Authorize email senders with SPF
Sender Policy Framework (SPF) is an email security method that helps prevent spammers from sending unauthorized emails from your domain, a practice called spoofing. Spoofing is a common unauthorized use of email, so some email servers require SPF. If you don't set up SPF for your domain, messages sent from your domain might bounce or might be marked as spam.
Use SPF with DKIM and DMARC
Along with SPF, we recommend setting up DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC):
- SPF specifies which domains can send messages.
- DKIM verifies that message content is authentic and not changed.
- DMARC specifies how your domain handles suspicious incoming emails.
To turn on SPF for your domain, add an SPF TXT record to your domain host. Adding the TXT record doesn’t affect your mail flow.
About TXT records
Your domain host maintains text settings called DNS records that direct web traffic to your domain. Learn more about working with TXT records. If you still need help adding TXT records, contact your domain host.
An SPF TXT record lists mail servers allowed to send email from your domain. Messages sent from servers that aren't in the record might be marked as spam.
SPF and multiple mail servers
We don't recommend multiple SPF records for multiple mail servers. Using multiple SPF records can cause authorization problems. Use the same SPF record for all your mail servers.
Add an SPF TXT record
To turn on SPF, update your domain SPF TXT record:
1. Sign in to your domain account at your domain host (not your Google Admin console).
   Help me identify my domain host.
2. Locate the page for updating your domain’s DNS records. This page might be called something like: DNS management, name server management, or advanced settings.
3. Find your TXT records, and check if your domain has an existing SPF record. The SPF record starts with v=spf1.
   If you have an SPF record, go to step 4. If you don’t, go to step 5.
4. If your domain already has an SPF record, remove it.
5. Create a TXT record with these values:
   - Name/Host/Alias: Enter @ or leave blank. Other DNS records for your domain might indicate the correct entry.
   - Time to Live (TTL): Enter 3600 or leave the default.
   - Value/Answer/Destination: Enter v=spf1 include:_spf.google.com ~all
6. Save the record.
Your new SPF record takes effect within 48 hours, but it can be sooner.
Verify your SPF record
To verify your SPF record, use the G Suite toolbox:
- Go to https://toolbox.googleapps.com/apps/checkmx/.
- Enter your domain name.
- Click Run Checks!
- When the test finishes, click Effective SPF Address Ranges.
- Check the SPF results. The results should include:
  - _netblocks.google.com followed by several IP addresses
  - _netblocks2.google.com followed by several IP addresses
  - _netblocks3.google.com followed by several IP addresses
A domain cannot have more than one SPF record. Instead, update an existing SPF record to include all your mail servers.
For example, if you set up an outbound email gateway, your SPF record includes the Gmail server address and the outbound gateway SMTP server address.
To add a mail server to an existing SPF record, enter the server's IP address before the ~all argument. Use the format ip4:address or ip6:address, as shown in this example:
v=spf1 ip4:172.16.254.1 include:_spf.google.com ~all
To add a mail server’s domain, use an include statement for each domain. For example:
v=spf1 include:serverdomain.com include:_spf.google.com ~all
Maximum DNS lookups and failed SPF checks
SPF supports up to ten DNS lookups. Nested lookups count toward this maximum. If your SPF record has more than ten lookups, the mechanisms after ten are treated as invalid and the SPF check fails.
Learn more about DNS lookup limits in RFC 7208.
These SPF record mechanisms and modifiers count toward the lookup maximum:
These mechanisms and modifiers do not count toward the maximum:
Here are some methods for reducing the number of lookups in your SPF record:
- Avoid unnecessary include statements.
- When possible, substitute the ip4 or ip6 mechanism for include.
- Avoid using the ptr mechanism because it creates a large number of DNS lookups.
- Remove duplicate mechanisms or mechanisms that resolve to the same domain.
- Reference only domains that are actively sending.
- Remove any include statements to SPF records of partners that no longer send mail from your domain.
You can check the lookup limit for your SPF record using third-party tools available for this purpose.
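A static lookup count for the limit described above, written as an added Python example (not Google's code or a third-party tool). The domains and TXT data are constructed, the counted terms come from RFC 7208 section 4.6.4, and the result is a worst case that assumes every term is evaluated.

```python
import re

# Terms that cost one DNS query each (RFC 7208, section 4.6.4).
# all, ip4, ip6 and the exp modifier cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

# Constructed TXT data standing in for DNS answers (hypothetical domains).
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:172.16.254.1 include:_spf.mail.example "
                    "include:gateway.example ~all"],
    "_spf.mail.example": ["v=spf1 include:_nb1.mail.example "
                          "include:_nb2.mail.example include:_nb3.mail.example ~all"],
    "_nb1.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_nb3.mail.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "gateway.example": ["v=spf1 a mx ~all"],
    "bloated.example": ["v=spf1 include:example.com a mx ptr ~all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 ~all", "v=spf1 include:example.com ~all"],
}

def spf_record(domain, txt):
    """Return the domain's single SPF record; reject zero or multiple records."""
    found = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(found)}")
    return found[0]

def count_lookups(domain, txt, chain=()):
    """Worst-case DNS lookups for domain's record, following nested includes."""
    if domain in chain:
        raise ValueError(f"{domain}: include loop")
    total = 0
    for term in spf_record(domain, txt).lower().split()[1:]:
        match = TERM.match(term)
        if not match or match.group(1) not in LOOKUP_TERMS:
            continue  # all, ip4, ip6, exp and unknown modifiers are free
        total += 1  # the term itself costs one lookup
        if match.group(1) in ("include", "redirect") and match.group(2):
            total += count_lookups(match.group(2), txt, chain + (domain,))
    return total

def within_limit(domain, txt=SAMPLE_TXT):
    """True when the record stays at or under the ten-lookup maximum."""
    return count_lookups(domain, txt) <= MAX_LOOKUPS
```

With the constructed data, example.com costs 7 lookups and bloated.example costs 11, and dup.example is rejected because it publishes two SPF records.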
For information about what to include in SPF records, visit Google server IP address ranges for outbound SMTP.