How to set up an SPF record for your domain (step by step)
Setting up SPF is a one-time DNS change. The hard part is identifying every legitimate sender for your domain. Once you have that list, building and publishing the record is straightforward.
Step 1: list every system that sends mail as you
Walk through this checklist:
- Email provider. Google Workspace, Microsoft 365, your own mail server, anything similar.
- Transactional ESP. SendGrid, Mailgun, Postmark, SES, whatever fires your password resets, receipts, and signup confirmations.
- Marketing ESP. Mailchimp, Klaviyo, ActiveCampaign, others (if separate from transactional).
- CRM. HubSpot, Salesforce, others (only if they send mail as your domain, not their own).
- Helpdesk or support tools. Zendesk, Intercom, anything similar, if they send as you.
- Newsletter platform. Substack, ConvertKit, Beehiiv, others.
- Custom code or webhooks that send mail through SMTP.
Step 2: find each provider's SPF include
Each platform publishes the SPF include they want you to add. Common ones:
- include:_spf.google.com for Google Workspace
- include:spf.protection.outlook.com for Microsoft 365
- include:sendgrid.net for SendGrid
- include:mailgun.org for Mailgun
- include:_spf.salesforce.com for Salesforce
- include:servers.mcsv.net for Mailchimp
If your platform is not in this list, search its documentation for "SPF include". Every reputable ESP publishes the value.
Step 3: build the record
Combine into one TXT record, starting with the version tag and ending with the policy:
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all
- v=spf1 is the version marker (required).
- include:... is one entry per platform that sends as you.
- ~all means softfail: messages from servers not in the list should be marked but not rejected. Good starting point.
- -all means hardfail: reject anything not in the list. Use only after you are confident the include list is complete.
Or skip the manual build. Our free SPF record generator lets you pick your platforms from a list and gives you the record ready to paste.
Step 4: publish to DNS
Log into your DNS provider (Cloudflare, GoDaddy, Namecheap, Route 53, whichever you use). Add a TXT record on the root of your domain. The host field will be @ or blank, depending on the UI. Save the record.
Step 5: verify it propagated
DNS propagation usually completes within 5 to 15 minutes. It can take up to an hour in some cases. Check with our free SPF record checker. Paste your domain, see the parsed record, and get warnings about any issues like too many lookups or missing common includes.
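A local lint for the record built in Step 3, as an added example that is not part of the original page or of any checker tool it mentions. The function name lint_spf and the sample TXT values are constructed for illustration; the limit of 10 DNS lookups and the rule that a domain may publish only one SPF record come from RFC 7208.

```python
# Added example: offline lint of the TXT records published at a domain's root.
# Mechanisms that cost one DNS lookup each; RFC 7208 allows at most 10 per check.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10


def lint_spf(txt_records):
    """Return a list of problems (an empty list means none were found)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no TXT record starts with v=spf1"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records found; merge them into one"]

    problems = []
    terms = spf[0].split()[1:]
    lookups = 0
    all_index = None
    has_redirect = False
    for i, term in enumerate(terms):
        bare = term.lstrip("+-~?").lower()
        name = bare.split(":", 1)[0].split("/", 1)[0]
        if bare.startswith("redirect="):
            has_redirect = True
            lookups += 1
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
        elif name == "all" and all_index is None:
            all_index = i
            if not term.startswith(("-", "~", "?")):
                problems.append("'all' without - or ~ passes every server")

    if all_index is None and not has_redirect:
        problems.append("no 'all' policy at the end of the record")
    elif all_index is not None and all_index != len(terms) - 1:
        problems.append("'all' is not last; mechanisms after it never run")
    # Only this record's own terms are counted; each include adds the
    # lookups of the record it points to, so the real total can be higher.
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups, limit is {MAX_LOOKUPS}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the Step 3 record next to an unrelated TXT record.
    sample = [
        "some-site-verification=placeholder",
        "v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all",
    ]
    print(lint_spf(sample) or "no problems found")
```

Feed it the TXT strings your DNS provider shows for the root of the domain. A second v=spf1 entry left over from an earlier provider is the most common thing it catches.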
After SPF is live
Set up DKIM and DMARC next. SPF alone is the bare minimum. Gmail and Yahoo now require all three for bulk senders.
