Using Sender Policy Framework (SPF), you can protect your domain from spoofing and help ensure that your messages are delivered correctly. You use SPF to authenticate email and specify the mail servers authorized to send email for your domain. Mail servers use SPF to verify that messages that appear to come from your domain actually are from your domain.
Reasons to use SPF
Note: If you bought your domain from a Google partner when you signed up for Google Workspace, you might not need to set up SPF records. Check to verify that SPF is one of the Settings managed by your domain host.
Prevent spoofing
Before you begin
Enable SPF in the management console for your domain provider, not in your Google Admin console. If you're not sure who your domain provider is, follow these steps.
Step 1: Find your domain provider
You can search for your domain host online. The Internet Corporation for Assigned Names and Numbers (ICANN) is a nonprofit organization that collects domain information. Use the ICANN Lookup tool to find your domain host.
- Go to lookup.icann.org.
- In the search field, enter your domain name and click Lookup.
- In the results page, scroll down to Registrar Information. The registrar is usually your domain host.
Domain resellers: Some domains are hosted by resellers through a separate registrar. If you can’t sign in with your listed registrar or the registrar field is blank, your domain host may be a reseller.
- In the ICANN Lookup results page, scroll down to the Raw Registry RDAP Response.
- Find the Reseller entry.
- Go to the reseller’s website.
- Sign in with the name and password you used when you purchased (or transferred) your domain.
If you forgot your password, contact the reseller’s support team.
If there's no reseller listed, contact the listed registrar’s support team for help.
Valid messages sent by third-party email providers for your domain might not pass SPF checks. The receiving server might send these messages to spam. To help ensure that they pass SPF:
- Verify your provider’s SPF records.
- Route messages through your domain or network by configuring SMTP relay.
A TXT record is a type of Domain Name System (DNS) record that has text information for servers and other sources outside of your domain. You might already have a TXT record set up for SPF with your domain provider. To check, use the Check MX feature in the Google Admin Toolbox:
- Go to the Google Admin Toolbox.
- Enter your domain name.
- Click Run Checks!
- When the test finishes, click Effective SPF Address Ranges.
- Check the SPF results. They should include:
_netblocks.google.com followed by several IP addresses
_netblocks2.google.com followed by several IP addresses
_netblocks3.google.com followed by several IP addresses
A TXT record for SPF defines the mail servers that are allowed to send mail for your domain. A single domain can have only one TXT record for SPF. However, the TXT record for a domain can specify multiple servers and domains that are allowed to send mail for the domain.
Open a TXT file and enter the TXT record contents, according to the following guidelines.
TXT record contents
If all email from your organization is sent from Google Workspace, use this line of text for your TXT record:
v=spf1 include:_spf.google.com ~all
Create a custom TXT record for SPF if you send mail in one or more of these ways in addition to Google Workspace:
- You send mail from other servers.
- You use a third-party mail provider.
- Your website uses a service that generates automatic emails, such as a Contact us form.
v=spf1 ip4:192.168.0.1/16 include:_spf.google.com include:sparkpostmail.com ~all
Identify the IP addresses of all your mail servers
These servers might include:
- Web servers
- On-premise mail servers, for example Microsoft Exchange
- Mail servers used by your service provider
- Any third-party provider or service that sends email for your domain
Identify all domains controlled by your organization
Include domains that don’t send email. Spammers might try to spoof domains that don't send mail, especially after you protect sending domains with SPF.
A TXT record is a line of plain text that includes a list of tags and values. The tags are called mechanisms. Other, optional tags called qualifiers define the action to take when there's a mechanism match.
Example TXT records for SPF
Here are some example TXT records for SPF. Replace example IP addresses and domains with your own addresses and domain names.
v=spf1 ip4:192.168.0.1/16 -all
Important: An SPF TXT record can have up to 10 lookups. These mechanisms in the TXT record generate a lookup: a, mx, and include. If your TXT record has more than 10 lookups, messages from your domain won’t pass the SPF authentication check by the receiving server. These messages might be sent to spam. Read details below in Check the DNS lookups for your TXT record.
Here's a list of mechanisms to use in your TXT record. Mechanisms are checked in the order in which they occur in the TXT record. If there's a mechanism match and no qualifier is used, the default action is Pass.
Note: The addresses and domains in this table are examples. Replace the example values with IP addresses and domains for your own mail servers and organizations.
|Mechanism||Description and allowed values|
|v||SPF version. Must be spf1. This tag is required, and must be the first tag in the record.|
|ip4||Specifies a mail server or servers by IPv4 address or address range. The value must be an IPv4 address in standard format, for example:|
|ip6||Specifies a mail server or servers by IPv6 address or address range. The value must be an IPv6 address in standard format, for example:|
|a||Specifies a mail server by domain name, for example:|
|mx||Specifies one or more mail servers by referring to a domain MX record, for example: Specifying a domain with this mechanism is optional. If you don’t specify a domain, the default value is the MX records of the domain where the SPF record is used.|
|include||Specifies mail servers of a domain other than your own domain, for example: Use this mechanism to allow third-party mail senders.|
|all||If you use all, it must be the last tag in the record. SPF checks ignore any mechanism after all. We recommend using this mechanism with a soft fail qualifier: ~all|
Optional tags called qualifiers define the action to take when there's a match to a mechanism in the SPF TXT record.
Mechanisms are checked in the order in which they occur in the TXT record. If you don't use qualifiers, the default action is Pass. The action defaults to Neutral when there's no mechanism match.
Here's a list of qualifiers that can be used in a TXT record. A qualifier is an optional prefix you can add to any mechanism in the record. Qualifiers specify the action to take when there's a match with a mechanism value.
We recommend using ~all in your TXT record for SPF.
|+||Pass. The server with matching IP address or domain is allowed to send for the domain. Pass is the default when no qualifier is used.|
|-||Fail. The server with matching IP address or domain is not allowed to send for the domain. The SPF record doesn’t include the sending server IP address or domain.|
|~||Soft fail. The server with matching IP or domain address might be allowed to send for the domain. The receiving server will usually accept messages and mark them as suspicious.|
|?||Neutral. The SPF record doesn’t explicitly state that the IP address or domain is allowed to send for the domain. SPF records with neutral results often include ?all.|
For more information about creating TXT records, go to TXT record values.
Important: If you don’t update your TXT record with new server or sender information, messages sent from new servers or senders might be sent to spam. Learn more About TXT records.
Enable SPF at your domain provider by adding a DNS TXT record for SPF.
- The field names in step 3 below might be different for your provider. DNS TXT record field names can vary slightly from provider to provider.
- If your organization or domain sends all email from Google Workspace, use the TXT record value shown in step 3 below. If you created a different TXT record, enter that value instead.
To enable SPF:
- Sign in to the management console for your domain host.
- Locate the page where you update TXT records for your domain.
- Using the text file or line of text that defines your TXT record, create a DNS record for your Google Workspace mail servers with the following values:
Value: v=spf1 include:_spf.google.com ~all
TTL: 1 hour (or 3600 seconds)
Add a new mail server or domain to your SPF records
To enable SPF for your domain, update your TXT record for SPF at your domain provider's management console every time that you:
- Add new mail servers to your organization.
- Start using new third-party senders.
Follow other best practices for email authentication
Also consider setting up these email authentication methods for your domain. For detailed steps, go to Help prevent spoofing, phishing, and spam.
DKIM
Troubleshoot SPF records
If messages sent from your domain are still sent to spam, even after enabling SPF, try these troubleshooting recommendations.
Step 1: Verify messages pass SPF
- Ask someone who received a message from your domain to open the message and view the email’s full headers.
- If the header shows that SPF failed, check your SPF record for errors.
- Make sure the record includes references to all servers and domains that send mail for your organization.
TXT records for SPF are limited to 10 lookups. So, your TXT record for SPF can’t include more than 10 references to other domains.
- If your TXT record has more than 10 lookups, messages from your domain won’t pass the receiving server's SPF check.
- The messages might be sent to spam.
- Every instance of these tags in the TXT record generates a lookup: a, mx, include, ptr.
- Nested lookups count toward the limit of 10. So, if a domain referenced in an include tag has domain references in its TXT record for SPF, those domains are counted toward your limit.
Tip: If messages are still sent to spam, check the number of lookups for your TXT record with the Check MX feature in the Google Admin Toolbox.
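To see how nested lookups add up, here is an added example (not part of the original page or any Google tool) that counts lookups for a record, following include references recursively. The zone data, domain names and function names are constructed for illustration, and only the tags listed above (a, mx, include, ptr) are counted.

```python
LOOKUP_TAGS = {"a", "mx", "include", "ptr"}  # tags the page lists as lookups
LIMIT = 10

# Constructed sample zone (domain -> SPF TXT record). Not real DNS data.
SAMPLE_ZONE = {
    "example.com":
        "v=spf1 mx include:_spf.mailer.example include:_spf.crm.example ~all",
    "bloated.example":
        "v=spf1 a mx include:_spf.mailer.example include:_spf.crm.example "
        "include:_spf.mailer.example ~all",  # duplicate include on purpose
    "_spf.mailer.example":
        "v=spf1 include:a.mailer.example include:b.mailer.example ~all",
    "a.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "b.mailer.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_spf.crm.example": "v=spf1 a mx ip4:192.0.2.0/24 ~all",
}


def count_lookups(domain, zone, path=()):
    """Count lookups for domain's SPF record, including nested includes."""
    if domain in path:
        chain = " -> ".join(path + (domain,))
        raise ValueError(f"include loop: {chain}")
    record = zone.get(domain)
    if record is None:
        return 0  # no SPF record in the sample zone; nothing more to count

    total = 0
    for term in record.split()[1:]:       # skip the v=spf1 tag
        term = term.lstrip("+-~?")        # drop an optional qualifier
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower() # "a/24" counts as the a tag
        if name in LOOKUP_TAGS:
            total += 1
            if name == "include":
                # lookups inside the included record count toward the limit
                total += count_lookups(value, zone, path + (domain,))
    return total


def within_limit(domain, zone):
    """True when the record stays at or under the 10-lookup limit."""
    return count_lookups(domain, zone) <= LIMIT
```

In the sample zone, example.com uses 7 lookups, while bloated.example reaches 11 because the duplicated include repeats its nested lookups.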
To reduce the number of lookups in your TXT record:
- Don’t use include tags unless necessary.
- When possible, use the ip4 or ip6 tag, instead of include.
- Remove duplicate tags or tags that reference the same domain.
- Reference only domains that are actively sending email. Remove any include statements for partners that no longer send mail for your domain.