
How to set up an SPF record for Google-hosted email?

SPF Record Configuration for Google Hosted Email

Ensuring proper email deliverability is crucial for any organization relying on Google Workspace (formerly G Suite). A Sender Policy Framework (SPF) record is a DNS record that tells receiving mail servers which hosts may send mail for your domain, so that mail claiming your domain from anywhere else can be flagged or rejected. Note that SPF is checked against the envelope sender (the SMTP MAIL FROM, also shown as Return-Path), not the “From” address a user sees; it is DMARC that ties the two together. This article provides a comprehensive guide to configuring an SPF record specifically for Google-hosted email, covering common scenarios, troubleshooting tips, and best practices to maximize delivery rates and minimize the risk of your emails being marked as spam, with practical examples and step-by-step instructions.

Understanding SPF and Its Importance

[Diagram: how SPF works: sender, sending mail server, recipient mail server, DNS lookup, SPF record, and email authentication.]
SPF, or Sender Policy Framework, is an email authentication method designed to prevent sender address forgery, a common technique used in phishing and spam. It works by allowing domain owners to publish, in DNS, which mail servers are authorized to send email on behalf of their domain. When a receiving mail server accepts a message, it looks up the SPF record of the domain in the SMTP envelope sender (MAIL FROM, or the HELO/EHLO hostname when MAIL FROM is empty, as it is for bounces) and checks whether the connecting IP address is listed. If it is, the email is more likely to be considered legitimate. If not, the email might be flagged as spam or rejected outright, depending on the recipient server’s configuration and on the qualifier your record uses.

Without an SPF record, spammers can easily spoof your domain’s email address, making it appear as if the email originated from you. This can damage your domain’s reputation, leading to legitimate emails being marked as spam. A properly configured SPF record tells receiving mail servers: “These are the only servers authorized to send email from my domain. If an email claims to be from my domain but originates from a different server, it’s likely a forgery.” This dramatically reduces the likelihood of your domain being used for spam and helps ensure that your legitimate emails reach their intended recipients.

Importance of SPF

The importance of SPF extends beyond just preventing spam. It directly impacts:
  • Email Deliverability: ISPs and email providers use SPF as one factor in determining whether to deliver emails to the inbox or mark them as spam.
  • Domain Reputation: Protecting your domain from being used in spam campaigns maintains a positive reputation, leading to better deliverability across all email services.
  • Brand Protection: Preventing phishing attacks that impersonate your brand helps maintain customer trust and avoids potential financial or reputational damage.
  • Compliance: Some regulations and industry standards require email authentication measures like SPF.
Neglecting SPF can have serious consequences, including decreased email deliverability, damage to your brand’s reputation, and potential legal repercussions if your domain is used in phishing attacks.

SPF Record Syntax: Key Components

An SPF record is a TXT record in your domain’s DNS settings. It follows a specific syntax:

v=spf1 [mechanisms] [modifiers]
Let’s break down each component:

  • v=spf1: This is the version of SPF being used. It’s mandatory and must be the first element in the record.
  • Mechanisms: These define the authorized sending sources. They are evaluated left to right and the first one that matches decides the result; nothing after a matching term is consulted. The a, mx, include, exists and ptr mechanisms each cost one DNS lookup against the 10-lookup limit described below; ip4, ip6 and all cost none. Common mechanisms include:
    • ip4: Specifies an IPv4 address or range. Example: ip4:192.0.2.0/24
    • ip6: Specifies an IPv6 address or range. Example: ip6:2001:db8::/32
    • a: Matches the A (and AAAA) address(es) of a domain; with no argument, the domain being checked. Example: a:example.com
    • mx: Matches the addresses of the domain’s MX host(s); with no argument, the domain being checked. Example: mx:example.com
    • include: Evaluates another domain’s SPF record and matches if that evaluation passes. This is crucial for Google Workspace. Example: include:_spf.google.com
    • exists: Matches if the given domain name resolves to an A record. Rarely used directly. Example: exists:%{s}.example.com
    • ptr: Matches on the reverse DNS of the sending IP. Deprecated by RFC 7208 as slow and unreliable; avoid it.
  • Qualifiers: Precede each mechanism and determine how the check is handled:
    • + (Pass): Explicitly allows the sending server (default if no qualifier is specified).
    • - (Fail): Explicitly denies the sending server. Recipient servers should reject the email.
    • ~ (SoftFail): Indicates the email is probably from an unauthorized source, but the recipient server should accept it and treat it with suspicion (e.g., mark it as spam).
    • ? (Neutral): Indicates the domain owner makes no assertion about whether the sending server is authorized. Receivers treat it like having no record at all.
  • Modifiers: Provide additional instructions or information.
    • redirect=: Evaluates another domain’s SPF record in place of this one, but only if no mechanism matched, so it has no effect in a record that ends with an all term. It costs one DNS lookup. Example: redirect=example.net
    • exp=: Provides an explanation string for why an email failed the SPF check (rarely used). Example: exp=email.example.com
  • all: Matches every IP address. It’s placed at the end of the record and used with a qualifier to define the default behavior for addresses not matched by other mechanisms. Common uses:
    • -all: Fail all unmatched addresses (strict policy).
    • ~all: SoftFail all unmatched addresses (more lenient).
    • ?all: Neutral for all unmatched addresses (effectively disables SPF).
    • +all (or a bare all): Pass all unmatched addresses. This authorizes every host on the internet to send as your domain and is a misconfiguration, not a policy.
Example SPF Record (Basic for Google Workspace):

v=spf1 include:_spf.google.com -all
This record states: “Use SPF version 1. Include Google’s SPF records (which list their authorized sending servers). Fail any other sending servers not explicitly authorized.” The `include:_spf.google.com` directive is critical when using Google Workspace, as it delegates the responsibility of specifying Google’s sending servers to Google themselves. They maintain this list, so you don’t have to manually update your SPF record every time Google adds or changes a server.

Important Considerations:

  • Only one SPF record per domain: If a domain has two or more TXT records starting with v=spf1, the check returns permerror, and DMARC treats permerror as an SPF failure. If you need to include multiple sources, combine them into a single record.
  • The 10-lookup limit: Every a, mx, include, exists and ptr mechanism and every redirect modifier costs one DNS lookup, including those inside nested `include:` records; ip4, ip6 and all cost nothing. More than 10 lookups makes the whole check return permerror, even for an authorized sender. Consolidate your record to minimize lookups.
  • Prioritize security: End your record with `-all` to enforce a strict policy and reject unauthorized emails. If you’re not yet sure you have listed every legitimate source, `~all` (SoftFail) is a safer initial option. Never end with `+all` or `?all`, which make the record meaningless.

Creating Your SPF Record for Google Workspace

[Screenshot: DNS management interface showing the addition of a TXT record with the SPF value.]
Creating an SPF record for Google Workspace involves several key steps: identifying your sending sources, constructing the SPF record syntax, adding the record to your domain’s DNS settings, and validating the record’s correctness. This section provides a detailed walkthrough of each step, ensuring a properly configured SPF record for optimal email deliverability.

Step 1: Identifying Your Sending Sources

Before creating your SPF record, it’s crucial to identify all the servers and services that send email on behalf of your domain. This includes:

  • Google Workspace Servers: This is the primary source when using Google Workspace for email. You’ll use the include:_spf.google.com mechanism to authorize these servers.
  • Web Servers: If your website sends emails (e.g., contact form submissions, password reset emails), you need to include the IP address of your web server or use the a or mx mechanisms if the server is associated with your domain.
  • Marketing Automation Platforms: If you use services like Mailchimp, SendGrid, or HubSpot, you’ll need to include their SPF records using the include: mechanism they provide.
  • Transactional Email Services: Services like Sendinblue or Amazon SES also require including their SPF records.
  • On-Premise Email Servers: If you have any on-premise email servers that send email for your domain, you need to include their IP addresses or hostnames.
Failing to include all your sending sources in your SPF record can lead to legitimate emails being flagged as spam. Make a comprehensive list before proceeding to the next step.

Step 2: Constructing the SPF Record

For Google Workspace, the base SPF record will always include Google’s SPF record. Start with this:

v=spf1 include:_spf.google.com
Now, add any other sending sources you identified in the previous step. Here are some examples:

  • Adding a web server with IP address 192.0.2.10:
v=spf1 include:_spf.google.com ip4:192.0.2.10 -all
  • Adding Mailchimp: (Replace `servers.mcsv.net` with the correct value for your Mailchimp account if different).
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
  • Adding SendGrid:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Note on ordering: mechanisms are evaluated left to right and evaluation stops at the first match, so the order does not change which senders pass; it only changes how many DNS lookups are spent before a match. Listing your highest-volume sender first (for most Google Workspace domains, `include:_spf.google.com`) keeps the common case cheap. The record is equally valid in any order.

Finally, add the `all` mechanism to define the default behavior. Using `-all` is recommended for a strict policy, but `~all` is a safer starting point if you’re unsure:

v=spf1 include:_spf.google.com include:servers.mcsv.net -all
This complete SPF record allows Google Workspace servers and Mailchimp servers to send email on behalf of your domain and fails any other sending servers.

Step 3: Adding the SPF Record to Your DNS Settings

To add the SPF record, you’ll need to access your domain’s DNS management interface. This is typically provided by your domain registrar (e.g., GoDaddy, Namecheap, Google Domains) or your hosting provider. The exact steps vary depending on the provider, but the general process is:

  • Log in to your domain registrar or hosting provider’s control panel.
  • Navigate to the DNS management section. This might be called “DNS Zone Editor,” “DNS Records,” or something similar.
  • Create a new TXT record.
  • Enter the following values:
    • Host/Name: Enter @ or leave it blank to apply the record to the root domain (e.g., example.com). If you’re creating the record for a subdomain (e.g., mail.example.com), enter the subdomain.
    • Type: Select TXT.
    • Value/Text: Enter the SPF record you constructed in Step 2 (e.g., v=spf1 include:_spf.google.com include:servers.mcsv.net -all).
    • TTL (Time to Live): This determines how long DNS servers cache the record. The default TTL is usually fine (e.g., 3600 seconds or 1 hour).
  • Save the record.
Example using Google Domains:

  • Log in to Google Domains.
  • Select your domain.
  • Click on “DNS.”
  • Scroll down to “Custom resource records.”
  • Enter the following:
    • Name: @
    • Type: TXT
    • TTL: 3600
    • Data: v=spf1 include:_spf.google.com include:servers.mcsv.net -all
  • Click “Add.”
Important: DNS changes can take up to 48 hours to propagate across the internet, although it’s often much faster. During this time, some email servers might use the old SPF record (or no SPF record), while others use the new one.

Step 4: Validating the SPF Record

After adding the SPF record, it’s essential to validate its correctness. Online SPF record checkers (listed under Testing and Validating Your SPF Record below) verify that the record is syntactically valid, that the domain publishes only one, and that it stays within the 10-lookup limit.

Simply enter your domain name into the tool, and it will check the SPF record for syntax errors, DNS lookup issues, and other potential problems. Pay close attention to any warnings or errors and correct them accordingly. MXToolbox, for example, displays the SPF record and any issues it finds, such as multiple SPF records or exceeding the 10-lookup limit.

Expert Tip: After updating your SPF record, send test emails from all your sending sources (e.g., your web server, your marketing automation platform) to an email address you control (e.g., a Gmail account), then check the headers. In Gmail, open the email, click the three dots in the upper right corner, and select “Show original”; the summary at the top of that page shows the SPF, DKIM and DMARC results, and the raw headers below contain the “Received-SPF” and “Authentication-Results” lines with the same verdicts. The SPF result should be “pass”. Note that the pass applies to the envelope-from domain named in the header; for DMARC to pass, that domain must also align with the domain in the From header.

Handling Multiple Senders and Third-Party Services

In today’s digital landscape, it’s common for organizations to use multiple services for sending emails, including Google Workspace, marketing automation platforms, transactional email services, and more. Managing SPF records for these diverse senders can be complex. This section provides guidance on how to create a comprehensive SPF record that authorizes all your legitimate sending sources while maintaining optimal email deliverability.

The `include:` Mechanism: Delegation is Key

The `include:` mechanism is the cornerstone of managing multiple senders. It allows you to delegate the responsibility of specifying authorized sending servers to the third-party service itself. Instead of manually adding IP addresses for each service, you simply include their SPF record in your own. This makes maintenance much easier, as the service provider is responsible for keeping their SPF record up-to-date.

Example:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net -all
This record authorizes Google Workspace, Mailchimp (using the `servers.mcsv.net` SPF record), and SendGrid to send email on behalf of your domain. If Mailchimp or SendGrid changes their sending infrastructure, you don’t need to update your SPF record; they will update their own SPF record, and your record will automatically reflect those changes.

Finding the Correct `include:` Value

Each third-party service has its own specific SPF record that you need to include. The correct value is usually documented in their help documentation or setup guides. Here’s how to find the SPF record for some common services:

  • Mailchimp: Search their help documentation for “SPF record” or “email authentication.” The correct value is usually include:servers.mcsv.net (but verify this for your specific account).
  • SendGrid: Search their help documentation for “SPF record.” The correct value is include:sendgrid.net.
  • HubSpot: Search their help documentation for “SPF record.” The correct value is include:hs-spf.hubspotemail.net.
  • Amazon SES: The correct value depends on the AWS region you’re using. Refer to the Amazon SES documentation for the correct include: value for your region (e.g., include:amazonses.com for the default region).
  • Sendinblue: The correct value is include:spf.sendinblue.com.
Important: Always verify the SPF record value in the service provider’s official documentation. Do not rely on outdated information from third-party websites.

The 10-Lookup Limit: A Critical Constraint

As mentioned earlier, SPF allows at most 10 DNS lookups per evaluation. Each `include:` costs one lookup plus whatever lookups the included record itself performs (its own `include:`, a, mx, exists, ptr and redirect terms), so nested includes add up quickly. Exceeding the limit returns permerror, which receivers and DMARC treat as a failed check, even if the sending server is authorized. This is a common problem when using multiple third-party services.

Example:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net include:hs-spf.hubspotemail.net include:spf.sendinblue.com -all
This record includes five `include:` mechanisms. If any of these included records have nested `include:` statements, it’s possible to exceed the 10-lookup limit.

Strategies for Staying Under the Limit:

  • Minimize `include:` statements: Only include the SPF records for services you actively use. Remove any unused or outdated `include:` statements.
  • Flatten your SPF record (Use with Caution): Instead of using `include:`, you can manually add the IP addresses of the sending servers directly to your SPF record using the `ip4:` and `ip6:` mechanisms, which cost no lookups. However, this is generally not recommended because it requires you to update your SPF record whenever the service provider changes their sending infrastructure, which is time-consuming and error-prone, and because flattened records get long: each TXT string is limited to 255 characters (longer records are split into several quoted strings that receivers concatenate), and the whole record should stay small enough to fit a single UDP DNS response. Use this method only if absolutely necessary.
  • Use a dedicated email sending domain or subdomain: If you are using a large number of third-party senders, consider using a separate domain or subdomain (e.g., `mail.example.com`) specifically for sending email. This allows you to create a separate SPF record for that subdomain with only the necessary `include:` statements, isolating the impact of the 10-lookup limit to that subdomain. Because SPF is evaluated on the envelope-from domain, the third-party service must be configured to use that subdomain as its bounce (return-path) domain; with DMARC’s default relaxed alignment, `mail.example.com` still aligns with a From address at `example.com`.
Expert Quote: “The 10-lookup limit is a common pain point with SPF. Regularly review your SPF record and remove any unnecessary `include:` statements. Prioritize the services that send the most critical emails.” – Email Deliverability Consultant
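
To make the mechanism, qualifier and lookup-budget rules concrete (both the syntax section earlier and the 10-lookup discussion here), the following is an added example, not code from this page or from Google: a small Python SPF evaluator that walks a record left to right, spends one lookup for every include:, a, mx, exists, ptr and redirect it meets, and returns permerror when a domain publishes two records or the budget is exceeded. It runs offline against a constructed zone; every domain and record in ZONE is made up, and _spf.provider.example is a stand-in for a provider include such as _spf.google.com. Macros, exists and ptr are charged to the budget but not implemented.

```python
"""Minimal SPF evaluator: walks a record left to right with the qualifier semantics and the
10-lookup budget of RFC 7208, offline against a constructed zone (every name below is made up)."""
import ipaddress
import re

MAX_DNS_LOOKUPS = 10                        # RFC 7208 section 4.6.4
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone (hypothetical data); _spf.provider.example stands in for e.g. _spf.google.com.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.provider.example ip4:192.0.2.10 mx -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.provider.example", "TXT"): ["v=spf1 include:_netblocks.provider.example ~all"],
    ("_netblocks.provider.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"],
    ("twospf.example", "TXT"): ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],   # invalid: two records
    ("deep.example", "TXT"): ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"],
}
ZONE.update({(f"hop{i}.example", "TXT"): ["v=spf1 -all"] for i in range(11)})

class PermError(Exception):
    """Record cannot be evaluated; DMARC treats permerror as a failed SPF check."""

def dns(name, rtype):
    return ZONE.get((name.lower(), rtype), [])

def spf_record(domain):
    """The single v=spf1 TXT record of domain: None if absent, PermError if duplicated."""
    records = [r for r in dns(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        raise PermError(f"{domain}: multiple SPF records")
    return records[0] if records else None

def in_network(ip, hosts, cidr):
    """True if ip is one of the hosts' A/AAAA addresses, optionally widened to /cidr."""
    for addr in (ipaddress.ip_address(a) for h in hosts for a in dns(h, "A") + dns(h, "AAAA")):
        if addr.version == ip.version and ip in ipaddress.ip_network(
                f"{addr}/{cidr or ip.max_prefixlen}", strict=False):
            return True
    return False

def check_host(ip, domain, counter):
    """RFC 7208 check_host(): pass/fail/softfail/neutral/none for ip sending as domain."""
    record = spf_record(domain)
    if record is None:
        return "none"

    def spend():                                # one DNS lookup taken from the shared budget
        counter[0] += 1
        if counter[0] > MAX_DNS_LOOKUPS:
            raise PermError(f"{domain}: more than {MAX_DNS_LOOKUPS} DNS lookups")

    redirect = None
    for term in record.split()[1:]:
        modifier = re.fullmatch(r"([a-z]+)=(.+)", term, re.I)
        if modifier:                            # exp= and unknown modifiers are ignored
            if modifier.group(1).lower() == "redirect":
                redirect = modifier.group(2)
            continue
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?::([^/]+))?(?:/(\d+))?", term, re.I)
        if not m:
            raise PermError(f"{domain}: unparseable term {term!r}")
        qual, mech, arg, cidr = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):            # literal networks: no DNS lookup
            matched = ip in ipaddress.ip_network(f"{arg}/{cidr}" if cidr else arg, strict=False)
        elif mech == "a":
            spend(); matched = in_network(ip, [arg or domain], cidr)
        elif mech == "mx":
            spend(); matched = in_network(ip, dns(arg or domain, "MX")[:10], cidr)
        elif mech == "include":
            spend(); inner = check_host(ip, arg, counter)
            if inner == "none":
                raise PermError(f"{domain}: include:{arg} has no SPF record")
            matched = inner == "pass"           # fail/softfail/neutral inside just mean "no match"
        elif mech in ("exists", "ptr"):
            spend(); matched = False            # charged to the budget, not implemented here
        else:
            raise PermError(f"{domain}: unknown mechanism {mech}")
        if matched:
            return QUALIFIER_RESULT[qual]
    if redirect:                                # only consulted when nothing matched
        spend(); inner = check_host(ip, redirect, counter)
        if inner == "none":
            raise PermError(f"{domain}: redirect={redirect} has no SPF record")
        return inner
    return "neutral"                            # no match and no terminal all term

def evaluate(ip, domain):
    """Result for a connecting ip and MAIL FROM domain: (result, lookups_used, detail)."""
    counter = [0]
    try:
        return check_host(ipaddress.ip_address(ip), domain, counter), counter[0], ""
    except PermError as err:
        return "permerror", counter[0], str(err)
```

evaluate("203.0.113.5", "example.com") passes after two lookups through the nested include, while deep.example, whose eleven includes are each individually valid, fails on the eleventh lookup with permerror; that is exactly what a receiver does with an over-long record, and it is why the ordering of terms matters only for cost, never for correctness.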

Testing and Monitoring Your SPF Record with Multiple Senders

After configuring your SPF record with multiple senders, thorough testing and ongoing monitoring are crucial. Here’s how:

  • Use SPF Record Checkers: Use online SPF record checkers (like MXToolbox) to verify that your SPF record is valid and doesn’t exceed the 10-lookup limit.
  • Send Test Emails: Send test emails from each of your sending sources (Google Workspace, Mailchimp, SendGrid, etc.) to an email address you control (e.g., a Gmail account). Check the email headers to confirm that the SPF check passed.
  • Monitor Email Deliverability: Pay attention to your email deliverability rates. If you notice a sudden drop in deliverability, it could indicate an issue with your SPF record.
  • Use DMARC Reporting: Implement DMARC (Domain-based Message Authentication, Reporting & Conformance) and enable DMARC reporting. DMARC reports provide valuable insights into how your emails are being authenticated and whether SPF and DKIM (DomainKeys Identified Mail) are passing. This allows you to identify and address any authentication issues.

Testing and Validating Your SPF Record

Once you’ve created or modified your SPF record, rigorous testing and validation are essential to ensure its effectiveness. A faulty SPF record can lead to legitimate emails being rejected or marked as spam, negating the benefits of implementing SPF in the first place. This section details various methods for testing and validating your SPF record, providing practical examples and tools to help you identify and resolve any potential issues.

Using Online SPF Record Checkers

Online SPF record checkers are the most convenient and readily accessible tools for validating your SPF record. These tools analyze your record for syntax errors, DNS lookup issues, and other common problems. Several reputable options are available:

  • MXToolbox SPF Record Check: https://mxtoolbox.com/spf.aspx – Provides a detailed analysis of your SPF record, including syntax validation, DNS lookup checks, and warnings for common issues like exceeding the 10-lookup limit.
  • Dmarcian SPF Surveyor: https://dmarcian.com/spf-survey/ – Offers a comprehensive SPF record analysis and visualization, highlighting potential issues and providing recommendations for improvement.
  • SPF Check by Agari (now Proofpoint): https://spfcheck.agari.com/ (May require account creation) – Checks the validity and structure of your SPF record.
Example using MXToolbox:

  • Navigate to https://mxtoolbox.com/spf.aspx.
  • Enter your domain name (e.g., example.com) in the “Domain Name” field.
  • Click the “SPF Record Lookup” button.
MXToolbox will display your SPF record and any issues it detects. Look for the following:

  • Syntax Errors: The tool will highlight any syntax errors in your SPF record, such as missing spaces or incorrect qualifiers.
  • Multiple SPF Records: The tool will warn you if you have multiple SPF records, which is invalid and can cause SPF checks to fail.
  • DNS Lookup Issues: The tool will check if all the domains listed in your `include:` mechanisms can be resolved and if you’re exceeding the 10-lookup limit.
  • Warnings: The tool may provide warnings about potential issues, such as using the `ptr` mechanism (which is generally not recommended) or not having a final `all` mechanism.
Analyzing Email Headers for SPF Results

A more direct way to test your SPF record is to analyze the email headers of emails sent from your domain. Email headers contain information about the email’s path, authentication results, and other technical details. Most email clients allow you to view the full email headers.

Steps to view email headers in Gmail:

  • Open the email you want to analyze.
  • Click the three dots in the upper right corner of the email.
  • Select “Show original.”
The “Original Message” page will display the full email headers. Look for the “Received-SPF” header, which records the result of the SPF check performed by the receiving mail server, and for the spf= clause of the “Authentication-Results” header, which carries the same verdict together with smtp.mailfrom=, the envelope domain it was computed for.

Possible values for the “Received-SPF” header:

  • Pass: The SPF check passed. The sending server is authorized to send email on behalf of the domain.
  • Fail: The SPF check failed. The sending server is not authorized to send email on behalf of the domain.
  • SoftFail: The SPF check resulted in a soft fail. The sending server is not explicitly authorized, but the email is not necessarily rejected. The recipient server might mark the email as spam.
  • Neutral: The SPF record is neutral (e.g., `?all`). The SPF check doesn’t provide any information about whether the sending server is authorized.
  • None: No SPF record was found for the domain.
  • PermError: The record could not be evaluated, for example because of a syntax error, more than one SPF record, or more than 10 DNS lookups. DMARC treats this as an SPF failure.
  • TempError: A transient DNS failure occurred; the check could not be completed and may succeed on retry.
Example “Received-SPF” header:

Received-SPF: pass (google.com: domain of test@example.com designates 203.0.113.123 as permitted sender) client-ip=203.0.113.123; envelope-from=test@example.com;
This header indicates that the SPF check passed. The domain `example.com` designates the IP address `203.0.113.123` as a permitted sender.

If the “Received-SPF” header shows “fail,” “softfail,” or “permerror,” there’s an issue with your SPF record. Double-check that the envelope-from domain named in the header is the one you expected, that you’ve included all your authorized sending sources, and that the record is syntactically valid and within the lookup limit.
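
As an added example (not from the page), the following Python reads the Received-SPF header out of a raw message and relates the verdict to the visible From address. The three sample messages are constructed, with mx.example.net as a hypothetical receiving host, and the organizational-domain helper is a deliberate simplification. The point it adds to the checks above: a Received-SPF: pass only proves that the envelope-from domain authorized the sending IP, so the spoofed sample passes SPF while carrying a forged From; only an aligned pass authenticates what the recipient sees, which is why DMARC alignment matters.

```python
"""Extract the SPF verdict from a received message and check whether it covers the visible
From address (DMARC alignment). Sample messages below are constructed, not real captures."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed header samples; mx.example.net is a hypothetical receiver.
LEGIT = """Received-SPF: pass (mx.example.net: domain of test@example.com designates 203.0.113.123 as permitted sender) client-ip=203.0.113.123; envelope-from=test@example.com;
From: Test User <test@example.com>
Subject: SPF test

body
"""
SPOOF = """Received-SPF: pass (mx.example.net: domain of bounce@attacker.example designates 198.51.100.7 as permitted sender) client-ip=198.51.100.7; envelope-from=bounce@attacker.example;
From: "CEO" <ceo@example.com>
Subject: Urgent wire transfer

body
"""
SOFTFAIL = """Received-SPF: softfail (mx.example.net: domain of transitioning test@example.com does not designate 192.0.2.99 as permitted sender) client-ip=192.0.2.99; envelope-from=test@example.com;
From: Test User <test@example.com>
Subject: sent from an unlisted web server

body
"""

def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Production code uses the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def spf_summary(raw):
    """Parse Received-SPF and relate its envelope-from domain to the From header."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    out = {"result": "none", "client_ip": "", "mailfrom_domain": "", "from_domain": from_domain,
           "aligned": False, "authenticates_from": False}
    header = msg.get("Received-SPF")
    if header is None:
        return out
    # Header shape: <result> (<free-text comment>) key=value; key=value; ...
    m = re.match(r"\s*(\w+)(?:\s*\((.*?)\))?(.*)", header, re.S)
    out["result"] = m.group(1).lower()
    fields = dict(re.findall(r"([\w-]+)=([^;\s]+)", m.group(3)))
    out["client_ip"] = fields.get("client-ip", "")
    out["mailfrom_domain"] = fields.get("envelope-from", "").rpartition("@")[2].lower()
    # Relaxed alignment: organizational domains of MAIL FROM and From must match.
    out["aligned"] = bool(out["mailfrom_domain"]) and org_domain(out["mailfrom_domain"]) == org_domain(from_domain)
    # Only an aligned pass says anything about the address the recipient actually sees.
    out["authenticates_from"] = out["result"] == "pass" and out["aligned"]
    return out
```

Run it on SPOOF and the result is pass with authenticates_from False: the attacker's own domain vouched for the attacker's own server, which SPF is happy with. That gap is closed by DMARC, not by a stricter SPF record on your side.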

Using Command-Line Tools for SPF Record Lookup

For more advanced users, command-line tools like `dig` or `nslookup` can be used to directly query DNS records, including SPF records. These tools provide more granular control over the DNS lookup process.

Example using `dig` (Linux/macOS):

dig txt example.com
This command queries the TXT records for `example.com`. The output will include your SPF record if it’s configured correctly; adding `+short` prints only the record data. Check that exactly one string starts with `v=spf1`, and remember that a record longer than 255 characters appears as several quoted strings that receivers concatenate.

Example using `nslookup` (Windows):

nslookup -type=txt example.com
This command performs the same function as the `dig` command, but using the `nslookup` tool available on Windows.

The output of these commands will display the TXT records for your domain, including your SPF record. You can then manually verify that the record is correct and doesn’t contain any errors.

Testing SPF with DMARC Analyzers

Implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) provides a powerful way to monitor and improve your email authentication, including SPF. DMARC builds upon SPF and DKIM to provide a more robust authentication framework.

DMARC analyzers, such as those offered by Dmarcian and other vendors, process DMARC reports to provide insights into your email authentication performance. These reports show you:

  • Which sending sources are passing or failing SPF and DKIM checks.
  • The volume of email being sent from each source.
  • Any potential authentication issues.
By analyzing DMARC reports, you can identify any misconfigured SPF records or unauthorized sending sources. This allows you to take corrective action to improve your email deliverability and protect your domain from spoofing. Aggregate reports, the XML summaries that analyzers process, are sent to the address in the `rua=` tag of your DMARC record (e.g., `rua=mailto:dmarc-reports@example.com`); the `ruf=` tag requests per-message failure reports, which few receivers send.
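
An added example of what an analyzer does with an aggregate report, not code from Dmarcian or any other vendor: the Python below parses a DMARC aggregate (rua) report in the RFC 7489 Appendix C schema and classifies each source IP. The report embedded here is constructed, with made-up addresses and reporter, and covers the situations you will meet in practice: a source that passes both checks, a legitimate server missing from the SPF record, a bulk sender whose SPF passes for its own bounce domain and therefore only aligns through DKIM, and an unknown host that fails everything.

```python
"""Parse a DMARC aggregate (rua) report and classify each sending source. The report is
constructed in the RFC 7489 Appendix C schema; reporter, domains and addresses are made up."""
import xml.etree.ElementTree as ET

REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-reports@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record><!-- Google Workspace: SPF and DKIM both pass and align -->
    <row><source_ip>203.0.113.123</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result><selector>google</selector></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><!-- web server missing from the SPF record and unsigned: a legitimate source to fix -->
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
  <record><!-- bulk sender: SPF passes for its own bounce domain, so only DKIM aligns -->
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result><selector>k1</selector></dkim>
      <spf><domain>bounce.bulkmailer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><!-- unknown host, nothing passes: probable spoofing -->
    <row><source_ip>203.0.113.250</source_ip><count>75</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

def classify(source):
    """DMARC passes when either SPF or DKIM passes *and* aligns with the From domain."""
    if "pass" in (source["spf_aligned"], source["dkim_aligned"]):
        if source["spf_aligned"] != "pass" and source["spf_raw"] == "pass":
            return "pass", f"DKIM only; SPF passed for unaligned domain {source['spf_domain']}"
        return "pass", ""
    if source["dkim_raw"] is None:
        return "fail", "unsigned and not in SPF: an unlisted legitimate sender or a spoofer"
    return "fail", "neither SPF nor DKIM aligned"

def summarize(xml_text):
    """Per-source verdicts plus totals for one aggregate report."""
    root = ET.fromstring(xml_text)
    sources = []
    for rec in root.findall("record"):
        row, pe = rec.find("row"), rec.find("row/policy_evaluated")
        spf, dkim = rec.find("auth_results/spf"), rec.find("auth_results/dkim")
        source = {
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "spf_aligned": pe.findtext("spf"), "dkim_aligned": pe.findtext("dkim"),  # aligned verdicts
            "spf_domain": spf.findtext("domain") if spf is not None else None,
            "spf_raw": spf.findtext("result") if spf is not None else None,          # raw SPF result
            "dkim_raw": dkim.findtext("result") if dkim is not None else None,
        }
        source["status"], source["reason"] = classify(source)
        sources.append(source)
    failing = sorted((s for s in sources if s["status"] == "fail"), key=lambda s: -s["count"])
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "messages": sum(s["count"] for s in sources),
        "passing": sum(s["count"] for s in sources if s["status"] == "pass"),
        "failing": sum(s["count"] for s in sources if s["status"] == "fail"),
        "sources": sources,
        "failing_sources": failing,   # largest offenders first: where to look before tightening p=
    }
```

The failing_sources list is the actionable output: 192.0.2.10 is the web server that belongs in the SPF record, while 203.0.113.250 is nobody you know. Real reports arrive gzipped or zipped as mail attachments and can contain hundreds of records; the parsing is the same.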

In summary, testing and validating your SPF record is an ongoing process. Use a combination of online SPF record checkers, email header analysis, command-line tools, and DMARC analyzers to ensure that your SPF record is correctly configured and effectively protecting your domain from email spoofing.

Example using `dig` (Linux/macOS):

dig txt example.com
This command queries the TXT records for `example.com`. The output will include your SPF record if it’s configured correctly.

Example using `nslookup` (Windows):

nslookup -type=txt example.com
This command performs the same function as the `dig` command, but using the `nslookup` tool available on Windows.

The output of these commands will display the TXT records for your domain, including your SPF record. You can then manually verify that the record is correct and doesn’t contain any errors.

Testing SPF with DMARC Analyzers Implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) provides a powerful way to monitor and improve your email authentication, including SPF. DMARC builds upon SPF and DKIM to provide a more robust authentication framework.

DMARC analyzers, such as those offered by Dmarcian and other vendors, process DMARC reports to provide insights into your email authentication performance. These reports show you:

  • Which sending sources are passing or failing SPF and DKIM checks.
  • The volume of email being sent from each source.
  • Any potential authentication issues.
By analyzing DMARC reports, you can identify any misconfigured SPF records or unauthorized sending sources. This allows you to take corrective action to improve your email deliverability and protect your domain from spoofing. DMARC reports are typically sent to an email address specified in your DMARC record (e.g., `ruf=mailto:dmarc-reports@example.com`).

In summary, testing and validating your SPF record is an ongoing process. Use a combination of online SPF record checkers, email header analysis, command-line tools, and DMARC analyzers to ensure that your SPF record is correctly configured and effectively protecting your domain from email spoofing.

SPF Record Configuration for Google Hosted Email

Ensuring proper email deliverability is crucial for any organization relying on Google Workspace (formerly G Suite). A Sender Policy Framework (SPF) record is a vital DNS record that helps prevent spammers from forging your domain in the “From” address. This article provides a comprehensive guide to configuring an SPF record specifically for Google-hosted email, covering common scenarios, troubleshooting tips, and best practices to maximize email delivery rates and minimize the risk of your emails being marked as spam. We’ll delve into practical examples and provide step-by-step instructions to ensure your SPF record is correctly configured and effective.

Understanding SPF and Its Importance

[Figure: diagram illustrating how SPF works: sender, email server, recipient email server, DNS lookup, SPF record, and email authentication.]
SPF, or Sender Policy Framework, is an email authentication method designed to prevent sender address forgery, a common technique used in phishing and spam. It works by allowing domain owners to specify which mail servers are authorized to send email on behalf of their domain. When a recipient mail server receives an email, it checks the SPF record of the sender’s domain. If the sending server is listed in the SPF record, the email is more likely to be considered legitimate. If not, the email might be flagged as spam or rejected outright, depending on the recipient server’s configuration.

Without an SPF record, spammers can easily spoof your domain’s email address, making it appear as if the email originated from you. This can damage your domain’s reputation, leading to legitimate emails being marked as spam. A properly configured SPF record tells receiving mail servers: “These are the only servers authorized to send email from my domain. If an email claims to be from my domain but originates from a different server, it’s likely a forgery.” This dramatically reduces the likelihood of your domain being used for spam and helps ensure that your legitimate emails reach their intended recipients.

Importance of SPF

The importance of SPF extends beyond just preventing spam. It directly impacts:
  • Email Deliverability: ISPs and email providers use SPF as one factor in determining whether to deliver emails to the inbox or mark them as spam.
  • Domain Reputation: Protecting your domain from being used in spam campaigns maintains a positive reputation, leading to better deliverability across all email services.
  • Brand Protection: Preventing phishing attacks that impersonate your brand helps maintain customer trust and avoids potential financial or reputational damage.
  • Compliance: Some regulations and industry standards require email authentication measures like SPF.
Neglecting SPF can have serious consequences, including decreased email deliverability, damage to your brand’s reputation, and potential legal repercussions if your domain is used in phishing attacks.

SPF Record Syntax: Key Components

An SPF record is a TXT record in your domain’s DNS settings. It follows a specific syntax:

v=spf1 [mechanisms] [modifiers]
Let’s break down each component:

  • v=spf1: This is the version of SPF being used. It’s mandatory and must be the first element in the record.
  • Mechanisms: These define the authorized sending sources. Common mechanisms include:
    • ip4: Specifies an IPv4 address or range. Example: ip4:192.0.2.0/24
    • ip6: Specifies an IPv6 address or range. Example: ip6:2001:db8::/32
    • a: Specifies the IP address(es) of the domain’s A record. Example: a:example.com
    • mx: Specifies the IP address(es) of the domain’s MX record(s). Example: mx:example.com
    • include: Includes another domain’s SPF record. This is crucial for Google Workspace. Example: include:_spf.google.com
    • exists: Checks if a given domain name resolves. Rarely used directly. Example: exists:%{s}.example.com
  • Qualifiers: Precede each mechanism and determine how the check is handled:
    • + (Pass): Explicitly allows the sending server (default if no qualifier is specified).
    • - (Fail): Explicitly denies the sending server. Recipient servers should reject the email.
    • ~ (SoftFail): Indicates the email might be from an unauthorized source, but the recipient server should accept it with a warning (e.g., mark it as spam).
    • ? (Neutral): Indicates the domain owner makes no assertion about whether the sending server is authorized. Effectively disables SPF checking.
  • Modifiers: Provide additional instructions or information.
    • redirect=: Redirects the SPF check to another domain’s SPF record. Example: redirect=example.net
    • exp=: Names a domain whose TXT record holds an explanation string that is returned when an email fails the SPF check (rarely used). Example: exp=email.example.com
  • all: Matches all IP addresses. It’s usually placed at the end of the record and used with a qualifier to define the default behavior for addresses not matched by other mechanisms. Common uses:
    • -all: Fail all unmatched addresses (strict policy).
    • ~all: SoftFail all unmatched addresses (more lenient).
    • ?all: Neutral for all unmatched addresses (effectively disables SPF).
Example SPF Record (Basic for Google Workspace):

v=spf1 include:_spf.google.com -all
This record states: “Use SPF version 1. Include Google’s SPF records (which list their authorized sending servers). Fail any other sending servers not explicitly authorized.” The `include:_spf.google.com` directive is critical when using Google Workspace, as it delegates the responsibility of specifying Google’s sending servers to Google themselves. They maintain this list, so you don’t have to manually update your SPF record every time Google adds or changes a server.

Important Considerations:

  • Only one SPF record per domain: Publishing more than one `v=spf1` TXT record for the same name is invalid and makes the SPF check return a permanent error. If you need to authorize multiple sources, combine them into a single record.
  • The 10-lookup limit: SPF records can include nested `include:` mechanisms. However, the total number of DNS lookups performed during an SPF evaluation is limited to 10. Exceeding this limit can cause SPF checks to fail. Try to consolidate your SPF record to minimize lookups.
  • Prioritize security: Use the `-all` mechanism at the end of your record to enforce a strict policy and reject unauthorized emails. If you’re unsure, `~all` (SoftFail) is a safer initial option.

Creating Your SPF Record for Google Workspace

[Figure: screenshot of a DNS management interface showing the addition of a TXT record with the SPF value.]
Creating an SPF record for Google Workspace involves several key steps: identifying your sending sources, constructing the SPF record syntax, adding the record to your domain’s DNS settings, and validating the record’s correctness. This section provides a detailed walkthrough of each step, ensuring a properly configured SPF record for optimal email deliverability.

Step 1: Identifying Your Sending Sources

Before creating your SPF record, it’s crucial to identify all the servers and services that send email on behalf of your domain. This includes:

  • Google Workspace Servers: This is the primary source when using Google Workspace for email. You’ll use the include:_spf.google.com mechanism to authorize these servers.
  • Web Servers: If your website sends emails (e.g., contact form submissions, password reset emails), you need to include the IP address of your web server or use the a or mx mechanisms if the server is associated with your domain.
  • Marketing Automation Platforms: If you use services like Mailchimp, SendGrid, or HubSpot, you’ll need to include their SPF records using the include: mechanism they provide.
  • Transactional Email Services: Services like Sendinblue or Amazon SES also require including their SPF records.
  • On-Premise Email Servers: If you have any on-premise email servers that send email for your domain, you need to include their IP addresses or hostnames.
Failing to include all your sending sources in your SPF record can lead to legitimate emails being flagged as spam. Make a comprehensive list before proceeding to the next step.

Step 2: Constructing the SPF Record

For Google Workspace, the base SPF record will always include Google’s SPF record. Start with this:

v=spf1 include:_spf.google.com
Now, add any other sending sources you identified in the previous step. Here are some examples:

  • Adding a web server with IP address 192.0.2.10:
v=spf1 include:_spf.google.com ip4:192.0.2.10 -all
  • Adding Mailchimp: (Replace `servers.mcsv.net` with the correct value for your Mailchimp account if different).
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
  • Adding SendGrid:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Important: Always place the `include:_spf.google.com` directive *before* any other `include:` directives. Receiving servers evaluate mechanisms from left to right and stop at the first match, so listing Google first means the bulk of your mail is matched without evaluating the later includes.

Finally, add the `all` mechanism to define the default behavior. Using `-all` is recommended for a strict policy, but `~all` is a safer starting point if you’re unsure:

v=spf1 include:_spf.google.com include:servers.mcsv.net -all
This complete SPF record allows Google Workspace servers and Mailchimp servers to send email on behalf of your domain and fails any other sending servers.

Step 3: Adding the SPF Record to Your DNS Settings

To add the SPF record, you’ll need to access your domain’s DNS management interface. This is typically provided by your domain registrar (e.g., GoDaddy, Namecheap, Google Domains) or your hosting provider. The exact steps vary depending on the provider, but the general process is:

  • Log in to your domain registrar or hosting provider’s control panel.
  • Navigate to the DNS management section. This might be called “DNS Zone Editor,” “DNS Records,” or something similar.
  • Create a new TXT record.
  • Enter the following values:
    • Host/Name: Enter @ or leave it blank to apply the record to the root domain (e.g., example.com). If you’re creating the record for a subdomain (e.g., mail.example.com), enter the subdomain.
    • Type: Select TXT.
    • Value/Text: Enter the SPF record you constructed in Step 2 (e.g., v=spf1 include:_spf.google.com include:servers.mcsv.net -all).
    • TTL (Time to Live): This determines how long DNS servers cache the record. The default TTL is usually fine (e.g., 3600 seconds or 1 hour).
  • Save the record.
Example using Google Domains:

  • Log in to Google Domains.
  • Select your domain.
  • Click on “DNS.”
  • Scroll down to “Custom resource records.”
  • Enter the following:
    • Name: @
    • Type: TXT
    • TTL: 3600
    • Data: v=spf1 include:_spf.google.com include:servers.mcsv.net -all
  • Click “Add.”
Important: DNS changes can take up to 48 hours to propagate across the internet, although it’s often much faster. During this time, some email servers might use the old SPF record (or no SPF record), while others use the new one.

Step 4: Validating the SPF Record

After adding the SPF record, it’s essential to validate its correctness. You can use online SPF record checkers to verify that the record is valid and doesn’t contain any errors; several reputable checkers are listed in the Testing and Validating section later in this article.

Simply enter your domain name into the tool, and it will check the SPF record for syntax errors, DNS lookup issues, and other potential problems. Pay close attention to any warnings or errors and correct them accordingly.

Example using MXToolbox: the tool will display the SPF record and any issues it finds. For example, it might warn if you have multiple SPF records or if you’re exceeding the 10-lookup limit.

Expert Tip: After updating your SPF record, send test emails from all your sending sources (e.g., your web server, your marketing automation platform) to an email address you control (e.g., a Gmail account). Check the email headers to see if the SPF check passed. In Gmail, you can view the headers by opening the email, clicking on the three dots in the upper right corner, and selecting “Show original.” Look for the “Received-SPF” header. It should say “pass” if the SPF check passed.

Handling Multiple Senders and Third-Party Services

In today’s digital landscape, it’s common for organizations to use multiple services for sending emails, including Google Workspace, marketing automation platforms, transactional email services, and more. Managing SPF records for these diverse senders can be complex. This section provides guidance on how to create a comprehensive SPF record that authorizes all your legitimate sending sources while maintaining optimal email deliverability.

The `include:` Mechanism: Delegation is Key

The `include:` mechanism is the cornerstone of managing multiple senders. It allows you to delegate the responsibility of specifying authorized sending servers to the third-party service itself. Instead of manually adding IP addresses for each service, you simply include their SPF record in your own. This makes maintenance much easier, as the service provider is responsible for keeping their SPF record up-to-date.

Example:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net -all
This record authorizes Google Workspace, Mailchimp (using the `servers.mcsv.net` SPF record), and SendGrid to send email on behalf of your domain. If Mailchimp or SendGrid changes their sending infrastructure, you don’t need to update your SPF record; they will update their own SPF record, and your record will automatically reflect those changes.

Finding the Correct `include:` Value

Each third-party service has its own specific SPF record that you need to include. The correct value is usually documented in their help documentation or setup guides. Here’s how to find the SPF record for some common services:

  • Mailchimp: Search their help documentation for “SPF record” or “email authentication.” The correct value is usually include:servers.mcsv.net (but verify this for your specific account).
  • SendGrid: Search their help documentation for “SPF record.” The correct value is include:sendgrid.net.
  • HubSpot: Search their help documentation for “SPF record.” The correct value is include:hs-spf.hubspotemail.net.
  • Amazon SES: The correct value depends on the AWS region you’re using. Refer to the Amazon SES documentation for the correct include: value for your region (e.g., include:amazonses.com for the default region).
  • Sendinblue: The correct value is include:spf.sendinblue.com.
Important: Always verify the SPF record value in the service provider’s official documentation. Do not rely on outdated information from third-party websites.

The 10-Lookup Limit: A Critical Constraint

As mentioned earlier, SPF has a limit of 10 DNS lookups during evaluation. Each `include:` mechanism triggers at least one lookup, and nested `include:` statements can trigger multiple lookups. Exceeding this limit will cause the SPF check to fail, even if the sending server is authorized. This is a common problem when using multiple third-party services.

Example:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net include:hs-spf.hubspotemail.net include:spf.sendinblue.com -all
This record includes five `include:` mechanisms. If any of these included records have nested `include:` statements, it’s possible to exceed the 10-lookup limit.

Strategies for Staying Under the Limit:

  • Minimize `include:` statements: Only include the SPF records for services you actively use. Remove any unused or outdated `include:` statements.
  • Flatten your SPF record (Use with Caution): Instead of using `include:`, you can manually add the IP addresses of the sending servers directly to your SPF record using the `ip4:` and `ip6:` mechanisms. This is generally not recommended: you must update your SPF record yourself whenever the service provider changes their sending infrastructure, which is time-consuming and error-prone, so reserve it for cases where nothing else keeps you under the limit.
  • Use a dedicated email sending domain or subdomain: If you are using a large number of third-party senders, consider using a separate domain or subdomain (e.g., `mail.example.com`) specifically for sending email. This allows you to create a separate SPF record for that subdomain with only the necessary `include:` statements. This isolates the impact of the 10-lookup limit to that subdomain.
Expert Quote: “The 10-lookup limit is a common pain point with SPF. Regularly review your SPF record and remove any unnecessary `include:` statements. Prioritize the services that send the most critical emails.” – Email Deliverability Consultant
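As an added example (not code from the article), here is a small offline checker in Python for the record syntax described earlier and for the 10-lookup budget discussed in this section: it parses `v=spf1` terms, flags a missing or misplaced `all`, more than one record and `?all`, and counts the lookups an evaluator would spend by following `include:` and `redirect=` recursively, charging `a`, `mx`, `ptr` and `exists` as well, which RFC 7208 counts against the same limit. The ZONE dictionary is a constructed stand-in for DNS; its records are illustrative and are not the real records published by Google, Mailchimp or any other provider.

```python
"""Offline SPF record checker: parses the v=spf1 syntax, runs the local
sanity checks (one record, terminal 'all', no 'ptr', no '?all') and counts
the DNS lookups an evaluator would spend, following include: and redirect=
recursively so nested includes are charged against the limit of 10.
Added example, not code from the article; ZONE is constructed, not real DNS."""
import re

MAX_LOOKUPS = 10
# Terms that cost a DNS lookup (RFC 7208 section 4.6.4); ip4, ip6 and all are free.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MOD_RE = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.IGNORECASE)
MECH_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?::([^/]*))?(/.*)?$", re.IGNORECASE)

# Constructed zone data: domain -> TXT records. Illustrative only, not real records.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:servers.mcsv.net -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "servers.mcsv.net": ["v=spf1 ip4:203.0.113.0/24 ?all"],
    "vendor-a.example": ["v=spf1 include:_spf.google.com a mx -all"],
    "heavy.example": ["v=spf1 include:_spf.google.com include:servers.mcsv.net "
                      "include:vendor-a.example -all"],
    "two-records.example": ["v=spf1 -all", "v=spf1 include:_spf.google.com -all"],
    "loop.example": ["v=spf1 include:loop.example -all"],
}


def parse_spf(record):
    """Return a list of (qualifier, name, argument, is_modifier) tuples."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        mod = MOD_RE.match(tok)
        if mod:  # modifiers such as redirect=... or exp=...
            terms.append(("", mod.group(1).lower(), mod.group(2), True))
            continue
        mech = MECH_RE.match(tok)
        if not mech:
            raise ValueError(f"unparseable term: {tok}")
        qualifier = mech.group(1) or "+"  # '+' (Pass) is the default qualifier
        terms.append((qualifier, mech.group(2).lower(), mech.group(3) or "", False))
    return terms


def spf_records(domain, zone):
    """The v=spf1 TXT records published for a name in the (constructed) zone."""
    return [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]


def local_problems(domain, zone):
    """Checks that need nothing beyond the domain's own TXT records."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"expected exactly one v=spf1 record, found {len(records)}"]
    terms = parse_spf(records[0])
    mechs = [t for t in terms if not t[3]]
    names = [m[1] for m in mechs]
    has_redirect = any(t[1] == "redirect" for t in terms if t[3])
    problems = []
    if "all" not in names and not has_redirect:
        problems.append("no terminal 'all': unmatched senders evaluate to Neutral")
    elif "all" in names and names.index("all") != len(names) - 1:
        problems.append("mechanisms after 'all' are never evaluated")
    for qualifier, name, _arg, _mod in mechs:
        if name == "all" and qualifier == "?":
            problems.append("?all makes no assertion at all; prefer ~all or -all")
        if name == "ptr":
            problems.append("ptr is deprecated, slow and lookup-hungry")
    return problems


def count_lookups(domain, zone, path=()):
    """Lookups spent evaluating `domain`, charging nested include/redirect too."""
    if domain in path:
        raise ValueError(f"include loop: {' -> '.join(path + (domain,))}")
    records = spf_records(domain, zone)
    if len(records) != 1:
        raise ValueError(f"{domain}: expected one SPF record, found {len(records)}")
    total = 0
    for _qual, name, arg, is_mod in parse_spf(records[0]):
        if name in LOOKUP_MECHANISMS or (is_mod and name == "redirect"):
            total += 1  # the term itself is one lookup
        if name in ("include", "redirect"):  # and whatever the target spends
            total += count_lookups(arg, zone, path + (domain,))
    return total


def check_domain(domain, zone=ZONE):
    """Summarise the local checks and the lookup budget for one domain."""
    problems = local_problems(domain, zone)
    try:
        lookups = count_lookups(domain, zone)
    except ValueError as exc:
        problems.append(str(exc))
        lookups = None
    if lookups is not None and lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return {"domain": domain, "lookups": lookups, "problems": problems}


if __name__ == "__main__":
    for name in ("example.com", "heavy.example", "two-records.example", "loop.example"):
        print(check_domain(name))
```

Against the constructed zone, `example.com` spends 5 lookups (Google's three nested includes plus the two top-level ones) while `heavy.example` spends 12, which is how a record with only three `include:` terms can still breach the limit.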

Testing and Monitoring Your SPF Record with Multiple Senders

After configuring your SPF record with multiple senders, thorough testing and ongoing monitoring are crucial. Here’s how:

  • Use SPF Record Checkers: Use online SPF record checkers (like MXToolbox) to verify that your SPF record is valid and doesn’t exceed the 10-lookup limit.
  • Send Test Emails: Send test emails from each of your sending sources (Google Workspace, Mailchimp, SendGrid, etc.) to an email address you control (e.g., a Gmail account). Check the email headers to confirm that the SPF check passed.
  • Monitor Email Deliverability: Pay attention to your email deliverability rates. If you notice a sudden drop in deliverability, it could indicate an issue with your SPF record.
  • Use DMARC Reporting: Implement DMARC (Domain-based Message Authentication, Reporting & Conformance) and enable DMARC reporting. DMARC reports provide valuable insights into how your emails are being authenticated and whether SPF and DKIM (DomainKeys Identified Mail) are passing. This allows you to identify and address any authentication issues.

Testing and Validating Your SPF Record

Once you’ve created or modified your SPF record, rigorous testing and validation are essential to ensure its effectiveness. A faulty SPF record can lead to legitimate emails being rejected or marked as spam, negating the benefits of implementing SPF in the first place. This section details various methods for testing and validating your SPF record, providing practical examples and tools to help you identify and resolve any potential issues.

Using Online SPF Record Checkers

Online SPF record checkers are the most convenient and readily accessible tools for validating your SPF record. These tools analyze your record for syntax errors, DNS lookup issues, and other common problems. Several reputable options are available:

  • MXToolbox SPF Record Check: https://mxtoolbox.com/spf.aspx – Provides a detailed analysis of your SPF record, including syntax validation, DNS lookup checks, and warnings for common issues like exceeding the 10-lookup limit.
  • Dmarcian SPF Surveyor: https://dmarcian.com/spf-survey/ – Offers a comprehensive SPF record analysis and visualization, highlighting potential issues and providing recommendations for improvement.
  • SPF Check by Agari (now Proofpoint): https://spfcheck.agari.com/ (May require account creation) – Checks the validity and structure of your SPF record.
Example using MXToolbox:

  • Navigate to https://mxtoolbox.com/spf.aspx.
  • Enter your domain name (e.g., example.com) in the “Domain Name” field.
  • Click the “SPF Record Lookup” button.
MXToolbox will display your SPF record and any issues it detects. Look for the following:

  • Syntax Errors: The tool will highlight any syntax errors in your SPF record, such as missing spaces or incorrect qualifiers.
  • Multiple SPF Records: The tool will warn you if you have multiple SPF records, which is invalid and can cause SPF checks to fail.
  • DNS Lookup Issues: The tool will check if all the domains listed in your `include:` mechanisms can be resolved and if you’re exceeding the 10-lookup limit.
  • Warnings: The tool may provide warnings about potential issues, such as using the `ptr` mechanism (which is generally not recommended) or not having a final `all` mechanism.
Analyzing Email Headers for SPF Results

A more direct way to test your SPF record is to analyze the email headers of emails sent from your domain. Email headers contain information about the email’s path, authentication results, and other technical details. Most email clients allow you to view the full email headers.

Steps to view email headers in Gmail:

  • Open the email you want to analyze.
  • Click the three dots in the upper right corner of the email.
  • Select “Show original.”
The “Original Message” page will display the full email headers. Look for the “Received-SPF” header. This header indicates the result of the SPF check performed by the receiving mail server.

Possible values for the “Received-SPF” header:

  • Pass: The SPF check passed. The sending server is authorized to send email on behalf of the domain.
  • Fail: The SPF check failed. The sending server is not authorized to send email on behalf of the domain.
  • SoftFail: The SPF check resulted in a soft fail. The sending server is not explicitly authorized, but the email is not necessarily rejected. The recipient server might mark the email as spam.
  • Neutral: The SPF record is neutral (e.g., `?all`). The SPF check doesn’t provide any information about whether the sending server is authorized.
  • None: No SPF record was found for the domain.
  • Error: An error occurred during the SPF check.
Example “Received-SPF” header:

Received-SPF: pass (google.com: domain of test@example.com designates 203.0.113.123 as permitted sender) client-ip=203.0.113.123; envelope-from=test@example.com;
This header indicates that the SPF check passed. The domain `example.com` designates the IP address `203.0.113.123` as a permitted sender.

If the “Received-SPF” header indicates “Fail” or “SoftFail,” it means there’s an issue with your SPF record. Double-check that you’ve included all your authorized sending sources and that your SPF record is correctly configured.
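To automate the header check described above (and the test-email routine from the Expert Tip earlier), here is an added Python example, not code from the article, that pulls every `Received-SPF` header out of a raw message, unfolds continuation lines, and turns each result into the action the domain owner should take. The message it parses is constructed for the example and is not a real delivery.

```python
"""Extract Received-SPF headers from a raw message and triage the result.
Added example, not code from the article; RAW_HEADERS is constructed."""
import re

# Result tokens a receiver may write; anything else is reported as "error".
RESULTS = {"pass", "fail", "softfail", "neutral", "none", "temperror", "permerror"}
HEADER_RE = re.compile(r"^Received-SPF:\s*(\w+)\s*(?:\(([^)]*)\))?\s*(.*)$", re.IGNORECASE)
KV_RE = re.compile(r"([\w.-]+)=([^;\s]+)")

# Constructed sample: two hops, one folded header, one softfail. Not a real message.
RAW_HEADERS = """\
Delivered-To: inbox@example.org
Received-SPF: pass (google.com: domain of test@example.com designates 203.0.113.123 as permitted sender) client-ip=203.0.113.123;
 envelope-from=test@example.com; helo=mail.example.com;
Authentication-Results: mx.google.com; spf=pass smtp.mailfrom=test@example.com
Received-SPF: softfail (google.com: domain of transitioning news@example.com does not designate 198.51.100.7 as permitted sender) client-ip=198.51.100.7; envelope-from=news@example.com;
From: Test <test@example.com>
Subject: SPF test
"""


def unfold(raw):
    """Join RFC 5322 folded lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received_spf(raw):
    """One dict per Received-SPF header: result, comment and the key=value fields."""
    entries = []
    for line in unfold(raw):
        match = HEADER_RE.match(line)
        if not match:
            continue
        result = match.group(1).lower()
        entry = {"result": result if result in RESULTS else "error",
                 "comment": match.group(2) or ""}
        entry.update((k.lower(), v) for k, v in KV_RE.findall(match.group(3)))
        entries.append(entry)
    return entries


def triage(entry, our_domain):
    """Turn a parsed header into the action the domain owner should take."""
    sender = entry.get("envelope-from", "")
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain != our_domain.lower():  # forwarded or foreign mail: not our record's result
        return f"skip: envelope-from {sender or '(empty)'} is not {our_domain}"
    ip = entry.get("client-ip", "unknown IP")
    result = entry["result"]
    if result == "pass":
        return f"ok: {ip} is an authorized sender for {domain}"
    if result in ("fail", "softfail"):
        return (f"action: {ip} sent as {sender} but is not in the SPF record; "
                f"add its ip4:/ip6: or the provider's include:, or retire that sender")
    if result == "none":
        return f"action: no SPF record found for {domain}"
    if result == "neutral":
        return f"warn: record for {domain} makes no assertion about {ip} (?all)"
    return f"check: evaluator error for {domain}, re-test once DNS has settled"


if __name__ == "__main__":
    for entry in parse_received_spf(RAW_HEADERS):
        print(entry["result"], "->", triage(entry, "example.com"))
```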

Using Command-Line Tools for SPF Record Lookup

For more advanced users, command-line tools like `dig` or `nslookup` can be used to directly query DNS records, including SPF records. These tools provide more granular control over the DNS lookup process.

Example using `dig` (Linux/macOS):

dig txt example.com
This command queries the TXT records for `example.com`. The output will include your SPF record if it’s configured correctly.

Example using `nslookup` (Windows):

nslookup -type=txt example.com
This command performs the same function as the `dig` command, but using the `nslookup` tool available on Windows.

The output of these commands will display the TXT records for your domain, including your SPF record. You can then manually verify that the record is correct and doesn’t contain any errors.

Testing SPF with DMARC Analyzers

Implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) provides a powerful way to monitor and improve your email authentication, including SPF. DMARC builds upon SPF and DKIM to provide a more robust authentication framework.

DMARC analyzers, such as those offered by Dmarcian and other vendors, process DMARC reports to provide insights into your email authentication performance. These reports show you:

  • Which sending sources are passing or failing SPF and DKIM checks.
  • The volume of email being sent from each source.
  • Any potential authentication issues.
By analyzing DMARC reports, you can identify any misconfigured SPF records or unauthorized sending sources. This allows you to take corrective action to improve your email deliverability and protect your domain from spoofing. DMARC reports are sent to the addresses named in your DMARC record: aggregate reports to the `rua=` address and failure reports to the `ruf=` address (e.g., `ruf=mailto:dmarc-reports@example.com`).

In summary, testing and validating your SPF record is an ongoing process. Use a combination of online SPF record checkers, email header analysis, command-line tools, and DMARC analyzers to ensure that your SPF record is correctly configured and effectively protecting your domain from email spoofing.

Example using `nslookup` (Windows):

nslookup -type=txt example.com
This command performs the same function as the `dig` command, but using the `nslookup` tool available on Windows.

The output of these commands will display the TXT records for your domain, including your SPF record. You can then manually verify that the record is correct and doesn’t contain any errors.

Testing SPF with DMARC Analyzers Implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) provides a powerful way to monitor and improve your email authentication, including SPF. DMARC builds upon SPF and DKIM to provide a more robust authentication framework.

DMARC analyzers, such as those offered by Dmarcian and other vendors, process DMARC reports to provide insights into your email authentication performance. These reports show you:

  • Which sending sources are passing or failing SPF and DKIM checks.
  • The volume of email being sent from each source.
  • Any potential authentication issues.
By analyzing DMARC reports, you can identify any misconfigured SPF records or unauthorized sending sources. This allows you to take corrective action to improve your email deliverability and protect your domain from spoofing. DMARC reports are typically sent to an email address specified in your DMARC record (e.g., `ruf=mailto:dmarc-reports@example.com`).

In summary, testing and validating your SPF record is an ongoing process. Use a combination of online SPF record checkers, email header analysis, command-line tools, and DMARC analyzers to ensure that your SPF record is correctly configured and effectively protecting your domain from email spoofing.

Using Command-Line Tools for SPF Record Lookup For more advanced users, command-line tools like `dig` or `nslookup` can be used to directly query DNS records, including SPF records. These tools provide more granular control over the DNS lookup process.

Example using `dig` (Linux/macOS):

dig txt example.com
This command queries the TXT records for `example.com`. The output will include your SPF record if it’s configured correctly.

Example using `nslookup` (Windows):

nslookup -type=txt example.com
This command performs the same function as the `dig` command, but using the `nslookup` tool available on Windows.

The output of these commands will display the TXT records for your domain, including your SPF record. You can then manually verify that the record is correct and doesn’t contain any errors.

Testing SPF with DMARC Analyzers Implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) provides a powerful way to monitor and improve your email authentication, including SPF. DMARC builds upon SPF and DKIM to provide a more robust authentication framework.

DMARC analyzers, such as those offered by Dmarcian and other vendors, process DMARC reports to provide insights into your email authentication performance. These reports show you:

  • Which sending sources are passing or failing SPF and DKIM checks.
  • The volume of email being sent from each source.
  • Any potential authentication issues.
By analyzing DMARC reports, you can identify any misconfigured SPF records or unauthorized sending sources. This allows you to take corrective action to improve your email deliverability and protect your domain from spoofing. DMARC reports are typically sent to an email address specified in your DMARC record (e.g., `ruf=mailto:dmarc-reports@example.com`).

In summary, testing and validating your SPF record is an ongoing process. Use a combination of online SPF record checkers, email header analysis, command-line tools, and DMARC analyzers to ensure that your SPF record is correctly configured and effectively protecting your domain from email spoofing.

SPF Record Configuration for Google Hosted Email

Ensuring proper email deliverability is crucial for any organization relying on Google Workspace (formerly G Suite). A Sender Policy Framework (SPF) record is a vital DNS record that helps prevent spammers from forging your domain in the “From” address. This article provides a comprehensive guide to configuring an SPF record specifically for Google-hosted email, covering common scenarios, troubleshooting tips, and best practices to maximize email delivery rates and minimize the risk of your emails being marked as spam. We’ll delve into practical examples and provide step-by-step instructions to ensure your SPF record is correctly configured and effective.

Table of Contents:

Understanding SPF and Its Importance

Spf record for google hosted email - Diagram illustrating how SPF works: sender, email server, recipient email server, DNS lookup, SPF record, and email authentication.
SPF, or Sender Policy Framework, is an email authentication method designed to prevent sender address forgery, a common technique used in phishing and spam. It works by allowing domain owners to specify which mail servers are authorized to send email on behalf of their domain. When a recipient mail server receives an email, it checks the SPF record of the sender’s domain. If the sending server is listed in the SPF record, the email is more likely to be considered legitimate. If not, the email might be flagged as spam or rejected outright, depending on the recipient server’s configuration.

Without an SPF record, spammers can easily spoof your domain’s email address, making it appear as if the email originated from you. This can damage your domain’s reputation, leading to legitimate emails being marked as spam. A properly configured SPF record tells receiving mail servers: “These are the only servers authorized to send email from my domain. If an email claims to be from my domain but originates from a different server, it’s likely a forgery.” This dramatically reduces the likelihood of your domain being used for spam and helps ensure that your legitimate emails reach their intended recipients.

Importance of SPF The importance of SPF extends beyond just preventing spam. It directly impacts:
  • Email Deliverability: ISPs and email providers use SPF as one factor in determining whether to deliver emails to the inbox or mark them as spam.
  • Domain Reputation: Protecting your domain from being used in spam campaigns maintains a positive reputation, leading to better deliverability across all email services.
  • Brand Protection: Preventing phishing attacks that impersonate your brand helps maintain customer trust and avoids potential financial or reputational damage.
  • Compliance: Some regulations and industry standards require email authentication measures like SPF.
Neglecting SPF can have serious consequences, including decreased email deliverability, damage to your brand’s reputation, and potential legal repercussions if your domain is used in phishing attacks.

SPF Record Syntax: Key Components An SPF record is a TXT record in your domain’s DNS settings. It follows a specific syntax:

v=spf1 [mechanisms] [modifiers]
Let’s break down each component:

  • v=spf1: This is the version of SPF being used. It’s mandatory and must be the first element in the record.
  • Mechanisms: These define the authorized sending sources. Common mechanisms include:
    • ip4: Specifies an IPv4 address or range. Example: ip4:192.0.2.0/24
    • ip6: Specifies an IPv6 address or range. Example: ip6:2001:db8::/32
    • a: Specifies the IP address(es) of the domain’s A record. Example: a:example.com
    • mx: Specifies the IP address(es) of the domain’s MX record(s). Example: mx:example.com
    • include: Includes another domain’s SPF record. This is crucial for Google Workspace. Example: include:_spf.google.com
    • exists: Checks if a given domain name resolves. Rarely used directly. Example: exists:%{s}.example.com
  • Qualifiers: Precede each mechanism and determine how the check is handled:
    • + (Pass): Explicitly allows the sending server (default if no qualifier is specified).
    • - (Fail): Explicitly denies the sending server. Recipient servers should reject the email.
    • ~ (SoftFail): Indicates the email might be from an unauthorized source, but the recipient server should accept it with a warning (e.g., mark it as spam).
    • ? (Neutral): Indicates the domain owner makes no assertion about whether the sending server is authorized. Effectively disables SPF checking.
  • Modifiers: Provide additional instructions or information.
    • redirect=: Redirects the SPF check to another domain’s SPF record. Example: redirect=example.net
    • exp=: Provides an explanation string for why an email failed the SPF check (rarely used). Example: exp=email.example.com
  • all: Matches all IP addresses. It’s usually placed at the end of the record and used with a qualifier to define the default behavior for addresses not matched by other mechanisms. Common uses:
    • -all: Fail all unmatched addresses (strict policy).
    • ~all: SoftFail all unmatched addresses (more lenient).
    • ?all: Neutral for all unmatched addresses (effectively disables SPF).
Example SPF Record (Basic for Google Workspace):

v=spf1 include:_spf.google.com -all
This record states: “Use SPF version 1. Include Google’s SPF records (which list their authorized sending servers). Fail any other sending servers not explicitly authorized.” The `include:_spf.google.com` directive is critical when using Google Workspace, as it delegates the responsibility of specifying Google’s sending servers to Google themselves. They maintain this list, so you don’t have to manually update your SPF record every time Google adds or changes a server.

Important Considerations:

  • Only one SPF record per domain: Having multiple SPF records can cause issues with SPF evaluation. If you need to include multiple sources, combine them into a single record.
  • The 10-lookup limit: SPF records can include nested `include:` mechanisms. However, the total number of DNS lookups performed during an SPF evaluation is limited to 10. Exceeding this limit can cause SPF checks to fail. Try to consolidate your SPF record to minimize lookups.
  • Prioritize security: Use the `-all` mechanism at the end of your record to enforce a strict policy and reject unauthorized emails. If you’re unsure, `~all` (SoftFail) is a safer initial option.
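To make the syntax rules and the considerations above concrete, here is an added Python example (not code from the original article) that tokenizes an SPF record into qualifier/mechanism/modifier terms and flags the problems just described: more than one record, a `+all`/`?all` default, terms placed after `all`, a missing final `all`, the `ptr` mechanism, and more than 10 lookup-costing terms in the record itself (nested includes are not followed here). The `Term`, `parse_spf` and `check_spf` names are my own.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Terms that cost a DNS lookup during evaluation; SPF caps these at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

@dataclass
class Term:
    qualifier: str      # "+", "-", "~" or "?" ("+" when none is written)
    name: str           # mechanism or modifier name, lower-cased
    value: str | None   # argument after ":" or "=", None when absent

def parse_spf(record: str) -> list[Term]:
    """Split one SPF TXT record into terms; raise ValueError on bad syntax."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        qualifier = "+"
        if tok[:1] in ("+", "-", "~", "?"):
            qualifier, tok = tok[0], tok[1:]
        if "=" in tok:                                 # modifier, e.g. redirect=example.net
            name, value = tok.split("=", 1)
            terms.append(Term(qualifier, name.lower(), value))
            continue
        name, sep, value = tok.partition(":")          # mechanism, e.g. ip4:192.0.2.0/24
        name = name.split("/", 1)[0].lower()           # "mx/24" is mx with a CIDR suffix
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism {name!r}")
        if name in ("ip4", "ip6"):
            ipaddress.ip_network(value, strict=False)  # raises ValueError if malformed
        terms.append(Term(qualifier, name, value if sep else None))
    return terms

def check_spf(txt_records: list[str]) -> list[str]:
    """Return the problems found in a domain's TXT records (empty list = looks fine)."""
    spf = [r for r in txt_records if r.lower().split(" ", 1)[0] == "v=spf1"]
    problems = []
    if len(spf) != 1:
        problems.append(f"expected exactly one SPF record, found {len(spf)}")
    if not spf:
        return problems
    try:
        terms = parse_spf(spf[0])
    except ValueError as err:
        return problems + [f"syntax error: {err}"]
    lookups = sum(1 for t in terms if t.name in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}")
    names = [t.name for t in terms]
    if "all" in names and names.index("all") != len(names) - 1:
        problems.append("terms after 'all' are never evaluated")
    if "all" not in names and "redirect" not in names:
        problems.append("no final 'all': unmatched senders get a Neutral result")
    for t in terms:
        if t.name == "all" and t.qualifier in ("+", "?"):
            problems.append(f"'{t.qualifier}all' effectively disables SPF enforcement")
        if t.name == "ptr":
            problems.append("'ptr' mechanism is slow and not recommended")
    return problems
```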

Creating Your SPF Record for Google Workspace

[Screenshot: a DNS management interface showing the addition of a TXT record with the SPF value.]
Creating an SPF record for Google Workspace involves several key steps: identifying your sending sources, constructing the SPF record syntax, adding the record to your domain’s DNS settings, and validating the record’s correctness. This section provides a detailed walkthrough of each step, ensuring a properly configured SPF record for optimal email deliverability.

Step 1: Identifying Your Sending Sources

Before creating your SPF record, it’s crucial to identify all the servers and services that send email on behalf of your domain. This includes:

  • Google Workspace Servers: This is the primary source when using Google Workspace for email. You’ll use the include:_spf.google.com mechanism to authorize these servers.
  • Web Servers: If your website sends emails (e.g., contact form submissions, password reset emails), you need to include the IP address of your web server or use the a or mx mechanisms if the server is associated with your domain.
  • Marketing Automation Platforms: If you use services like Mailchimp, SendGrid, or HubSpot, you’ll need to include their SPF records using the include: mechanism they provide.
  • Transactional Email Services: Services like Sendinblue or Amazon SES also require including their SPF records.
  • On-Premise Email Servers: If you have any on-premise email servers that send email for your domain, you need to include their IP addresses or hostnames.
Failing to include all your sending sources in your SPF record can lead to legitimate emails being flagged as spam. Make a comprehensive list before proceeding to the next step.

Step 2: Constructing the SPF Record

For Google Workspace, the base SPF record will always include Google’s SPF record. Start with this:

v=spf1 include:_spf.google.com
Now, add any other sending sources you identified in the previous step. Here are some examples:

  • Adding a web server with IP address 192.0.2.10:
v=spf1 include:_spf.google.com ip4:192.0.2.10 -all
  • Adding Mailchimp: (Replace `servers.mcsv.net` with the correct value for your Mailchimp account if different).
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
  • Adding SendGrid:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Important: Always place the `include:_spf.google.com` directive *before* any other `include:` directives. This is a best practice to ensure that Google’s SPF records are evaluated first.

Finally, add the `all` mechanism to define the default behavior. Using `-all` is recommended for a strict policy, but `~all` is a safer starting point if you’re unsure:

v=spf1 include:_spf.google.com include:servers.mcsv.net -all
This complete SPF record allows Google Workspace servers and Mailchimp servers to send email on behalf of your domain and fails any other sending servers.

Step 3: Adding the SPF Record to Your DNS Settings

To add the SPF record, you’ll need to access your domain’s DNS management interface. This is typically provided by your domain registrar (e.g., GoDaddy, Namecheap, Google Domains) or your hosting provider. The exact steps vary depending on the provider, but the general process is:

  • Log in to your domain registrar or hosting provider’s control panel.
  • Navigate to the DNS management section. This might be called “DNS Zone Editor,” “DNS Records,” or something similar.
  • Create a new TXT record.
  • Enter the following values:
    • Host/Name: Enter @ or leave it blank to apply the record to the root domain (e.g., example.com). If you’re creating the record for a subdomain (e.g., mail.example.com), enter the subdomain.
    • Type: Select TXT.
    • Value/Text: Enter the SPF record you constructed in Step 2 (e.g., v=spf1 include:_spf.google.com include:servers.mcsv.net -all).
    • TTL (Time to Live): This determines how long DNS servers cache the record. The default TTL is usually fine (e.g., 3600 seconds or 1 hour).
  • Save the record.
Example using Google Domains:

  • Log in to Google Domains.
  • Select your domain.
  • Click on “DNS.”
  • Scroll down to “Custom resource records.”
  • Enter the following:
    • Name: @
    • Type: TXT
    • TTL: 3600
    • Data: v=spf1 include:_spf.google.com include:servers.mcsv.net -all
  • Click “Add.”
Important: DNS changes can take up to 48 hours to propagate across the internet, although it’s often much faster. During this time, some email servers might use the old SPF record (or no SPF record), while others use the new one.

Step 4: Validating the SPF Record

After adding the SPF record, it’s essential to validate its correctness. You can use online SPF record checkers to verify that the record is valid and doesn’t contain any errors; several popular options are listed in the Testing and Validating section later in this article.

Simply enter your domain name into the tool, and it will check the SPF record for syntax errors, DNS lookup issues, and other potential problems. Pay close attention to any warnings or errors and correct them accordingly.

Example using MXToolbox:

The tool will display the SPF record and any issues it finds. For example, it might warn if you have multiple SPF records or if you’re exceeding the 10-lookup limit.

Expert Tip: After updating your SPF record, send test emails from all your sending sources (e.g., your web server, your marketing automation platform) to an email address you control (e.g., a Gmail account). Check the email headers to see if the SPF check passed. In Gmail, you can view the headers by opening the email, clicking on the three dots in the upper right corner, and selecting “Show original.” Look for the “Received-SPF” header. It should say “pass” if the SPF check passed.

Handling Multiple Senders and Third-Party Services

In today’s digital landscape, it’s common for organizations to use multiple services for sending emails, including Google Workspace, marketing automation platforms, transactional email services, and more. Managing SPF records for these diverse senders can be complex. This section provides guidance on how to create a comprehensive SPF record that authorizes all your legitimate sending sources while maintaining optimal email deliverability.

The `include:` Mechanism: Delegation is Key

The `include:` mechanism is the cornerstone of managing multiple senders. It allows you to delegate the responsibility of specifying authorized sending servers to the third-party service itself. Instead of manually adding IP addresses for each service, you simply include their SPF record in your own. This makes maintenance much easier, as the service provider is responsible for keeping their SPF record up-to-date.

Example:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net -all
This record authorizes Google Workspace, Mailchimp (using the `servers.mcsv.net` SPF record), and SendGrid to send email on behalf of your domain. If Mailchimp or SendGrid changes their sending infrastructure, you don’t need to update your SPF record; they will update their own SPF record, and your record will automatically reflect those changes.

Finding the Correct `include:` Value

Each third-party service has its own specific SPF record that you need to include. The correct value is usually documented in their help documentation or setup guides. Here’s how to find the SPF record for some common services:

  • Mailchimp: Search their help documentation for “SPF record” or “email authentication.” The correct value is usually include:servers.mcsv.net (but verify this for your specific account).
  • SendGrid: Search their help documentation for “SPF record.” The correct value is include:sendgrid.net.
  • HubSpot: Search their help documentation for “SPF record.” The correct value is include:hs-spf.hubspotemail.net.
  • Amazon SES: The correct value depends on the AWS region you’re using. Refer to the Amazon SES documentation for the correct include: value for your region (e.g., include:amazonses.com for the default region).
  • Sendinblue: The correct value is include:spf.sendinblue.com.
Important: Always verify the SPF record value in the service provider’s official documentation. Do not rely on outdated information from third-party websites.

The 10-Lookup Limit: A Critical Constraint

As mentioned earlier, SPF has a limit of 10 DNS lookups during evaluation. Each `include:` mechanism triggers at least one lookup, and nested `include:` statements can trigger multiple lookups. Exceeding this limit will cause the SPF check to fail, even if the sending server is authorized. This is a common problem when using multiple third-party services.

Example:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:sendgrid.net include:hs-spf.hubspotemail.net include:spf.sendinblue.com -all
This record includes five `include:` mechanisms. If any of these included records have nested `include:` statements, it’s possible to exceed the 10-lookup limit.

Strategies for Staying Under the Limit:

  • Minimize `include:` statements: Only include the SPF records for services you actively use. Remove any unused or outdated `include:` statements.
  • Flatten your SPF record (use with caution): Instead of using `include:`, you can manually add the IP addresses of the sending servers directly to your SPF record using the `ip4:` and `ip6:` mechanisms, which cost no lookups. This is generally not recommended: you must update your SPF record yourself whenever a service provider changes its sending infrastructure, which is time-consuming and error-prone, so use it only when absolutely necessary.
  • Use a dedicated email sending domain or subdomain: If you are using a large number of third-party senders, consider using a separate domain or subdomain (e.g., `mail.example.com`) specifically for sending email. This allows you to create a separate SPF record for that subdomain with only the necessary `include:` statements. This isolates the impact of the 10-lookup limit to that subdomain.
Expert Quote: “The 10-lookup limit is a common pain point with SPF. Regularly review your SPF record and remove any unnecessary `include:` statements. Prioritize the services that send the most critical emails.” – Email Deliverability Consultant
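Counting only the top-level `include:` terms understates the cost, because every nested include is another lookup. The following added Python example (not the article’s code) walks `ZONE`, a constructed offline stand-in for DNS, and totals the lookups the way an evaluator would, following includes and redirects recursively and stopping on an include loop; the nested records under the provider names are invented for this illustration and are not those providers’ real records.

```python
MAX_LOOKUPS = 10
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

# Constructed offline stand-in for DNS: domain -> its SPF TXT record. The nested
# records under the provider names are invented for this illustration (they are
# not the providers' real records); IPs are from the documentation ranges.
ZONE = {
    "example.com": ("v=spf1 include:_spf.google.com include:servers.mcsv.net "
                    "include:sendgrid.net include:hs-spf.hubspotemail.net "
                    "include:spf.sendinblue.com -all"),
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "servers.mcsv.net": "v=spf1 include:spf1.mcsv.test include:spf2.mcsv.test ?all",
    "spf1.mcsv.test": "v=spf1 ip4:203.0.113.0/25 ?all",
    "spf2.mcsv.test": "v=spf1 ip4:203.0.113.128/25 ?all",
    "sendgrid.net": "v=spf1 include:ip.sendgrid.test ~all",
    "ip.sendgrid.test": "v=spf1 ip4:192.0.2.64/26 ~all",
    "hs-spf.hubspotemail.net": "v=spf1 include:spf.hubspot.test ~all",
    "spf.hubspot.test": "v=spf1 ip4:198.51.100.128/26 ~all",
    "spf.sendinblue.com": "v=spf1 ip4:203.0.113.200/29 ~all",
}

def lookup_terms(record):
    """Yield (name, target) for each term of an SPF record that costs a DNS lookup."""
    for tok in record.split()[1:]:
        tok = tok.lstrip("+-~?")                     # drop the qualifier, it is irrelevant here
        if tok.lower().startswith("redirect="):
            yield "redirect", tok.split("=", 1)[1]
        else:
            name, _, target = tok.partition(":")
            name = name.split("/", 1)[0].lower()     # "a/24" is still the a mechanism
            if name in LOOKUP_MECHS:
                yield name, target

def count_lookups(domain, zone, trail=()):
    """Total lookups an evaluator spends on `domain`, following include/redirect
    recursively; `trail` holds the domains already being evaluated so an include
    loop raises instead of recursing forever."""
    if domain in trail:
        raise ValueError("include loop: " + " -> ".join(trail + (domain,)))
    record = zone.get(domain)
    if record is None:
        raise ValueError(f"no SPF record for {domain} (permerror in a real check)")
    total = 0
    for name, target in lookup_terms(record):
        total += 1                                   # this term's own lookup
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, trail + (domain,))
    return total

def lookup_report(domain, zone):
    """Return (total, {include target: lookups it costs, nested ones included})
    so the most expensive third-party includes are easy to spot and prioritize."""
    costs = {t: 1 + count_lookups(t, zone, (domain,))
             for n, t in lookup_terms(zone[domain]) if n == "include"}
    return count_lookups(domain, zone), costs
```

For the constructed zone, `lookup_report("example.com", ZONE)` returns 12, so the record would fail even though every sender is listed; the per-include costs show which entries are worth removing or moving to a dedicated sending subdomain.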

Testing and Monitoring Your SPF Record with Multiple Senders

After configuring your SPF record with multiple senders, thorough testing and ongoing monitoring are crucial. Here’s how:

  • Use SPF Record Checkers: Use online SPF record checkers (like MXToolbox) to verify that your SPF record is valid and doesn’t exceed the 10-lookup limit.
  • Send Test Emails: Send test emails from each of your sending sources (Google Workspace, Mailchimp, SendGrid, etc.) to an email address you control (e.g., a Gmail account). Check the email headers to confirm that the SPF check passed.
  • Monitor Email Deliverability: Pay attention to your email deliverability rates. If you notice a sudden drop in deliverability, it could indicate an issue with your SPF record.
  • Use DMARC Reporting: Implement DMARC (Domain-based Message Authentication, Reporting & Conformance) and enable DMARC reporting. DMARC reports provide valuable insights into how your emails are being authenticated and whether SPF and DKIM (DomainKeys Identified Mail) are passing. This allows you to identify and address any authentication issues.

Testing and Validating Your SPF Record

Once you’ve created or modified your SPF record, rigorous testing and validation are essential to ensure its effectiveness. A faulty SPF record can lead to legitimate emails being rejected or marked as spam, negating the benefits of implementing SPF in the first place. This section details various methods for testing and validating your SPF record, providing practical examples and tools to help you identify and resolve any potential issues.

Using Online SPF Record Checkers

Online SPF record checkers are the most convenient and readily accessible tools for validating your SPF record. These tools analyze your record for syntax errors, DNS lookup issues, and other common problems. Several reputable options are available:

  • MXToolbox SPF Record Check: https://mxtoolbox.com/spf.aspx – Provides a detailed analysis of your SPF record, including syntax validation, DNS lookup checks, and warnings for common issues like exceeding the 10-lookup limit.
  • Dmarcian SPF Surveyor: https://dmarcian.com/spf-survey/ – Offers a comprehensive SPF record analysis and visualization, highlighting potential issues and providing recommendations for improvement.
  • SPF Check by Agari (now Proofpoint): https://spfcheck.agari.com/ (May require account creation) – Checks the validity and structure of your SPF record.
Example using MXToolbox:

  • Navigate to https://mxtoolbox.com/spf.aspx.
  • Enter your domain name (e.g., example.com) in the “Domain Name” field.
  • Click the “SPF Record Lookup” button.
MXToolbox will display your SPF record and any issues it detects. Look for the following:

  • Syntax Errors: The tool will highlight any syntax errors in your SPF record, such as missing spaces or incorrect qualifiers.
  • Multiple SPF Records: The tool will warn you if you have multiple SPF records, which is invalid and can cause SPF checks to fail.
  • DNS Lookup Issues: The tool will check if all the domains listed in your `include:` mechanisms can be resolved and if you’re exceeding the 10-lookup limit.
  • Warnings: The tool may provide warnings about potential issues, such as using the `ptr` mechanism (which is generally not recommended) or not having a final `all` mechanism.
Analyzing Email Headers for SPF Results

A more direct way to test your SPF record is to analyze the email headers of emails sent from your domain. Email headers contain information about the email’s path, authentication results, and other technical details. Most email clients allow you to view the full email headers.

Steps to view email headers in Gmail:

  • Open the email you want to analyze.
  • Click the three dots in the upper right corner of the email.
  • Select “Show original.”
The “Original Message” page will display the full email headers. Look for the “Received-SPF” header. This header indicates the result of the SPF check performed by the receiving mail server.

Possible values for the “Received-SPF” header:

  • Pass: The SPF check passed. The sending server is authorized to send email on behalf of the domain.
  • Fail: The SPF check failed. The sending server is not authorized to send email on behalf of the domain.
  • SoftFail: The SPF check resulted in a soft fail. The sending server is not explicitly authorized, but the email is not necessarily rejected. The recipient server might mark the email as spam.
  • Neutral: The SPF record is neutral (e.g., `?all`). The SPF check doesn’t provide any information about whether the sending server is authorized.
  • None: No SPF record was found for the domain.
  • Error: An error occurred during the SPF check.
Example “Received-SPF” header:

Received-SPF: pass (google.com: domain of test@example.com designates 203.0.113.123 as permitted sender) client-ip=203.0.113.123; envelope-from=test@example.com;
This header indicates that the SPF check passed. The domain `example.com` designates the IP address `203.0.113.123` as a permitted sender.

If the “Received-SPF” header indicates “Fail” or “SoftFail,” it means there’s an issue with your SPF record. Double-check that you’ve included all your authorized sending sources and that your SPF record is correctly configured.
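To triage these results in bulk rather than one header at a time, here is an added Python example (not from the original article) that parses `Received-SPF` lines of the shape shown above and summarizes which envelope-from domains and client IPs did not pass, which is the list to reconcile against your SPF record. The sample header lines are constructed (the first is the article’s own example); the IPs come from the documentation ranges and the mailboxes are invented.

```python
import re
from collections import Counter

# Shape of the header shown above: "Received-SPF: <result> (<comment>) key=value; key=value;"
HEADER_RE = re.compile(
    r"^Received-SPF:\s*(?P<result>[A-Za-z]+)\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<kv>.*)$",
    re.IGNORECASE,
)

# Constructed sample headers; only the first one is taken from the article.
SAMPLE_HEADERS = [
    "Received-SPF: pass (google.com: domain of test@example.com designates "
    "203.0.113.123 as permitted sender) client-ip=203.0.113.123; envelope-from=test@example.com;",
    "Received-SPF: softfail (google.com: domain of transitioning news@example.com does not "
    "designate 198.51.100.7 as permitted sender) client-ip=198.51.100.7; envelope-from=news@example.com;",
    "Received-SPF: fail (google.com: domain of billing@example.com does not designate "
    "192.0.2.99 as permitted sender) client-ip=192.0.2.99; envelope-from=billing@example.com;",
    "Received-SPF: none (google.com: example.org does not designate permitted sender hosts) "
    "client-ip=203.0.113.5; envelope-from=bob@example.org;",
    "Received-SPF: permerror (google.com: permanent error in processing) "
    "client-ip=203.0.113.9; envelope-from=alerts@example.com;",
]

def parse_received_spf(line):
    """Return a dict with "result", "comment" and the key=value fields
    ("client-ip", "envelope-from", ...), or None if the line is not Received-SPF."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    info = {"result": m.group("result").lower(), "comment": m.group("comment") or ""}
    for pair in m.group("kv").split(";"):
        key, sep, value = pair.partition("=")
        if sep:
            info[key.strip().lower()] = value.strip()
    return info

def triage(headers):
    """Count results and list (envelope-from domain, client IP, result) for every
    header that did not pass: each entry is either a legitimate source missing
    from the SPF record or a sender that should not be using the domain."""
    counts, attention = Counter(), []
    for line in headers:
        info = parse_received_spf(line)
        if info is None:
            continue
        counts[info["result"]] += 1
        if info["result"] != "pass":
            sender = info.get("envelope-from", "")
            attention.append((sender.rpartition("@")[2], info.get("client-ip", "?"), info["result"]))
    return counts, attention
```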

Using Command-Line Tools for SPF Record Lookup

For more advanced users, command-line tools like `dig` or `nslookup` can be used to directly query DNS records, including SPF records. These tools provide more granular control over the DNS lookup process.

Example using `dig` (Linux/macOS):

dig txt example.com
This command queries the TXT records for `example.com`. The output will include your SPF record if it’s configured correctly.

Example using `nslookup` (Windows):

nslookup -type=txt example.com
This command performs the same function as the `dig` command, but using the `nslookup` tool available on Windows.

The output of these commands will display the TXT records for your domain, including your SPF record. You can then manually verify that the record is correct and doesn’t contain any errors.

Testing SPF with DMARC Analyzers

Implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) provides a powerful way to monitor and improve your email authentication, including SPF. DMARC builds upon SPF and DKIM to provide a more robust authentication framework.

DMARC analyzers, such as those offered by Dmarcian and other vendors, process DMARC reports to provide insights into your email authentication performance. These reports show you:

  • Which sending sources are passing or failing SPF and DKIM checks.
  • The volume of email being sent from each source.
  • Any potential authentication issues.
By analyzing DMARC reports, you can identify any misconfigured SPF records or unauthorized sending sources. This allows you to take corrective action to improve your email deliverability and protect your domain from spoofing. DMARC reports are sent to the addresses specified in your DMARC record: aggregate reports to the address in the `rua=` tag and individual failure reports to the address in the `ruf=` tag (e.g., `rua=mailto:dmarc-reports@example.com`).

In summary, testing and validating your SPF record is an ongoing process. Use a combination of online SPF record checkers, email header analysis, command-line tools, and DMARC analyzers to ensure that your SPF record is correctly configured and effectively protecting your domain from email spoofing.
