Authorize email senders with SPF

Help prevent spoofing from your domain

Set up SPF to prevent spammers from sending unauthorized emails from your domain. This type of spamming is called spoofing. Sender Policy Framework (SPF) is an email security method to prevent spoofing from your domain. 

Spoofing is a common unauthorized use of email, so some email servers require SPF. If you don't set up SPF for your domain, messages could bounce or could be marked as spam.

Use SPF with DKIM and DMARC

Along with SPF, we recommend setting up DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC). SPF validates the domains that can send messages. DKIM verifies that message content is authentic and not changed. DMARC specifies how your domain handles suspicious emails that it gets.

Create an SPF record for your domain

An SPF record is a TXT record that lists the mail servers that are allowed to send email from your domain. Messages sent from a server that isn't in the SPF record might be marked as spam.

Set up the SPF record for Gmail by adding a TXT record at your domain host. Adding the TXT record doesn’t affect your mail flow.

If you need help adding TXT records, contact your domain host.

  1. Sign in to your domain account at your domain host (not your Google Admin console).


  2. Locate the page for updating your domain’s DNS records. This page might be called something like: DNS management, name server management, or advanced settings.
  3. Find your TXT records and see if you have an existing SPF record. The SPF record starts with v=spf1.

    If you have an SPF record, go to step 4. If you don’t, go to step 5.

  4. If your domain already has an SPF record, remove it.

    You can also update an existing SPF record to use with multiple email servers. Using more than one SPF record isn't recommended because it causes authorization problems. We recommend using the same SPF record for all your email servers.

  5. Create a TXT record with the following values:
    • Name/Host/Alias: Enter @ or leave it blank. Your other DNS records might indicate which entry is correct.
    • Time to Live (TTL): Enter 3600 or leave the default.
    • Value/Answer/Destination: Enter v=spf1 include:_spf.google.com ~all
  6. Save the record.

Your new SPF record takes effect within 48 hours, but it can be sooner.

Verify your SPF record

Use the G Suite Toolbox to verify your SPF record.

  1. Go to https://toolbox.googleapps.com/apps/checkmx/.
  2. Enter your domain name.
  3. Click Run Checks!
  4. When the test finishes, click Effective SPF Address Ranges.
  5. Check the SPF results. The results should include:
    • _spf.google.com
    • _netblocks.google.com followed by several IP addresses
    • _netblocks2.google.com followed by several IP addresses
    • _netblocks3.google.com followed by several IP addresses

Update an SPF record for multiple servers

Using more than one SPF record can cause authorization problems. Instead, update an existing SPF record to give permissions to other servers.

For example, if you set up an outbound email gateway, your SPF record includes the Gmail server address and the outbound gateway SMTP server address.

To add a mail server to an existing SPF record, enter the server's IP address before the ~all argument. Use the format ip4:address or ip6:address, as shown in this example:

v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all

To add a mail server’s domain, use an include statement for each domain. For example:

v=spf1 include:serverdomain.com include:_spf.google.com ~all
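
An offline check for the rules in this article, as an added example (not Google's code): it takes the TXT record strings you read back from your DNS host and reports duplicate SPF records, a missing include:_spf.google.com, servers listed after the all mechanism, and malformed ip4:/ip6: addresses. The function name audit_spf and the sample records are constructed for illustration.

```python
import ipaddress

GOOGLE_INCLUDE = "include:_spf.google.com"  # value given in this article

def audit_spf(txt_records):
    """Return a list of problems in a domain's TXT records (empty list = OK)."""
    # An SPF record is a TXT record whose first term is exactly v=spf1.
    spf = [r.strip() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record (no TXT record starting with v=spf1)"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records found; merge them into one"]

    problems = []
    terms = spf[0].lower().split()[1:]
    if GOOGLE_INCLUDE not in terms:
        problems.append("missing " + GOOGLE_INCLUDE)

    # Servers must be listed before the all mechanism (~all in this article).
    all_pos = [i for i, t in enumerate(terms) if t.lstrip("+-~?") == "all"]
    if not all_pos:
        problems.append("record has no all mechanism")
    elif late := [t for t in terms[all_pos[0] + 1:] if "=" not in t]:
        # name=value modifiers are skipped; only mechanisms are reported
        problems.append("listed after all, never evaluated: " + " ".join(late))

    # ip4:/ip6: values must parse as an address or CIDR range of that family.
    for term in terms:
        mech = term.lstrip("+-~?")
        for prefix, version in (("ip4:", 4), ("ip6:", 6)):
            if mech.startswith(prefix):
                try:
                    net = ipaddress.ip_network(mech[len(prefix):], strict=False)
                    if net.version != version:
                        raise ValueError("wrong address family")
                except ValueError:
                    problems.append("bad address in " + term)
    return problems

# Constructed sample TXT record sets (not real DNS data).
SAMPLES = {
    "single": ["site-verification=constructed-value",
               "v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all"],
    "duplicate": ["v=spf1 include:_spf.google.com ~all",
                  "v=spf1 include:serverdomain.com ~all"],
    "misplaced": ["v=spf1 include:_spf.google.com ~all ip4:172.16.254.1"],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, audit_spf(records) or "OK")
```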
