Authorize senders with SPF
You can set up an SPF record to prevent spammers from using your domain to send unauthorized emails, also called spoofing. Some mail recipients require SPF. If you don’t add an SPF record for your domain, your messages can be marked as spam or even bounce back.
An SPF record lists the mail servers that are permitted to send email on behalf of your domain. If a message is sent through an unauthorized mail server, it’s reported and can be marked as spam.
Note: For best practices, use SPF and DomainKeys Identified Mail (DKIM). SPF validates who’s relaying the email, while DKIM adds a digital signature to verify the email’s content.
To set up your SPF record with G Suite, you add a TXT record with your domain host. Adding the record doesn’t affect your mailflow.
- Sign in to your domain account at your domain host (not your Google Admin console).
Help me identify my domain host.
- Locate the page for updating your domain’s DNS records.
This page might be called something like DNS management, Name server management, or Advanced settings.
- Find your TXT records to see if you have an existing SPF record. The record will start with v=spf1. If you do, review steps 4 and 5. If you don’t, go to step 5.
- If your domain already has an SPF record, delete it and go to step 5 or follow the instructions below to update an existing SPF record with multiple mail servers.
Multiple SPF records are not recommended and will cause authorization problems.
- Create a new TXT record with the following values:
- In the Name/Host/Alias field, enter @ or leave it blank. Your other DNS records might indicate which one you need.
- In the Time to Live (TTL) field, enter 3600 or leave the default.
- In the Value/Answer/Destination field, enter v=spf1 include:_spf.google.com ~all
- Save the record.
Your new SPF record can take up to 48 hours to go into effect, but it usually happens more quickly. For help adding TXT records, contact your domain host.
For details about G Suite mail server addresses, see Google IP address ranges.
Check your SPF record
Use the G Suite Toolbox to check your SPF record.
- Go to https://toolbox.googleapps.com/apps/checkmx/.
- Enter your domain name.
- Click Run Checks!
- When the test finishes, click Effective SPF Address Ranges.
- Check the SPF results. The results should include:
- _netblocks.google.com followed by several IP addresses
- _netblocks2.google.com followed by several IP addresses
- _netblocks3.google.com followed by several IP addresses
Multiple SPF records are not recommended and will cause authorization problems. Instead, update the existing record.
You can update your domain’s existing SPF record to authorize a new or additional mail server. For example, if you set up an outbound email gateway, your SPF record will include the G Suite server address and the outbound gateway SMTP server address.
To add a mail server to an existing SPF record, enter the server's IP address before the ~all argument using the format ip4:address or ip6:address. For example:
v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all
To add a mail server’s domain, use additional include statements for each domain. For example:
v=spf1 include:serverdomain.com include:_spf.google.com ~all
For more details on the SPF format, see Sender Policy Framework.
Managing messages that fail SPF checks
You can decide how a message that fails SPF or DKIM checks is handled by creating a DMARC record. With DMARC, you specify a policy to take no action, quarantine the message, or reject the message.
For help creating or checking an SPF record, contact your domain host.