Ensure mail delivery & prevent spoofing (SPF)

Protect against forged emails & make sure messages aren't marked as spam

Using Sender Policy Framework (SPF), you can protect your domain from spoofing and help ensure that your messages are delivered correctly. You use SPF to authenticate email and specify the mail servers authorized to send email for your domain. Mail servers use SPF to verify that messages that appear to come from your domain actually are from your domain.


Reasons to use SPF

Note: If you bought your domain from a Google partner when you signed up for Google Workspace, you might not need to set up SPF records. Check to verify that SPF is one of the Settings managed by your domain host.

Prevent spoofing
Spammers can forge your domain or organization to send fake messages that appear to come from your organization. This is called spoofing. Spoofed messages can be used for malicious purposes, for example to communicate false information, send out harmful software, or trick people into giving out sensitive information. SPF helps receiving servers verify that mail sent from your domain is actually from your organization and sent by a mail server you authorized.
Help deliver messages to recipients’ inboxes
SPF helps prevent messages from your domain from being delivered to spam or junk mail folders. If your domain doesn’t use SPF, receiving mail servers can’t verify that messages appearing to be from your domain actually are from you. Receiving servers might send valid messages to recipients' spam folders or reject valid messages.

Before you begin

Enable SPF in the management console for your domain provider, not in your Google Admin console. If you're not sure who your domain provider is, follow these steps.

Step 1: Find your domain provider

You can search for your domain host online. The Internet Corporation for Assigned Names and Numbers (ICANN) is a nonprofit organization that collects domain information. Use the ICANN Lookup tool to find your domain host.

  1. Go to lookup.icann.org.
  2. In the search field, enter your domain name and click Lookup.
  3. In the results page, scroll down to Registrar Information. The registrar is usually your domain host.

Domain resellers: Some domains are hosted by resellers through a separate registrar. If you can’t sign in with your listed registrar or the registrar field is blank, your domain host may be a reseller.

  1. In the ICANN Lookup results page, scroll down to the Raw Registry RDAP Response.
  2. Find the Reseller entry.
  3. Go to the reseller’s website.
  4. Sign in with the name and password you used when you purchased (or transferred) your domain.
    If you forgot your password, contact the reseller’s support team.

If there's no reseller listed, contact the listed registrar’s support team for help.

Step 2: Ensure third-party email provider messages pass SPF check

Valid messages sent by third-party email providers for your domain might not pass SPF checks. The receiving server might send these messages to spam. To help ensure that they pass SPF:

  • Verify your provider’s SPF records.
  • Route messages through your domain or network by configuring SMTP relay.

Step 3: (Optional) Check your current TXT record for SPF

A TXT record is a type of Domain Name System (DNS) record that has text information for servers and other sources outside of your domain. You might already have a TXT record set up for SPF with your domain provider. To check, use the Check MX feature in the Google Admin Toolbox:

  1. Go to the Google Admin Toolbox.
  2. Enter your domain name.
  3. Click Run Checks!
  4. When the test finishes, click Effective SPF Address Ranges.
  5. Check the SPF results. They should include:
    [your-domain-name-here.com]
    _spf.google.com
    _netblocks.google.com followed by several IP addresses
    _netblocks2.google.com followed by several IP addresses
    _netblocks3.google.com followed by several IP addresses

Step 1: Create your TXT record for SPF

A TXT record for SPF defines the mail servers that are allowed to send mail for your domain. A single domain can have only one TXT record for SPF. However, the TXT record for a domain can specify multiple servers and domains that are allowed to send mail for the domain.

Open a text file and enter the TXT record contents, according to the following guidelines.

TXT record contents

If all email from your organization is sent from Google Workspace, use this line of text for your TXT record:

v=spf1 include:_spf.google.com ~all

Create a custom TXT record for SPF if you send mail in one or more of these ways in addition to Google Workspace:

  • You send mail from other servers.
  • You use a third-party mail provider.
  • Your website uses a service that generates automatic emails, such as a Contact us form.

For example:

v=spf1 ip4:192.168.0.1/16 include:_spf.google.com include:sparkpostmail.com ~all

This TXT record for SPF authorizes Google Workspace, the specified IP addresses, and the third-party service SparkPost to send email for your domain.

Create your TXT record using the information in Server information required for your TXT record and TXT record format (below).

Server information required for your TXT record

Your TXT record for SPF must include information about your mail servers.

Identify the IP addresses of all your mail servers

These servers might include:

  • Web servers
  • On-premise mail servers, for example Microsoft Exchange
  • Mail servers used by your service provider
  • Any third-party provider or service that sends email for your domain

Identify all domains controlled by your organization

Include domains that don’t send email. Spammers might try to spoof domains that don't send mail, especially after you protect sending domains with SPF.

TXT record format

A TXT record is a line of plain text that includes a list of tags and values. The tags are called mechanisms. Other, optional tags called qualifiers define the action to take when there's a mechanism match.

Example TXT records for SPF

Here are some example TXT records for SPF. Replace example IP addresses and domains with your own addresses and domain names.

v=spf1 ip4:192.168.0.1/16 -all

This TXT record authorizes any IP address between 192.168.0.1 and 192.168.255.255 to send mail for your domain.

v=spf1 ~all

This TXT record prevents spoofing of your domains that don't send mail.

TXT record mechanisms for SPF

Important: An SPF TXT record can have up to 10 lookups. These mechanisms in the TXT record generate a lookup: a, mx, and include. If your TXT record has more than 10 lookups, messages from your domain won’t pass the SPF authentication check by the receiving server. These messages might be sent to spam. Read details below in Check the DNS lookups for your TXT record.

Here's a list of mechanisms to use in your TXT record. Mechanisms are checked in the order in which they occur in the TXT record. If there's a mechanism match and no qualifier is used, the default action is Pass.

Note: The addresses and domains in this table are examples. Replace the example values with IP addresses and domains for your own mail servers and organizations.

Mechanism    Description and allowed values

v
    SPF version. Must be spf1. This tag is required, and must be the first tag in the record.

ip4
    Specifies a mail server or servers by IPv4 address or address range. The value must be an IPv4 address in standard format, for example:
    ip4:192.168.0.1

ip6
    Specifies a mail server or servers by IPv6 address or address range. The value must be an IPv6 address in standard format, for example:
    ip6:3FFE:0000:0000:0001:0200:F8FF:FE75:50DF

a
    Specifies a mail server by domain name, for example:
    a:solarmora.com

mx
    Specifies one or more mail servers by referring to a domain MX record, for example:
    mx:mail.solarmora.com
    Specifying a domain with this mechanism is optional. If you don’t specify a domain, the default value is the MX records of the domain where the SPF record is used.

include
    Specifies mail servers of a domain other than your own domain, for example:
    include:sparkpostmail.com
    Use this mechanism to allow third-party mail senders.

all
    If you use all, it must be the last tag in the record. SPF checks ignore any mechanism after all. We recommend using this mechanism with a soft fail qualifier: ~all

TXT record qualifiers for SPF

Optional tags called qualifiers define the action to take when there's a match to a mechanism in the SPF TXT record.

Mechanisms are checked in the order in which they occur in the TXT record. If you don't use qualifiers, the default action is Pass. The action defaults to Neutral when there's no mechanism match.

Here's a list of qualifiers that can be used in a TXT record. A qualifier is an optional prefix you can add to any mechanism in the record. Qualifiers specify the action to take when there's a match with a mechanism value.

We recommend using ~all in your TXT record for SPF.

Qualifier Description
+ Pass. The server with matching IP address or domain is allowed to send for the domain. Pass is the default when no qualifier is used.
- Fail. The server with matching IP address or domain is not allowed to send for the domain. The SPF record doesn’t include the sending server IP address or domain.
~ Soft fail. The server with matching IP or domain address might be allowed to send for the domain. The receiving server will usually accept messages and mark them as suspicious.
? Neutral. The SPF record doesn’t explicitly state that the IP address or domain is allowed to send for the domain. SPF records with neutral results often include ?all.

For more information about creating TXT records, go to TXT record values.
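The evaluation order and qualifier actions described above can be traced with a short script. This is an added example, not Google's code: it handles only the ip4, ip6 and all mechanisms (those that need no DNS), and the function names and the sender addresses are constructed for illustration.

```python
import ipaddress

# Qualifier prefix -> result. "+" (pass) applies when a mechanism has no prefix.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("v=spf1 must be the first tag in the record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def evaluate(record, sender_ip):
    """Return the SPF result for sender_ip: pass, fail, softfail or neutral."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]  # terminates; later tags are ignored
        if name in ("ip4", "ip6"):
            # strict=False accepts ranges written with host bits set,
            # such as 192.168.0.1/16 in the page's example.
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            # a, mx and include need DNS and are outside this example.
            raise NotImplementedError(f"mechanism needs DNS: {name}")
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    # Constructed sender addresses checked against the page's example records.
    for rec, ip in [("v=spf1 ip4:192.168.0.1/16 -all", "192.168.44.7"),
                    ("v=spf1 ip4:192.168.0.1/16 -all", "203.0.113.9"),
                    ("v=spf1 ~all", "203.0.113.9")]:
        print(rec, ip, evaluate(rec, ip))
```
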

Step 2. Enable SPF for your domain

Important: If you don’t update your TXT record with new server or sender information, messages sent from new servers or senders might be sent to spam. Learn more About TXT records.

Enable SPF at your domain provider by adding a DNS TXT record for SPF.

  • The field names in step 3 below might be different for your provider. DNS TXT record field names can vary slightly from provider to provider.
  • If your organization or domain sends all email from Google Workspace, use the TXT record value shown in step 3 below. If you created a different TXT record, enter that value instead.

To enable SPF:

  1. Sign in to the management console for your domain host. 
  2. Locate the page where you update TXT records for your domain.
  3. Using the text file or line of text that defines your TXT record, create a DNS record for your Google Workspace mail servers with the following values:

    Type: TXT
    Host: @
    Value: v=spf1 include:_spf.google.com ~all
    TTL: 1 hour (or 3600 seconds)

Add a new mail server or domain to your SPF records

To enable SPF for your domain, update your TXT record for SPF at your domain provider's management console every time that you:

  • Add new mail servers to your organization.
  • Start using new third-party senders.

To do so, repeat steps 1 and 2, above (Create your TXT record for SPF and Enable SPF for your domain).

Follow other best practices for email authentication

Also consider setting up these email authentication methods for your domain. For detailed steps, go to Help prevent spoofing, phishing, and spam.

DKIM
DomainKeys Identified Mail (DKIM) helps prevent spoofing on outgoing messages sent from your domain. DKIM adds a digital signature to every message, enabling receiving servers to verify that messages aren't forged and weren't changed during transit.
DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC) enforces SPF and DKIM authentication and lets you get reports about message authentication and delivery.

Troubleshoot SPF records

If messages sent from your domain are still sent to spam, even after enabling SPF, try these troubleshooting recommendations.

Step 1: Verify messages pass SPF

To verify that your SPF record is working as expected and messages from your domain pass SPF, check a message sent from your domain.

  1. Ask someone who received a message from your domain to open the message and view the email’s full headers.
  2. If the header shows that SPF failed, check your SPF record for errors.
  3. Make sure the record includes references to all servers and domains that send mail for your organization.
    1. Review Step 1. Create your TXT record for SPF above.
    2. Make any required changes to your TXT record.
    3. Update the record at your domain host by following the steps under Step 2. Enable SPF for your domain above.

Step 2: Check the DNS lookups for your TXT record

TXT records for SPF are limited to 10 lookups. So, your TXT record for SPF can’t include more than 10 references to other domains.

  • If your TXT record has more than 10 lookups, messages from your domain won’t pass the receiving server's SPF check.
  • The messages might be sent to spam.
  • Every instance of these tags in the TXT record generates a lookup: a, mx, include, ptr.
  • Nested lookups count toward the limit of 10. So, if a domain referenced in an include tag has domain references in its TXT record for SPF, those domains are counted toward your limit.

Tip: If messages are still sent to spam, check the number of lookups for your TXT record with the Check MX feature in the Google Admin Toolbox.

To reduce the number of lookups in your TXT record:

  • Don’t use include tags unless necessary.
  • When possible, use the ip4 or ip6 tag, instead of include.
  • Remove duplicate tags or tags that reference the same domain.
  • Reference only domains that are actively sending email. Remove any include statements for partners that no longer send mail for your domain.
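To see how nested include references add up against the limit of 10, the following added example (not Google's code) counts lookups over a small in-memory table of SPF records. The domains, records and function names are constructed for illustration; a real check would fetch each TXT record from DNS.

```python
# Constructed sample data: SPF TXT values keyed by domain, standing in for DNS.
SAMPLE_ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example "
                   "mx a:web.example.com ~all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example "
                         "include:_nb2.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
}

# Mechanisms the page lists as generating a lookup. RFC 7208 also counts
# "exists" and the "redirect" modifier, which this example does not handle.
LOOKUP_MECHANISMS = {"a", "mx", "include", "ptr"}
LOOKUP_LIMIT = 10


def count_lookups(domain, zone, path=()):
    """Return the number of DNS lookups needed to evaluate domain's SPF
    record, following include references recursively."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise LookupError(f"no SPF record found for {domain}")
    total = 0
    for term in terms[1:]:
        if term[0] in "+-~?":
            term = term[1:]  # drop the qualifier prefix
        name, _, value = term.partition(":")
        name = name.partition("/")[0].lower()  # "mx/24" -> "mx"
        if name == "all":
            break  # SPF checks ignore anything after "all"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(value.lower(), zone, path + (domain,))
    return total


def within_limit(domain, zone):
    """Return (lookup_count, True if the record stays within the limit)."""
    n = count_lookups(domain, zone)
    return n, n <= LOOKUP_LIMIT


if __name__ == "__main__":
    print(within_limit("example.com", SAMPLE_ZONE))
```
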

