An SPF (Sender Policy Framework) record tells the world which mail servers are allowed to send email on behalf of your domain. Without it, spammers can forge emails that appear to come from you. This guide walks you through creating and publishing a valid SPF record.

Step 1 — Identify all mail sources

List every service that sends email using your domain. Common sources include:

Your own mail server (e.g., mail.yourdomain.com)
Google Workspace — include:_spf.google.com
Microsoft 365 — include:spf.protection.outlook.com
SendGrid — include:sendgrid.net
Mailgun — include:mailgun.org
Amazon SES — include:amazonses.com

Step 2 — Build the record

Use our SPF generator or construct it manually. A typical record looks like this:

v=spf1 mx include:_spf.google.com include:sendgrid.net ~all

Components explained:

v=spf1 — Required version tag
mx — Authorizes your MX servers
include:... — Authorizes third-party services
~all — Softfail (mark unauthorized mail as suspicious)
-all — Hardfail (reject unauthorized mail entirely)

Step 3 — Publish in DNS

Type: TXT
Name/Host: @ or leave blank (root domain)
Value: your complete SPF string
TTL: 300 seconds (5 minutes) during testing, then 3600 or higher

Step 4 — Verify with Postalfix

Wait a few minutes for DNS propagation, then use our DNS lookup tool to confirm your SPF record is live and valid.

Verify SPF record now →

Important tips

Never publish more than one SPF TXT record. If you need multiple sources, combine them into a single record with multiple include statements.
Avoid using +all or no qualifier before all — this allows anyone to send as your domain.
Keep your record under 10 DNS lookups to avoid exceeding SPF evaluation limits.
Use ~all during testing, then switch to -all once you are confident.

SPF Record Setup Guide

Step 1 — Identify all mail sources

Step 2 — Build the record

Step 3 — Publish in DNS

Step 4 — Verify with Postalfix

Important tips

Related Tools