Sender Policy Framework (SPF) is an email authentication method that specifies the mail servers authorized to send email for your domain. SPF helps protect your domain from spoofing, and helps ensure that your messages are delivered correctly. Mail servers that get mail from your domain use SPF to verify that messages that appear to come from your domain actually are from your domain.
- SPF helps prevent spoofing—Spammers can forge your domain or organization to send fake messages that appear to come from your organization. This is called spoofing. Spoofed messages can be used for malicious purposes, for example to communicate false information, to send out harmful software, or to trick people into giving out sensitive information. SPF helps receiving servers verify that mail sent from your domain is actually from your organization, and is sent by a mail server authorized by you.
- SPF helps deliver messages to recipients’ inboxes—SPF helps prevent messages from your domain from being delivered to spam. If your domain doesn’t use SPF, receiving mail servers can’t verify that messages appearing to be from your domain actually are from you. Receiving servers might send valid messages to recipients' spam folders, or might reject valid messages.
Note: If you bought your domain from a Google partner when you signed up for Google Workspace, you might not need to set up SPF records. Check if SPF is one of the Settings managed by your domain host.
Best practices for email authentication
We recommend you always set up these email authentication methods for your domain:
- SPF helps servers verify that messages appearing to come from a particular domain are sent from servers authorized by the domain owner.
- DKIM adds a digital signature to every message. This lets receiving servers verify that messages aren't forged, and weren't changed during transit.
- DMARC enforces SPF and DKIM authentication, and lets admins get reports about message authentication and delivery.
Before you begin
Read the information in this section before enabling SPF for your organization.
You can search for your domain host online. The Internet Corporation for Assigned Names and Numbers (ICANN) is a nonprofit organization that collects domain information. Use the ICANN Lookup tool to find your domain host.
- Go to lookup.icann.org.
- In the search field, enter your domain name and click Lookup.
- In the results page, scroll down to Registrar Information. The registrar is usually your domain host.
Domain resellers: Some domains are hosted by resellers through a separate registrar. If you can’t sign in with your listed registrar or the registrar field is blank, your domain host may be a reseller.
- In the ICANN Lookup results page, scroll down to the Raw Registry RDAP Response.
- Find the Reseller entry.
- Go to the reseller’s website.
- Sign in with the name and password you used when you purchased (or transferred) your domain.
If you forgot your password, contact the reseller’s support team.
If there's no reseller listed, contact the listed registrar’s support team for help.
Third-party email providers
Valid messages sent by third-party email providers for your domain might not pass SPF checks. If this happens, the receiving server might send messages from third-party providers to spam.
To help ensure messages sent by third-party providers pass SPF:
- Verify your provider’s SPF records.
- Route messages through your domain or network by configuring SMTP relay.
To enable SPF for your domain, update the TXT record for SPF in your domain provider's management console.
TXT records are a type of Domain Name System (DNS) record that have text information for servers and other sources outside of your domain. Learn more About TXT records.
For detailed steps, go to Enable SPF for your domain.
(Optional) Check your current TXT record for SPF
You might already have a TXT record set up for SPF with your domain provider. To check, use the Check MX feature in the Google Admin Toolbox:
- Go to the Google Admin Toolbox.
- Enter your domain name.
- Click Run Checks!
- When the test finishes, click Effective SPF Address Ranges.
- Check the SPF results. They should include:
_netblocks.google.com followed by several IP addresses
_netblocks2.google.com followed by several IP addresses
_netblocks3.google.com followed by several IP addresses
A TXT record for SPF defines the mail servers that are allowed to send mail for your domain.
A single domain can have only one TXT record for SPF. However, the TXT record for a domain can specify multiple servers and domains that are allowed to send mail for the domain.
TXT record contents
If all email from your organization is sent from Google Workspace, use this line of text for your TXT record:
v=spf1 include:_spf.google.com ~all
Important: If you send mail in one or more of these ways in addition to Google Workspace, you must create a custom TXT record for SPF:
- You send mail from other servers.
- You use a third-party mail provider.
- Your website uses a service that generates automatic emails, for example you have a "Contact us" form.
v=spf1 ip4:192.168.0.1/16 include:_spf.google.com include:sparkpostmail.com ~all
IP addresses of all your mail servers
Identify the IP addresses for all servers that send mail for your organization. These servers might include:
- Web servers
- On-premise mail servers, for example Microsoft Exchange
- Mail servers used by your service provider
- Any third-party provider or service that sends email for your domain
All domains controlled by your organization
Identify all the domains controlled by your organization, even domains that don’t send email. Spammers might try to spoof domains that don't send mail, especially after you protect sending domains with SPF.
A TXT record for SPF is a line of plain text that contains a list of tags and values. The tags are called mechanisms. Other, optional tags called qualifiers define the action to take when there's a mechanism match.
Here are some example TXT records for SPF. Replace example IP addresses and domains with your own addresses and domain names.
v=spf1 ip4:192.168.0.1/16 -all
The tags used to create a TXT record for SPF are called mechanisms.
Important: An SPF TXT record can have up to 10 lookups. These mechanisms in the TXT record generate a lookup: a, mx, and include. If your TXT record has more than 10 lookups, messages from your domain won’t pass the SPF authentication check by the receiving server. These messages might be sent to spam. Read details in Check the DNS lookups for your SPF record.
Here's a list of mechanisms to use in your TXT record. Mechanisms are checked in the order they occur in the TXT record. If there's a mechanism match and no qualifier is used, the default action is pass SPF.
Note: The addresses and domains in this table are examples. Replace the example values with IP addresses and domains for your own mail servers and organizations.
|Mechanism||Description and allowed values|
|v||SPF version. Must be spf1. This tag is required, and must be the first tag in the record.|
|ip4||Specifies a mail server or servers by IPv4 address or address range. The value must be an IPv4 address in standard format, for example:
|ip6||Specifies a mail server or servers by IPv6 address or address range. The value must be an IPv6 address in standard format, for example:
|a||Specifies a mail server by domain name, for example:
|mx||Specifies one or more mail servers by referring to a domain MX record, for example:
Specifying a domain with this mechanism is optional. If you don’t specify a domain, the default value is the MX records of the domain where the SPF record is used.
|include||Specifies mail servers of a domain other than your own domain, for example:
Use this mechanism to allow third-party mail senders.
|all||If used, this must be the last tag in the record. SPF checks ignore any mechanism after all. We recommend using this mechanism with a soft fail qualifier: ~all|
Optional tags called qualifiers define the action to take when there's a match to a mechanism in the SPF TXT record.
Mechanisms are checked in the order they occur in the TXT record. If you don't use qualifiers, the default action is pass SPF. The action defaults to Neutral when there's no mechanism match.
Here's a list of qualifiers that can be used in a TXT record. A qualifier is an optional prefix you can add to any mechanism in the record. Qualifiers specify the action to take when there's a match with a mechanism value.
We recommend using ~all in your TXT record for SPF.
|+||Pass. The server with matching IP address or domain is allowed to send for the domain. Pass is the default when no qualifier is used.|
|-||Fail. The server with matching IP address or domain is not allowed to send for the domain. The SPF record doesn’t include the sending server IP address or domain.|
|~||Soft fail. The server with matching IP or domain address might be allowed to send for the domain. The receiving server will usually accept messages and mark them as suspicious.|
|?||Neutral. The SPF record doesn’t explicitly state that the IP address or domain is allowed to send for the domain. SPF records with neutral results often include ?all.|
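The ordered matching and qualifier rules above can be checked against a record before you publish it. The following Python sketch is an added example, not Google's code or any receiving server's implementation. It evaluates only ip4, ip6 and all; skipping a, mx and include, and returning "none" for a record that doesn't start with v=spf1, are assumptions made to keep it offline.

```python
import ipaddress

# Qualifier prefix -> SPF result, as listed in the qualifier table above.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip against one TXT record.

    Assumption: only ip4, ip6 and all are evaluated. a, mx and include
    need DNS lookups and are skipped so the example runs offline.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # v=spf1 must be the first tag in the record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:  # mechanisms are checked in the order they occur
        qualifier = "+"  # no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            # all matches every sender, so anything after it is ignored.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # strict=False accepts ranges written with host bits set,
            # such as the page's 192.168.0.1/16 example.
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    record = "v=spf1 ip4:192.168.0.1/16 -all"  # example record from this page
    for sender in ("192.168.5.10", "203.0.113.7"):  # constructed sender IPs
        print(sender, evaluate_spf(record, sender))
```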
Enable SPF at your domain provider by adding a DNS TXT record for SPF.
- The field names in Step 4 below might be different for your provider. DNS TXT record field names can vary slightly from provider to provider.
- If your organization or domain sends all email from Google Workspace, use the TXT record value shown in Step 4 below. If you created a different TXT record, enter that value instead.
To enable SPF, update the DNS TXT record for SPF at your domain provider.
- Get the text file or line of text that defines your TXT record.
- Sign in to the management console for your domain host. If you’re not sure who your domain host is, follow the steps in Find your domain provider.
- Locate the page where you update TXT records for your domain.
- Add a new TXT record for your Google Workspace mail servers:
Add a new mail server or domain to your SPF records
Update your TXT record for SPF at your domain provider every time you:
- Add new mail servers to your organization
- Start using new third-party senders
If you don’t update your TXT record with new server or sender information, messages sent from new servers or senders might be sent to spam.
First, update your TXT record with new servers or domains by following the instructions in Step 1: Create your SPF record for SPF. Then, update your SPF record at your domain provider by following the instructions in Step 2. Enable SPF for your domain.
Troubleshooting SPF records
If messages sent from your domain are still sent to spam, even after enabling SPF, try these troubleshooting recommendations.
Verify messages pass SPF
To verify that your SPF record is working as expected and messages from your domain pass SPF, check a message sent from your domain.
Ask someone who received a message from your domain to open the message and view the email’s full headers. Then, check the message header for the SPF results. If the header shows that SPF failed, check your SPF record for errors. Make sure the record includes references to all servers and domains that send mail for your organization.
Check the DNS lookups for your TXT record
TXT records for SPF are limited to 10 lookups. So, your TXT record for SPF can’t include more than 10 references to other domains. If your TXT record has more than 10 lookups, messages from your domain won’t pass the receiving server's SPF check. The messages might be sent to spam.
Every instance of these tags in the TXT record generates a lookup: a, mx, include, ptr.
Nested lookups count toward the limit of 10. So, if a domain referenced in an include tag has domain references in their TXT record for SPF, those domains are counted toward your limit.
If messages are still sent to spam, check the number of lookups for your TXT record with the Check MX feature in the Google Admin Toolbox.
To reduce the number of lookups in your TXT record:
- Don’t use include tags unless necessary.
- When possible, use the ip4 or ip6 tag, instead of include.
- Remove duplicate tags or tags that reference the same domain.
Reference only domains that are actively sending for your organization. Remove any include statements for partners that no longer send mail for your domain.
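To see how nested include tags add up against the limit of 10, the Python sketch below counts lookups recursively. It is an added example, not part of the original page or of the Google Admin Toolbox. The zone data, domain names and IP ranges are constructed, and a dictionary stands in for live DNS. Only the tags this page lists as generating a lookup are counted.

```python
# Constructed sample zone: domain -> SPF TXT record (stands in for live DNS).
SAMPLE_ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:news.example ~all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example include:_nb2.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.mail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "news.example": "v=spf1 a mx ip4:192.0.2.0/24 ~all",
    # news.example is reached twice from here: once directly, once via example.com.
    "bloated.example": "v=spf1 a mx include:example.com include:news.example ~all",
}

LOOKUP_TAGS = {"a", "mx", "include", "ptr"}  # tags this page says generate a lookup
LIMIT = 10


def count_lookups(domain, zone, path=()):
    """Count lookups for domain's record, following include tags recursively."""
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip the v=spf1 tag
        term = term.lstrip("+-~?")  # drop an optional qualifier
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" or "mx/24" -> "a", "mx"
        if name in LOOKUP_TAGS:
            total += 1
            if name == "include":
                # Lookups in the included domain's record count toward the limit too.
                total += count_lookups(value, zone, path + (domain,))
    return total


def check_limit(domain, zone):
    """Return (lookup count, True if the record is within the limit)."""
    n = count_lookups(domain, zone)
    return n, n <= LIMIT


if __name__ == "__main__":
    for name in ("example.com", "bloated.example"):
        print(name, check_limit(name, SAMPLE_ZONE))
```

In the sample zone, bloated.example exceeds the limit partly because news.example is included twice, which is the duplicate-reference case the list above says to remove.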