SPF Records Explained and How to Set One Up

Learn what SPF is, why it matters for email delivery, and how to create and deploy an SPF record for your domain.

What is SPF?

SPF (Sender Policy Framework) is a DNS record that tells email providers which servers are authorized to send emails on behalf of your domain. When someone receives an email claiming to be from your domain, their email server checks your SPF record to verify the sending server is legitimate. Without SPF, your emails are more likely to be flagged as spam.

Why SPF Matters

Email providers use SPF as a key authentication method. A proper SPF record helps:

  • Reduce spam filtering: Legitimate emails pass authentication checks
  • Prevent spoofing: Attackers can't easily impersonate your domain
  • Improve delivery rates: Fewer emails end up in spam folders
  • Build trust: Consistent authentication signals you're a legitimate sender

How SPF Works

  1. You publish an SPF record in your domain's DNS as a TXT record
  2. When an email from your domain arrives at a recipient's server, they query your DNS
  3. The recipient's server extracts the sending server's IP address from the email headers
  4. It checks the SPF record to see if that IP is authorized
  5. The email passes or fails SPF authentication based on the result

Setting Up an SPF Record

Step 1: Identify Your Authorized Sending Servers

Gather the IP addresses or hostnames of all servers that send email on behalf of your domain. This typically includes:

  • Your hosting provider's mail server
  • Third-party email services (marketing tools, form handlers, etc.)
  • Your own servers if you send transactional emails

Ask your hosting provider or service for their SPF-authorized IP or hostname.

Step 2: Create Your SPF Record

SPF records use a specific syntax. A basic example:

v=spf1 ip4:192.0.2.1 include:mailprovider.com ~all

Breaking this down:

  • v=spf1 — Version identifier (always required, must be first)
  • ip4:192.0.2.1 — Authorizes the IPv4 address 192.0.2.1
  • include:mailprovider.com — Trusts SPF records from mailprovider.com
  • ~all — Soft fail (allows unauthorized servers but marks them suspicious); use -all for hard fail instead

Common building blocks:

v=spf1 a mx include:example.com ip4:198.51.100.0/24 ~all

  • a — Authorizes the A record (IPv4) of your domain
  • mx — Authorizes the MX record servers
  • include: — Trusts the SPF record of another domain
  • ip4: — Authorizes a specific IPv4 address or CIDR range
  • ip6: — Authorizes a specific IPv6 address or CIDR range
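
To see how a receiver reads these terms, here is an added example (not LochStudios code) that parses the two records above and evaluates a sender IP against their ip4/ip6 and all terms, left to right. It runs offline, so a, mx and include are reported as skipped rather than resolved; the function names and sender addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Terms that cost a DNS query during evaluation; RFC 7208 caps these at 10 per check.
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, argument) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("SPF record must begin with v=spf1")
    terms = []
    for tok in tokens[1:]:
        qual, body = (tok[0], tok[1:]) if tok[0] in RESULTS else ("+", tok)
        m = re.match(r"([A-Za-z0-9]+)(?:[:=/](.*))?$", body)
        if not m:
            raise ValueError(f"unparseable term: {tok}")
        terms.append((qual, m.group(1).lower(), m.group(2) or ""))
    return terms


def dns_lookup_terms(record):
    """Count top-level DNS-querying terms (nested includes add to the real total)."""
    return sum(1 for _, name, _ in parse_spf(record) if name in DNS_TERMS)


def evaluate(record, sender_ip):
    """Return (result, skipped): the first ip4/ip6/all match, evaluated left to
    right, plus the DNS-dependent terms passed over because this runs offline."""
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for qual, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qual], skipped
        elif name == "all":
            return RESULTS[qual], skipped
        elif name in DNS_TERMS:
            skipped.append(f"{name}:{arg}" if arg else name)
    return "neutral", skipped  # nothing matched and no "all" term


# The two records shown on this page, used as sample input.
BASIC = "v=spf1 ip4:192.0.2.1 include:mailprovider.com ~all"
BLOCKS = "v=spf1 a mx include:example.com ip4:198.51.100.0/24 ~all"
```

Calling evaluate(BASIC, "203.0.113.9") returns ("softfail", ["include:mailprovider.com"]): the soft fail stands only if the skipped include does not authorize that address, which a real receiver settles with DNS queries.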

Step 3: Add the Record to Your DNS

Log in to your DNS provider (often your hosting control panel):

  1. Navigate to DNS Records or Zone Management
  2. Create a new TXT record for your domain
  3. Enter the hostname as @ (your domain root) or leave blank
  4. Paste your complete SPF record as the value
  5. Save the record

Example DNS entry:

| Type | Name | Value |
|------|------|-------|
| TXT | @ | v=spf1 ip4:192.0.2.1 include:mailprovider.com ~all |

Step 4: Verify Your Record

After adding the record, allow up to 24 hours for DNS propagation (usually much faster). To check:

nslookup -type=TXT yourdomain.com

Or use an online SPF checker tool and enter your domain.

SPF Best Practices

  • Keep it simple: Avoid too many include statements (SPF has a 10-include limit per some implementations)
  • Use soft fail first: Start with ~all while testing, switch to -all once confident
  • Update when adding services: Each time you add a new email service, update your SPF record
  • Monitor alignment: Your SPF domain should match the domain in your email's "From" address for best results
  • Test before enforcing: Use a monitoring tool to catch any legitimate email that might fail

Common Issues

"Too many includes" — Reduce the number of include: statements by consolidating providers or removing unused ones.

"Emails still go to spam" — SPF alone isn't enough; combine it with DKIM and DMARC for stronger authentication.

"Changes aren't taking effect" — DNS changes take time to propagate worldwide. Wait 24 hours, then re-check with a DNS lookup tool.

Next Steps

Once SPF is working, add DKIM and DMARC records to your domain for even stronger email authentication and protection against spoofing.
