass (+) Email from a server that matches a mechanism with the + qualifier (or no qualifier) will pass the SPF check. The recipient should accept the email.
Fail (-) Email from a server that matches a mechanism with the - qualifier will fail the SPF check. The recipient should reject the email.
Softfail (~) Email from a server that matches a mechanism with the ~ qualifier will pass the SPF check, but treated as suspicious.
Neutral (?) Mechanisms with the ? qualifier will not affect whether email passes the SPF check.
DNS lookup limits and SPF checks
SPF supports up to 10 DNS lookups. Nested lookups count toward this maximum. After your SPF record has more than 10 lookups, the mechanisms are invalid and the SPF check doesn't pass.
You can check the number of lookups for your SPF record using the Check MX app.

SPF record mechanisms and modifiers

The mechanisms and modifiers you use in your SPF record can keep it from reaching the maximum of 10 DNS lookups.
Count toward the lookup maximum Do not count toward the lookup maximum
  • a
  • exists
  • include
  • mx
  • ptr
  • require
  • all
  • exp
  • ip4
  • ip6

 

To reduce the number of lookups in your SPF record:

  • Avoid unnecessary include statements.
  • When possible, use the ip4 or ip6 mechanism instead of include.
  • Avoid using the ptr mechanism. It generates many DNS lookups.
  • Remove duplicate mechanisms or mechanisms that resolve to the same domain.
  • Only reference domains that are actively sending.
  • Remove any include statements to SPF records of partners that no longer send mail from your domain.

Related topics

Use SPF with DKIM and DMARC
Along with SPF, we recommend setting up DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC):
  • SPF specifies the servers that can send email for a domain.
  • DKIM verifies that message content is authentic and not changed.
  • DMARC specifies how your domain handles suspicious incoming emails.

Related topics

 Related topics

Was this helpful?
How can we improve it?