Set up SPF

Gmail users: If you’re getting spam or phishing messages in Gmail, go here instead. If you’re having trouble sending or receiving emails in Gmail, go here instead.

As an administrator, you can set up SPF by adding an SPF record to your domain:

  • The SPF record is a text record listing servers that are approved to send email from your domain. Each domain should have 1 SPF record.
  • Receiving servers check the SPF record to verify that email from your domain is from authorized servers.

Setting up SPF and DKIM is a powerful combination that can prevent messages sent from your organization or domain being marked as spam by receiving mail servers.

On this page 

Step 1: Check if SPF is already set up

In these situations, you might not need to set up SPF records:

  • Your domain or service provider already has SPF set up by default
  • You bought your domain from a Google partner when you signed up for Google Workspace

Important: You must be using Google Workspace to proceed. Alternatively, consider using a third-party tool from the internet to check if SPF is already set up.

  1. Go to the Google Admin Toolbox.
  2. Enter your domain name.
  3. Click Run Checks.
  4. When the test finishes, click Effective SPF Address Ranges.
  5. Check the SPF results. The SPF record must include a line for each sender that sends email on behalf of your domain. See Example SPF records (later on this page).
  6. Proceed based on the results:

Step 2: Prepare your SPF record

Prepare your SPF record

  1. Identify all email senders for your organization.

    Tip: You can use DMARC reports to identify all senders to your domain.

    In simple cases, all your organization’s email is sent using Google Workspace only. In other cases, email senders might include the following:

    • Web servers
    • On-premise mail servers, for example Microsoft Exchange
    • Mail servers used by your service provider
    • Outbound gateways
    • Services that send automatic emails, for example "Contact us" forms
    • Any third-party provider or service that sends email for your domain
  2. Proceed depending upon how your organization sends email:
    • Using Google Workspace only: Copy this line of text: v=spf1 include:_spf.google.com ~all, then proceed to Add your SPF record (later on this page).

    • Using other email senders: Identify those IP addresses or domains. You might need to contact your web site admin or third-party service documentation for this information. Add other senders using the include: mechanism. See Example SPF records (below on this page).
Example SPF records

These examples use Google Workspace and other senders. Every example includes _spf.google.com, which is required to send mail with Google Workspace.

Important: Replace the domain names in these examples with the domains for your senders. 

Example SPF record Description

v=spf1 include:_spf.google.com ~all

Supports messages sent from Google Workspace only.
v=spf1 include:_spf.google.com include:mail.zendesk.com ~all Supports messages sent from Google Workspace and Zendesk.

v=spf1 include:_spf.google.com include:secureserver.net ~all

Supports messages sent from Google Workspace and GoDaddy.

v=spf1 include:_spf.google.com include:shops.shopify.com ~all Supports messages sent from Google Workspace and Shopify.

Step 3: Add or update your SPF record

Add your SPF record

  1. Sign in to your domain host, typically where you purchased your domain name. If you’re not sure who your domain host is, see identify your domain registrar.
  2. Go to the page where you update DNS TXT records for your domain. For help finding this page, check the documentation for your domain.
  3. Add or update the TXT record with this information (refer to the documentation for your domain): 

    Field name Value to enter
    Type The record type is TXT.
    Host The domain (or subdomain), can also be called Name, Hostname, or Alias. If the Host is the same domain (not subdomain) you are adding the TXT record to, specify the @ symbol.
    Value

    The string that makes up the TXT record:

    TTL (only SPF & BIMI)

    The Time To Live value determines the number of seconds before subsequent changes to the record go into effect.

    You can set this value to 1 hour or 3600 seconds.

    If your domain doesn't let you modify the value for this field, use the current value.

  4. If you use subdomains, you must add an SPF record for each subdomain. Check the documentation for your domain.
  5. If you are setting up SPF for more than one domain, complete these steps for each domain. Each domain must have its own SPF record.

It can take up to 48 hours for SPF authentication to start working. To verify that SPF is working, see Verify outgoing messages pass SPF authentication.

Next steps

  • Google recommends that you also set up DKIM and DMARC authentication for your organization. Bulk senders are required to set up SPF, DKIM, and DMARC. For details, see Email sender guidelines.
  • If you start using a new mail server or third-party sender, make sure to update your SPF record (earlier on this page). Otherwise, messages sent by the new senders could be marked as spam.
  • If you can't figure out if SPF is working, or if messages from your domain are going to spam, see Troubleshoot SPF issues.

Related topics


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

 

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
1208696956990408905