The average email deliverability rate on various email marketing platforms was 84.2%, according to EmailToolTester.
An SPF record increases your credibility as an email sender.
With an SPF record set up, email service providers will consider your emails more secure, making it more likely that your emails stay out of spam.
In this article, we’ll discuss what SPF records are, what they do, and how to set them up for various providers.
Generate your SPF record for free now
Create a valid SPF record for your domain in a few seconds with our free tool.
What is an SPF record?
An SPF record (Sender Policy Framework) is an email authentication system that mail servers use to make sure that emails that appear to come from your domain actually do come from you.
SPF records allow you to specify which servers can send emails on your domain’s behalf.
If unauthorized servers claim to be sending from your domain, an SPF record prevents the emails from getting authorized.
It’s designed to stop phishing attempts and scammers from sending fake messages that claim to be from legit domains.
Technically, you don’t have to set up an SPF record in order to send emails. But it adds a layer of security to your campaigns, which makes your domain more trustworthy to ISPs (internet service providers), and improves your deliverability.
That’s why it’s so important to set up an SPF record: to protect your domain from spoofing, and to keep your cold emails out of spam.
What does an SPF record do?
An SPF record simply identifies the mail servers that are allowed to send messages from your domain.
It’s a type of DNS TXT (Domain Name System ”text”) with a list of APIs, software, etc., that you’ve approved to send messages on your behalf.
It looks like this
v=spf1 include:_spf.google.com ~all
The syntax is divided into a version prefix and an include tag that precedes a server that can send email through your domain.
The version prefix simply explains that this TXT record is to be used for SPF checking, and the include holds the authorized server.
The “~all” part instructs receiving serves on what todo if authorization fails.
Here are the primary settings for the “all” tag:
- + Pass (+all) – An email sent with a server/IP address that doesn’t match with the SPF record, will get a pass anyway.
- – Hard Fail (-all) – An email sent with a server/IP address that doesn’t match with the SPF record, will not pass SPF authentication.
- ~ Soft Fail (~all) an email sent with a server/IP address that doesn’t match with the SPF record will soft fail SPF, which means that the host should accept the mail, but mark it as an SPF failure.
Create an SPF record in 10 easy steps
The SPF record needs to be published in your DNS by your DNS manager.
If you are wondering how to create an SPF TXT record, that’s your go-to procedure.
Here’s a step-by-step process for setting up your SPF record:
Step 1. Log in to your domain account at your domain host provider;
Step 2. Locate the page for updating your domain’s DNS records (something like DNS management or name server management);
Step 3. Select the domain of which you want to modify the records;
Step 4. Open the DNS manager;
Step 5. Log in to your domain account at your domain host provider;
Step 6. Create a new TXT record in the TXT (text) section;
Step 7. Set the Host field to the name of your domain;
Step 8. Fill the TXT Value field with your SPF record (i.e. “v=spf1 a mx include: exampledomain.com ~all””);
Step 9. Specify the Time To Live (TTL), enter 3600 or leave the default;
Step 10. Click “Save” or “Add Record” to publish the SPF TXT record into your DNS.
Your new SPF record can take up to 48 hours to go into effect. Contact your domain host for help adding TXT records,
Test your SPF record with the SPF record checker
Setting up an SPF record is an essential part of your technical settings.
Read more about how to check and validate your SPF record or directly test your SPF record using the SPF record Checker.
Do you need to include lemlist in the SPF setup?
No. You should include the applications that send emails on your behalf but use their own SMTP in your SPF record.
lemlist uses your SMTP to send your email, so it’s more of a super-powered online email client than a bulk email-sending app.
However, the deliverability of emails sent by lemlist depends on the reputation of your domain.
Setting SPF ( and the next two records) will help you protect your domain’s reputation and thus improve the deliverability of your emails.
Can you create multiple SPF records?
No, as it could generate the “SPF PermError” and harm your deliverability, so always check for existing SPF records for your domain before adding a new one.
However, you can add multiple servers to the same SPF record.
All you have to do is copy/paste your new SPF record in front of the old one and separate them with a single space.
For example, to add Outlook to the SPF example we included in the previous section, it would look like this:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
How do I check my SPF record with lemlist?
If you’re using lemlist, it takes less than a minute to check if your SPF record is good to go.
(If you don’t have an account yet, you can sign up here, for free.)
First, go to your dashboard and find the Health tab, under Reports
Next, open the DNS Checks tab and click on “Refresh checks.”
In a couple seconds, you’ll get a full overview of not only your SPF record, but also your MX record exchanges, DMARC record, Email tests, and your Spamassassin score.
Of course, if you see the green “All good” sign, then your SPF formatting is already set up and protecting you from scammers and the spam folder.
If it needs configuring, all you have to do is follow the steps below.
How to set up SPF record for Microsoft Office 365
If Microsoft Office 365 is your email provider, here’s how to set up your SPF record for the relevant server.
We’ll start with a simple process you can follow for any domain provider, then add more specific details for popular domain providers like Namecheap, Cloudflare, and Bluehost.
How to set up Office 365 SPF record – for all domain providers
No matter what domain hosting you use right now, there are only a few steps to follow to validate your Microsoft Office 365 SPF:
- Go to the settings for your DNS provider
- Create a new record
- Choose “TXT“
- Put “@” in the name
- Put v=spf1 include:spf.protection.outlook.com -all in value
And save it!
SPF record setup for Microsoft Office 365 and Namecheap
If you’re using Namecheap, here are more specific steps:
- Log in to Namecheap
- Go to Domain list and choose your domain
- Go to Advanced DNS
- Click on “Add new record”
- Choose TXT record
- Put @ in “Host” or “Name”
- Put v=spf1 include:spf.protection.outlook.com -all in value
SPF configuration for Microsoft Office 365 and Cloudflare
To configure your SPF record for Microsoft Office in Cloudflare, here’s what to do:
- Log in to Cloudflare
- Go to Domain list and choose your domain
- Go to DNS
- Click on “Add new record”
- Choose TXT record
- Put @ in “Host” or “Name”
- Put v=spf1 include:spf.protection.outlook.com -all in value
- Save it!
Enable SPF record for Microsoft Office 365 and Bluehost
Finally, here are the steps to input your Office 365 SPF record in Bluehost:
- Log in to Bluehost
- Go to Domain list and choose your domain
- Go to DNS
- Click on “Add new record”
- Choose TXT record
- Put @ in “Host” or “Name”
- Put v=spf1 include:spf.protection.outlook.com -all in value
- Save it!
How to add SPF records for a Google sending domain
Now, here’s how you can add your Google domain to the SPF record mechanism for your domain provider.
How to set up your Google SPF record – for all domain providers
No matter what domain provider you use right now, follow the steps below to validate your SPF.
You can also check in the documents and tutorials of your domain provider itself to see if they already give instructions on how to configure your SPF.
- Go to your DNS settings
- Create a new record
- Configure and choose “TXT“
- Add “@” in name
- Add v=spf1 include:_spf.google.com ~all in value
Save it to publish it!
How to create a Google SPF record for Namecheap
If you’re using Namecheap, here are the steps to add Google to your SPF record:
- Log in to Namecheap
- Go to Domain list and choose your domain
- Go to Advanced DNS
- Click on “Add new record”
- Choose TXT record
- Put @ in “Host” or “Name”
- Add the tag v=spf1 include:_spf.google.com ~all in value
- Save it!
Adding a Google SPF record to Cloudflare
For Cloudflare users, here’s how to add Google to the SPF TXT record.
- Log in to Cloudflare
- Go to Domain list and choose your domain
- Go to DNS provider
- Click on “Add new record”
- Choose TXT record
- Put @ in “Name”
- Put v=spf1 include:_spf.google.com ~all in value
- Save it!
How to set up Google SPF records for Bluehost
Finally, for Bluehost users, here’s how to add your Google domain:
- Log in to Bluehost
- Go to Domain list and choose your domain
- Go to Advanced DNS
- Click on “Add new record”
- Choose TXT record
- Put @ in “Host” or “Name”
- Put v=spf1 include:_spf.google.com ~all in value
- Save it
SPF record benefits to your cold outreach
A well-set SPF record is your key to a succesful cold outreach campaign.
This is how your SPF record helps your cold outreach:
1. Improves Email Deliverability:
When you send emails through lemlist, recipient mail servers check your SPF record to verify that it is actually you sending thew email.
A correctly configured SPF record increases the likelihood that your emails will land in the recipient’s inbox rather than the spam folder.
2. Reduces Email Spoofing:
An SPF record helps prevent others from sending emails pretending to be you.
This protection enhances your domain’s reputation, making email providers more likely to trust and deliver your legitimate cold outreach emails.
3. Maintains Domain Reputation:
Sending cold emails without a proper SPF record can result in a higher bounce rate and spam complaints, negatively impacting your domain’s reputation.
A good reputation is crucial for ensuring high deliverability rates over time, and of course, you do not want to burn out the domain you spent time building a reputation for.
4. Compliance with Email Standards:
Many email providers and anti-spam systems use SPF records as part of their filtering criteria.
Compliance with these standards ensures that your emails align with best practices, further supporting your outreach efforts.
This is especially important since Google and Yahoo! have released new, stricter email requirements.
SPF tags explained
SPF (Sender Policy Framework) tags, also known as mechanisms and modifiers, are components of the SPF record. SPF tags define which mail servers are allowed to send emails on behalf of your domain.
Here are the primary SPF tags you have to know about:
1. v tag (required)
The v tag, or version tag, indicates that the record is an SPF record. It helps email servers understand how to interpret the instructions within the SPF record.
Without the v tag, email servers would not recognize the string as an SPF record. It will cause failure in processing and enforcing the email-sending policies defined in the record.
Example: v=spf1
2. IP4 tag
The IP4 tag in an SPF record is a critical element that specifies authorized IPv4 addresses for sending emails to a domain. It’s crucial for email security and deliverability.
By clearly specifying which IP addresses can send emails, you reduce the risk of email spoofing and phishing attacks on your domain. It also ensures that emails from your domain are less likely to be marked as spam.
Example: v=spf1 ip4:192.0.2.1 ip4:198.51.100.0/24 -all
3. IP6 tag
This tag includes the IPv6 addresses that allow sending emails on behalf of the domain.
It specifies which IPv6 addresses and helps receiving mail servers verify the authenticity of the email source.
Example: v=spf1 ip6:2001:db8::1 ip6:2001:db8:abcd:0012::0/64 -all
4. a tag
a tag authorizes emails from IP addresses associated with the domain’s A (Address) or AAAA (IPv6 Address) DNS records.
It simplifies SPF records and ensures that servers hosting the domain’s website or other services can also send emails without needing to list IP addresses explicitly in the SPF record.
The purpose of a tag is to ensure that the IP addresses associated with the domain’s A or AAAA records are permitted to send emails on behalf of the domain.
Example: v=spf1 a -all
5. mx tag
mx tag authorizes emails from the IP addresses associated with the domain’s MX (Mail Exchange) records.
Any mail servers listed in the domain’s MX records are allowed to send emails on behalf of that domain.
mx tag ensures that the mail servers responsible for receiving emails for a domain (as specified in its MX records) are also authorized to send emails on behalf of that domain.
It automatically authorizes the IP addresses associated with mail servers listed in the MX records without having to specify them individually.
Example: v=spf1 mx -all
6. exists tag
This tag checks if an A record exists or not in the domain.
The exists tag provides a way to perform custom checks that are not directly related to the sending IP address.
It can be used in complex SPF policies where you need to verify the existence of specific DNS records as a part of your email authorization strategy.
When the exists mechanism is used, the SPF check performs a DNS A record lookup for the specified domain.
If the domain resolves to any IP address (regardless of what that IP address is), the condition is met, and the sending server is authorized.
Example: v=spf1 exists:example.com -all
7. include tag
The include tag allows you to incorporate the SPF records of other domains into your own SPF record.
Listing all your sending sources under this tag lets the recipient know that you verify all the added domains and subdomains as legitimate sources.
This is useful when you delegate email sending to third parties, such as email service providers, who handle email on your behalf.
In a correct SPF record, the include tag is very important.
Example: v=spf1 include:_spf.google.com include:mailgun.org -all
8. all tag
all is a required tag. It should be placed at the end of the SPF record.
Depending on the qualifiers used (~, +, -, ?), this mechanism indicates how the recipient should treat emails from non-authorized sources.
Example: v=spf1 +all or v=spf1-all (depending on the qualifiers)
9. redirect tag
The redirect tag allows a domain to delegate its SPF authentication to another domain by specifying the redirected domain in the SPF record.
Example: v=spf1 redirect=_spf.example.com
SPF record limitations
While SPF is an important tool for ensuring email deliverability and reducing spam, it does have several limitations:
1. DNS Lookup Limit:
SPF records are limited to 10 DNS lookups to prevent excessive load on DNS servers. If your SPF record requires more than 10 lookups, it will exceed the limit, causing SPF checks to fail.
2. Forwarding Issues:
SPF does not work well with email forwarding. When an email is forwarded, the forwarding server’s IP address may not be listed in the original sender’s SPF record, causing the email to fail the SPF check.
3. Complicated Management:
Managing SPF records can become complex for organizations that use multiple third-party email services, as each service must be included within the SPF record without exceeding the DNS lookup limit.
4. Lack of Protection Against All Phishing Attacks:
SPF only checks the sender’s IP address and does not validate the “From” header in the email. As a result, it does not provide protection against phishing attacks that spoof the display name or email header.
5. Alignment with DMARC:
For DMARC (Domain-based Message Authentication, Reporting, and Conformance) to pass, SPF alignment is required, meaning the domain in the “Return-Path” must match the domain in the “From” header. Achieving alignment can be challenging in complex email routing scenarios.
6. Whitelist Management:
To accommodate legitimate senders, you may need to frequently update your SPF record, especially when dealing with dynamic IP addresses or newly added third-party services.
7. SMTP Bounce Messages:
SPF failures may result in SMTP bounce messages being sent to innocent parties if a spammer uses their email address as the “Return-Path.” This is known as backscatter.
8. Not a Complete Solution:
SPF should be used in conjunction with other email authentication technologies, such as DKIM (DomainKeys Identified Mail) and DMARC, to provide broader protection. Relying on SPF alone is insufficient for comprehensive email security. In the lemlist academy, we show you how to set up all major email authentication protocols.
Key takeaways
A properly setup SPF record will do essential things for you:
- It fights email spoofing and other cybercrimes
- It Increases your email deliverability
You can have the best campaigns, but if your SPF isn’t properly set up, your emails may never be seen by your prospects. Use an app like lemlist to make this process as easy as pie!
Frequently Asked Questions
Does my domain need an SPF record?
Yes, if you want to prevent spammers from spoofing your domain and sending emails that look like they come from you.
Additionally, SPF is absolutely essential if you want to land in your audience’s inbox.
What is an SPF record for a domain?
An SPF record is a type of DNS TXT record that contains a list of IP addresses or servers that are allowed to send emails on behalf of your domain.
For example, if your domain is example.com, and you use Gmail to send emails, your SPF record might look something like this: v=spf1 include:_spf.google.com ~all.
This means that only emails sent from Google’s servers are valid for your domain, and any other emails should be treated with caution.
Can I use DKIM without SPF?
Yes, you can use DKIM without SPF, but it is not recommended. DKIM is another email authentication method that uses digital signatures to verify that an email has not been tampered with in transit.
However, DKIM does not prevent spoofing of the sender’s address, which is what SPF does.
Therefore, it is best to use both SPF and DKIM together to ensure the integrity and authenticity of your emails.
Why is DKIM better than SPF?
DKIM is not better than SPF, but rather complementary.
SPF verifies the sender’s identity based on the IP address of the sending server, while DKIM verifies the content of the email based on a cryptographic signature.
Both methods have their advantages and limitations, and using them together provides a stronger level of email authentication and security.
Here’s some more info on SPF VS DKIM.
Does DMARC use SPF?
Yes, DMARC uses SPF, as well as DKIM, to validate emails.
DMARC is a policy that tells receiving email servers what to do with emails that fail SPF and DKIM checks.
For example, you can set your DMARC policy to reject, quarantine, or accept such emails, and also receive reports on how your emails are being processed by different email providers.
DMARC helps you monitor and improve your email deliverability and reputation.
What is SPF and DKIM records?
SPF and DKIM records are DNS TXT records that store the information needed for SPF and DKIM validation.
SPF records list the authorized IP addresses a for sending emails from your domain, while DKIM records store the public keys that are used to verify the digital signatures of your emails.
You need to create and publish these records in your DNS settings to enable SPF and DKIM for your domain.
Is SPF a DNS record?
Yes, SPF is a DNS record, specifically a TXT record.
A TXT record is a type of DNS record that can store any text information related to your domain.
SPF uses TXT records to store the list of authorized senders for your domain.
You can create and manage your SPF TXT record using your DNS provider’s website or tools.