Sender Policy Framework (SPF) is an email authentication method that specifies the mail servers authorized to send email for your domain. SPF helps protect your domain from spoofing, and helps ensure that your messages are delivered correctly. Mail servers that get mail from your domain use SPF to verify that messages that appear to come from your domain actually are from your domain.
- SPF helps prevent spoofing—Spammers can forge your domain or organization to send fake messages that appear to come from your organization. This is called spoofing. Spoofed messages can be used for malicious purposes, for example to communicate false information, to send out harmful software, or to trick people into giving out sensitive information. SPF helps receiving servers verify that mail sent from your domain is actually from your organization, and is sent by a mail server authorized by you.
- SPF helps deliver messages to recipients’ inboxes—SPF helps prevent messages from your domain from being delivered to spam. If your domain doesn’t use SPF, receiving mail servers can’t verify that messages appearing to be from your domain actually are from you. Receiving servers might send valid messages to recipients' spam folders, or might reject valid messages.
Note: If you bought your domain from a Google partner when you signed up for G Suite, you might not need to set up SPF records. Check if SPF is one of the Settings managed by your domain host.
Best practices for email authentication
We recommend you always set up these email authentication methods for your domain:
- SPF helps servers verify that messages appearing to come from a particular domain are sent from servers authorized by the domain owner.
- DKIM adds a digital signature to every message. This lets receiving servers verify that messages aren't forged, and weren't changed during transit.
- DMARC enforces SPF and DKIM authentication, and lets admins get reports about message authentication and delivery.
Before you begin
Read the information in this section before enabling SPF for your organization.
You can search for your domain host online. The Internet Corporation for Assigned Names and Numbers (ICANN) is a nonprofit organization that collects domain information. Use the ICANN Lookup tool to find your domain host.
- Go to lookup.icann.org.
- In the search field, enter your domain name and click Lookup.
- In the results page, scroll down to Registrar Information. The registrar is usually your domain host.
Domain resellers: Some domains are hosted by resellers through a separate registrar. If you can’t sign in with your listed registrar or the registrar field is blank, your domain host may be a reseller.
- In the ICANN Lookup results page, scroll down to the Raw Registry RDAP Response.
- Find the Reseller entry.
- Go to the reseller’s website.
- Sign in with the name and password you used when you purchased (or transferred) your domain.
If you forgot your password, contact the reseller’s support team.
If there's no reseller listed, contact the listed registrar’s support team for help.
Third-party email providers
Valid messages sent by third-party email providers for your domain might not pass SPF checks. If this happens, the receiving server might send messages from third-party providers to spam.
To help ensure messages sent by third-party providers pass SPF:
- Verify your provider’s SPF records.
- Route messages through your domain or network by configuring SMTP relay.
To enable SPF for your domain, update the SPF DNS TXT record in your domain provider's management console. TXT records are a type of Domain Name System (DNS) record that contains text information for servers and other sources outside of your domain. You add these records to your domain settings. Learn more about TXT records.
For detailed steps, go to Enable SPF for your domain.
(Optional) Check your current SPF record
- Go to the G Suite Toolbox.
- Enter your domain name.
- Click Run Checks!
- When the test finishes, click Effective SPF Address Ranges.
- Check the SPF results. They should include:
_netblocks.google.com followed by several IP addresses
_netblocks2.google.com followed by several IP addresses
_netblocks3.google.com followed by several IP addresses
An SPF record defines the mail servers that are allowed to send mail for your domain. A domain can have only one SPF record. However, an SPF record can specify multiple servers and domains that are allowed to send mail for the domain.
If all email from your organization is sent from G Suite, use this SPF record:
v=spf1 include:_spf.google.com ~all
If one or more of these is true, create your own, custom SPF record:
- You send mail from other servers, in addition to G Suite.
- You use a third-party mail provider.
- Your website uses a service that generates automatic emails, for example a "Contact us" form.
IP addresses of all your mail servers
Gather the IP addresses for all servers that send mail for your organization. These servers might include:
- Web servers
- On-premise mail servers, for example Microsoft Exchange
- Mail servers used by your service provider
- Any third-party provider or service that sends email for your domain
All domains controlled by your organization
Identify all the domains controlled by your organization, even domains that don’t send email. Spammers might try to spoof domains that don't send mail, especially after you protect sending domains with SPF.
An SPF record is in the form of a line of plain text that is a list of tags and values. The tags are called mechanisms. Other, optional tags called qualifiers define the action to take when there's a mechanism match.
Here are some example SPF records for common configurations. Replace these example IP addresses and domains with your own addresses and domain names.
Allow any IP address between 192.168.0.1 and 192.168.255.255:
v=spf1 ip4:192.168.0.1/16 -all
If you have a domain that doesn't send mail, use this SPF record to help prevent the domain from being spoofed:
The tags used to create an SPF record are called mechanisms.
Important: An SPF record can have up to 10 lookups. These mechanisms in an SPF record generate a lookup: a, mx, and include. If your SPF record has more than 10 lookups, messages from your domain won’t pass the SPF authentication check by the receiving server. These messages might be sent to spam. Read detailed information in Check the DNS lookups for your SPF record.
Here's a list of mechanisms to use in your SPF record. Mechanisms are checked in the order they occur in the SPF record. If there's a mechanism match and no qualifier is used, the default action is pass SPF.
Note: The addresses and domains in this table are examples. Replace the example values with IP addresses and domains for your own mail servers and organizations.
|Mechanism||Description and allowed values|
|v||SPF version. Must be spf1. This tag is required, and must be the first tag in the record.|
|ip4||Specifies a mail server or servers by IPv4 address or address range. The value must be an IPv4 address in standard format, for example:
|ip6||Specifies a mail server or servers by IPv6 address or address range. The value must be an IPv6 address in standard format, for example:
|a||Specifies a mail server by domain name, for example:
|mx||Specifies one or more mail servers by referring to a domain MX record, for example:
Specifying a domain with this mechanism is optional. If you don’t specify a domain, the default value is the MX records of the domain where the SPF record is used.|
|include||Specifies mail servers of a domain other than your own domain, for example:
Use this mechanism to allow third-party mail senders.|
|all||If used, this must be the last tag in the record. SPF checks ignore any mechanism after all. We recommend using this mechanism with a soft fail qualifier: ~all|
Optional tags called qualifiers define the action to take when there's a match to a mechanism in the SPF record.
Mechanisms are checked in the order they occur in the SPF record. If you don't use qualifiers, the default action is pass SPF. The action defaults to Neutral when there's no mechanism match.
Here's a list of qualifiers that can be used in an SPF record. A qualifier is an optional prefix you can add to any mechanism in the record. Qualifiers specify the action to take when there's a match with a mechanism value.
We recommend using ~all in your SPF record.
|+||Pass. The server with matching IP address or domain is allowed to send for the domain. Pass is the default when no qualifier is used.|
|-||Fail. The server with matching IP address or domain is not allowed to send for the domain. The SPF record doesn’t include the sending server IP address or domain.|
|~||Soft fail. The server with matching IP or domain address might be allowed to send for the domain. The receiving server will usually accept messages and mark them as suspicious.|
|?||Neutral. The SPF record doesn’t explicitly state that the IP address or domain is allowed to send for the domain. SPF records with neutral results often include ?all.|
Enable SPF at your domain provider.
- The field names in Step 4 below might be different for your provider. DNS TXT record field names can vary slightly from provider to provider.
- If your organization or domain sends all email from G Suite, use the SPF record value shown in Step 4 below. If you created a different SPF record, enter that value instead.
To enable SPF, update the SPF DNS TXT record at your domain provider.
- Get the text file or line that defines your SPF record.
- Sign in to the management console for your domain host. If you’re not sure who your domain host is, follow the steps in Find your domain host.
- Locate the page where you update DNS TXT records.
- Add a new SPF DNS TXT record for your G Suite mail servers:
|Name/Host/Alias||Time to Live (TTL)||DNS TXT Record Type||Priority||Value/Answer/Destination|
|@ (or leave empty)||3600||SPF||1||v=spf1 include:_spf.google.com ~all|
- Save your changes. It can take up to 48 hours for SPF to begin protecting your domain from spoofing and ensuring mail delivery.
- (Optional) Repeat these steps for every domain you manage for your organization.
Add a new mail server or domain to your SPF records
Update your SPF record at your domain provider every time you:
- Add new mail servers to your organization
- Start using new third-party senders
If you don’t update your SPF record with new server or sender information, messages sent from new servers or senders might be sent to spam.
First, update your SPF record with new servers or domains by following the instructions in Step 1: Create your SPF record. Then, update your SPF record at your domain provider by following the instructions in Step 2: Enable SPF for your domain.
Troubleshooting SPF records
If messages sent from your domain are still sent to spam, even after enabling SPF, try these troubleshooting recommendations.
Verify messages pass SPF
An SPF record is limited to 10 lookups, so it can’t include more than 10 references to other domains. If your SPF record has more than 10 lookups, messages from your domain won’t pass the receiving server's SPF check. The messages might be sent to spam.
Every instance of these tags in the SPF record generates a lookup: a, mx, include, ptr. Nested lookups count toward the limit of 10. So, if a domain referenced in an include tag has domain references in their SPF record, those domains are counted toward your limit.
If messages are still sent to spam, check the number of lookups for your SPF record with the Check MX feature in the G Suite Toolbox.
To reduce the number of lookups in your SPF record:
- Don’t use include tags unless necessary.
- When possible, use the ip4 or ip6 tag, instead of include.
- Remove duplicate tags or tags that reference the same domain.
- Reference only domains that are actively sending for your organization. Remove any include statements for partners that no longer send mail for your domain.
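A way to count lookups against the limit of 10, including nested includes, shown as an added example that is not code from this page or from Google. The `ZONE` dictionary is constructed sample data with hypothetical domain names standing in for DNS answers, and `count_lookups` and `exceeds_limit` are hypothetical helper names.

```python
import re

# Constructed sample data: domain -> published SPF TXT record. All names are
# hypothetical and stand in for real DNS answers so the example runs offline.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example ~all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.example": "v=spf1 a mx ~all",
    "_spf.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Mechanisms the page lists as generating a DNS lookup. (RFC 7208 also counts
# the exists mechanism and the redirect modifier; they are not modeled here.)
LOOKUP_MECHANISMS = {"a", "mx", "include", "ptr"}
LOOKUP_LIMIT = 10


def count_lookups(domain, zone, path=frozenset()):
    """Count lookups for domain's SPF record, following nested includes."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip the v=spf1 tag
        term = term.lstrip("+-~?")  # drop the optional qualifier
        # "a/24" and "mx:host" are still a and mx, so cut at either separator.
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":
            # The included domain's own lookups count toward the same limit.
            target = term.partition(":")[2]
            total += count_lookups(target, zone, path | {domain})
    return total


def exceeds_limit(domain, zone):
    """True when the record would fail the receiving server's lookup check."""
    return count_lookups(domain, zone) > LOOKUP_LIMIT


if __name__ == "__main__":
    print("example.com lookups:", count_lookups("example.com", ZONE))
```

Replacing an include with the sender's literal ip4 or ip6 ranges removes that include's lookup and every lookup nested beneath it.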