Help prevent email spoofing with SPF records

Protect against forged emails that appear to come from your domain

Spammers may send emails that appear to come from your domain, by forging the From field; this is called spoofing. By adding a Sender Policy Framework (SPF) record to your domain host, your recipients can identify which mail servers can send emails from your domain. The SPF record tells the mail server of the person you’re sending email to that your email comes from your domain, and is not spam.

You add SPFs record at your domain. For example, when you send an email from Gmail to someone, their server will check that the SPF record at your domain (yourdomain.com) matches the message’s server. If it doesn’t, it may be rejected as spam.

Note: If you bought your domain from a Google partner (GoDaddy.com, eNom.com, and DomainDiscount24.com) when you signed up for G Suite, then you may not need to do this.

Use SPF with DKIM and DMARC

Along with SPF,  we recommend setting up DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC):

  • SPF specifies which domains can send messages.
  • DKIM verifies that message content is authentic and not changed.
  • DMARC specifies how your domain handles suspicious incoming emails.

Turn on SPF for your domain

To turn on SPF for your domain, add an SPF TXT record to your domain host. An SPF TXT record lists the mail servers allowed to send email from your domain. Messages sent from servers that aren't in the record might be marked as spam. 

Adding the TXT record doesn’t affect your mail flow.

About TXT records

Your domain host maintains text settings called DNS TXT records that direct web traffic to your domain. Learn more about working with TXT records.

Add an SPF TXT record

Important: If you're using SPF for more than one mail server, you must use the same SPF record for all the servers. Learn how at Use an SPF record with multiple servers.

To turn on SPF, update your domain SPF TXT record:

  1. Sign in to your domain account at your domain host (not your Google Admin console).

    Help me identify my domain host.

  2. Locate the page for updating your domain’s DNS records. This page might be called something like: DNS management, name server management, or advanced settings.
  3. Find your TXT records, and check if your domain has an existing SPF record. The SPF record starts with v=spf1.
  4. If your domain already has an SPF record, remove it. If not, skip to Step 5.
  5. Create a TXT record with these values:
    • Name/Host/Alias: Enter @ or leave blank. Other DNS records for your domain might indicate the correct entry.
    • Time to Live (TTL): Enter 3600 or leave the default.

    • Value/Answer/Destination: Enter v=spf1 include:_spf.google.com ~all

  6. Save the record.

Your new SPF record takes effect within 48 hours, but it can be sooner.

Use an SPF record with multiple servers

A domain can have only one SPF record. Don't create an SPF record for each mail server. Instead, update one SPF record to include all your mail servers.

For example, if you set up an outbound email gateway, your SPF record includes the Gmail server address and the outbound gateway SMTP server address.

To add a mail server to an existing SPF record, enter the server's IP address before the ~all argument. Use the format ip4:address or ip6:addressas shown in this example:

v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all

To add a mail server’s domain, use an include statement for each domain. For example:

v=spf1 include:serverdomain.com include:_spf.google.com ~all

Verify your SPF record

Verify your SPF record using the Check MX app:

  1. Go to https://toolbox.googleapps.com/apps/checkmx/.
  2. Enter your domain name.
  3. Click Run Checks!
  4. When the test finishes, click Effective SPF Address Ranges.
  5. Check the SPF results. The results should include:
    • _spf.google.com
    • _netblocks.google.com followed by several IP addresses
    • _netblocks2.google.com followed by several IP addresses
    • _netblocks3.google.com followed by several IP addresses

SPF checks and max DNS lookups 

SPF supports up to ten DNS lookups. Nested lookups count toward this maximum of ten. If your SPF record has more than ten lookups, the mechanisms after ten are treated as invalid and the SPF check won't pass. 

Learn more about DNS lookup limits in RFC 7208.

These SPF record mechanisms and modifiers count toward the lookup maximum:

  • a
  • exists
  • include
  • mx
  • ptr
  • require

These mechanisms and modifiers do not count toward the lookup maximum:

  • exp
  • ip4
  • ip6

Here are some ways you can reduce the number of lookups in your SPF record:

  • Avoid unnecessary include statements.
  • When possible, use the ip4 or ip6 mechanism in place of include.
  • Avoid using the ptr mechanism because it generates many DNS lookups.
  • Remove duplicate mechanisms or mechanisms that resolve to the same domain.
  • Reference only domains that are actively sending.
  • Remove any include statements to SPF records of partners that no longer send mail from your domain.

You can check the number of lookups for your SPF record using the Check MX app.

Related articles

For information about what to include in SPF records, visit Google server IP address ranges for outbound SMTP.

Was this helpful?
How can we improve it?