Notification

Duet AI is now Gemini for Google Workspace. Learn more

Help prevent spoofing and spam with SPF

As a network administrator for your work or school, you can create a Sender Policy Framework (SPF) record to identify mail servers and domains that are allowed to send email on behalf of your domain. Receiving servers check your SPF record to verify that incoming messages that appear to be from your organization are sent from servers allowed by you.

Email authentication requirements for sending to Gmail accounts

Google performs checks on messages sent to Gmail accounts to verify messages are authenticated. To help ensure these messages are delivered as expected, set up email authentication for your domain. We recommend you always set up SPF and DKIM to protect your organization’s email, and to meet the authentication requirements described in Email sender guidelines. If you use an email service provider: Verify that your provider's authentication methods meet the requirements in Email sender guidelines. If you regularly forward email: Follow our Best practices for forwarding email to Gmail to help ensure messages are delivered as expected.

On this page 

Before you begin - SPF prerequisites

To set up SPF, you need the sign-in information for your domain provider, an SPF record, and a list of the IP addresses or domains for your mail servers.

Note: If you bought your domain from a Google partner when you signed up for Google Workspace, you might not need to set up SPF records. Check if SPF is one of the Settings managed by your domain host.

Get the sign-in information for your domain provider

SPF is set up at your domain provider, not in your Google admin console. You’ll need the sign-in information for your domain provider.

If you're not sure who your domain provider is, go to Identify your domain host.

Add or check for an SPF record

To set up SPF for your domain, add a DNS text (TXT) record in your domain provider's management console. TXT records are a type of DNS record that has information for servers and other sources outside your domain.

Learn more about TXT records.

Check if you have an existing SPF record (optional)

 

Before your start: Check your current SPF and DKIM

Before you set up email authentication, use the Google Admin Toolbox to check if SPF and DKIM have been set up.

 

You might already have a TXT record set up for SPF with your domain provider. To check, use the Check MX feature in the Google Admin Toolbox:

  1. Go to the Google Admin Toolbox.
  2. Enter your domain name.
  3. Click Run Checks!
  4. When the test finishes, click Effective SPF Address Ranges.
  5. Check the SPF results. They should include:
    • _spf.google.com
    • _netblocks.google.com followed by several IP addresses
    • _netblocks2.google.com followed by several IP addresses
    • _netblocks3.google.com followed by several IP addresses

Get IP addresses or domains for mail servers

Your SPF record must include references to all servers that send email for your organization or domain. These might include:

  • Web servers
  • On-premise mail servers, for example Microsoft Exchange
  • Mail servers used by your service provider
  • Outbound gateways
  • Services that send automatic emails, for example "Contact us" forms
  • Any third-party provider or service that sends email for your domain

If you send email with servers or services in addition to Google Workspace, gather those IP addresses or domains to include in your SPF record. You might need to contact your web site admin or third-party service documentation for this information.

Step 1: Define your SPF record

An SPF record identifies the mail servers and domains that are allowed to send email on behalf of your domain. Receiving servers check your SPF record to verify that incoming messages that appear to be from your organization are sent from servers allowed by you.

Domains have one SPF record that can specify multiple servers and any third parties that are allowed to send mail from the domain.

Set up SPF

SPF record: Google Workspace only

If all email from your organization is sent using Google Workspace only, copy this line of text for your SPF record:

v=spf1 include:_spf.google.com ~all

Go directly to Step 2: Add your SPF record at your domain provider.

SPF record: Google Workspace plus other senders

If you send mail with other servers or third-party services in addition to Google Workspace, create a custom SPF record that authorizes these senders. If you’re not sure what these services are, review Get IP addresses or domains for email servers.

Your SPF record should include a reference to Google Workspace, and to the domains and IP addresses of all servers or services that send mail for your domain.

Example SPF records: Google Workspace plus other senders

Here are example SPF records for common email setups that use Google Workspace and other senders. Every example includes _spf.google.com, which is required to send mail with Google Workspace.

Start with this SPF record for Google Workspace, then add the information for your other senders:

v=spf1 include:_spf.google.com ~all

Important: The IP addresses and domain names used in this table are examples. Replace them with IP addresses and domains for your senders.

Example SPF record Description
v=spf1 ip4:192.168.0.0/16 include:_spf.google.com ~all

Authorizes these email senders for your domain:

  • Any server with an IP address between 192.168.0.0 and 192.168.255.255
  • Google Workspace
v=spf1 ip4:192.168.0.0/16 include:_spf.google.com include:sendyourmail.com ~all

Authorizes these email senders for your domain:

  • Servers between 192.168.0.0 and 192.168.255.255
  • Google Workspace
  • Third-party service Sendyourmail
v=spf1 a:mail.solarmora.com ip4:192.72.10.10 include:_spf.google.com ~all

Authorizes these email senders for your domain:

  • Server mail.solarmora.com
  • Server with IP address 192.72.10.10
  • Google Workspace
v=spf1 include:servers.mail.net include:_spf.google.com ~all

Authorizes these email senders for your domain:

  • Third-party email service with server servers.mail.net
  • Google Workspace

Step 2: Add your SPF record

To turn on SPF for your domain, add your SPF record at your domain provider.

When adding your SPF record, keep in mind:

  • The field names in these steps might be different for your domain provider. DNS TXT record field names vary for domain providers.
  • Some domain providers require the SPF record value be enclosed in quotes. Check your provider's support information for information on SPF record format.
  • After adding an SPF record, it can take up to 48 hours for SPF authentication to start working.
  1. Sign in to the management console for your domain host and locate the page where you update DNS TXT records for your domain. For help on how to find this page, check the documentation for your domain provider.
  2. Enter these values on the page or form for your domain provider’s TXT records:
Field name Value to enter
Type TXT
Host

@

Note: If you're adding an SPF record for a subdomain, enter the subdomain instead of @. Read Apply an SPF record to subdomain with the Host setting for more information.

Value

If you only send email from Google Workspace, enter this SPF record:

v=spf1 include:_spf.google.com ~all


If you use additional email senders, enter the SPF record you created in Basic setup or in Advanced setup.
TTL

1 hour or 3600 seconds

If your domain provider doesn't let you modify the value for this field, use the current value.

Once you add the SPF record at your domain, you’re done setting up SPF for your domain. It can take up to 48 hours for SPF authentication to start working.

We recommend you also set up DKIM and DMARC authentication for your organization.

Add new senders to your SPF record (optional)

 

Every time you start using a new mail server or third-party sender, you should:
  1. Update your SPF record, following Step 1: Define your SPF record.
  2. Add the updated SPF record at your domain provider, following Step 2: Add your SPF record.

If you don’t update your SPF record, messages sent by the new senders might be marked as spam.

Important: Your domain should have one SPF record only. The exception is when you Add an SPF record to a subdomain with the Host setting. Your domain provider might let you add more than one SPF record to the same domain. However, SPF won’t authenticate messages correctly if there are multiple SPF records for the same domain.

Add an SPF record to a subdomain (optional)

 

When you add your SPF record to your domain, the SPF record isn't automatically applied to subdomains. Check if your domain provider lets you add SPF records directly to subdomains. If you're not sure, check the documentation for your domain provider.

Add an SPF record directly to subdomain

If your domain provider lets you add SPF records directly to subdomains, locate the subdomain in your domain provider management console. Then, add an SPF record following Step 2: Add your SPF record.

For example, if your domain is solarmora.com, you might want to add an SPF record for the subdomain mail.solarmora.com. Locate mail.solarmora.com in your domain provider console and add the SPF record.

Apply an SPF record to subdomain with the Host setting

If your domain provider doesn’t have a way to add an SPF record directly to a subdomain, add another SPF record to your primary domain. Change the Host value to apply the SPF record to the subdomain.

Follow Step 2: Add your SPF record, but for the Host value, enter the subdomain instead of @.

For example, if your domain is solarmora.com, you might want to add an SPF record for the subdomain mail.solarmora.com. Enter mail in the Host field, instead of @.

Related topics

 


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
8106670133030521166
true
Search Help Center
true
true
true
true
true
73010