
How to Setup SPF: Understanding Mechanisms, Modifiers, and Syntax

email security and deliverability Oct 13, 2025

If your business emails keep slipping into spam folders or disappearing into the digital void, there’s a good chance your SPF record isn’t set up correctly, or at all. SPF (Sender Policy Framework) is one of the simplest yet most important DNS records for email deliverability. It tells receiving mail servers which servers are allowed to send on behalf of your domain. Get it right, and your emails land where they belong. Get it wrong, and your reputation, and revenue, take a hit.

In this guide, we’ll break down exactly how to set up SPF, with every mechanism, qualifier, modifier, and syntax rule explained. When you’re done, you’ll understand how to build, test, and maintain your SPF record like a pro.

💡 Pro Tip: You can instantly check your SPF record and verify it’s working correctly using the iO™ DMARC Email Deliverability Tool.

 

Key Takeaways

  • Publish exactly one SPF record per domain as a DNS TXT record that starts with v=spf1 and follows RFC 7208. Multiple SPF TXT records cause validation errors.

  • Authorize only real senders using ip4, ip6, a, mx, and include, and finish with all. Use qualifiers intentionally: -all for strict enforcement, ~all while testing.

  • Manage SPF where your DNS is hosted and verify public visibility after changes. Allow time for propagation and confirm that resolvers see the updated entry.

  • Stay under the SPF 10-lookup limit. Each include, a, mx, and exists can add lookups. Consolidate providers, prefer direct IPs where appropriate, or use flattening (carefully) if you’re near the cap.

  • Test after every change using header checks (Authentication-Results: spf=pass) and a validator to confirm syntax, alignment, and lookup counts.

  • Maintain the record over time. Add or remove vendors promptly, audit quarterly, and keep the policy strict to reduce spoofing risk and protect deliverability.

 

The Structure of an SPF Record


Before writing your own SPF record, it’s important to understand how it’s structured and where it lives.

 

SPF Record Format Overview


v=spf1 mx include:_spf.google.com -all

Let’s break this down:

  • v=spf1 – Identifies the version (always this value).

  • Mechanisms – Define which servers are authorized (like mx, a, ip4, or include).

  • Modifiers – Provide additional rules or instructions.

  • Qualifier (like the - in -all) – Tells the receiving server what to do with messages that don’t match.

Together, these elements create your domain’s SPF policy.

 

Where SPF Records Live in DNS

SPF records live inside your domain’s DNS settings — usually managed through your registrar, web host, or DNS provider. They look like this in your DNS zone file:

| Type | Name | Value |
|------|------|-------|
| TXT | @ | v=spf1 include:_spf.google.com -all |

📌 Note: Each domain can have only one SPF record. If you add more than one, receiving mail servers will reject both.

Learn more about avoiding DNS-level errors in SPF Failure: Common SPF Errors and Fixes.

 

SPF Mechanisms Explained


Mechanisms define which hosts are allowed to send email for your domain. Let’s look at each one.

 

Common SPF Mechanisms and Their Functions

| Mechanism | Description | Example | Purpose |
|-----------|-------------|---------|---------|
| all | Matches any sender (usually placed last) | -all | Sets default policy for unmatched mail |
| a | Authorizes IPs in the domain’s A record | a or a:mail.domain.com | Common for single-server setups |
| mx | Authorizes all mail exchangers for the domain | mx | Standard for inbound/outbound servers |
| ip4 / ip6 | Authorizes specific IP addresses | ip4:192.0.2.1 | For servers with known IPs |
| include | References another domain’s SPF record | include:_spf.google.com | Required for third-party senders |
| exists | Dynamically checks for matching hostnames | exists:%{i}.spf.domain.com | Rare, advanced use cases |
| ptr | Uses reverse DNS lookup | ptr | Deprecated – not recommended |

 

SPF Qualifiers and What They Mean


Qualifiers determine how receiving servers interpret your SPF rules — pass, fail, or soft fail.

 

SPF Qualifier Summary Table

| Qualifier | Symbol | Meaning | Example |
|-----------|--------|---------|---------|
| Pass | + | Allow mail | +a |
| Fail | - | Reject mail | -all |
| SoftFail | ~ | Accept but flag | ~all |
| Neutral | ? | No policy | ?all |

 

Choosing the Right Qualifier for Your Domain

In most cases:

  • Use -all for strict enforcement (recommended for mature, verified domains).

  • Use ~all while testing or adding new senders.

  • Avoid ?all which weakens policy enforcement.

 

Curious about what happens behind the scenes when SPF fails? Read: SPF Hard Fail vs Soft Fail: Understanding -all vs ~all vs ?all.

 

SPF Modifiers for Advanced Use


Modifiers are optional parameters that expand SPF beyond simple mechanisms such as include, mx, a, and ip4. They modify behavior, not permission, and must be used judiciously so the record stays within the 10 DNS lookup ceiling and the 255-character string limit. Each modifier appears only once in a record and modifies overall behavior.

 

The redirect= Modifier

Used to delegate SPF policy to another domain:

v=spf1 redirect=_spf.parentdomain.com

All authorization checks are handled by the redirected domain. Only one redirect can be used per record.

 

The exp= Modifier

Provides a custom explanation for failed SPF checks:

v=spf1 -all exp=explain.domain.com

The domain at explain.domain.com should contain a TXT record with the failure message. Rarely used in modern configurations but included here for completeness.

 

Misusing redirects can cause errors. Check for syntax issues in SPF Failure: Common SPF Errors and Fixes.

 

SPF Setup Examples by Scenario


Targeted templates you can plug in, customize, and deliver. Each example shows a valid SPF TXT record you can add at your DNS host.

βš™οΈ Before you begin:

  • Maintain one SPF record per domain.

  • Watch the 10 DNS lookup limit.

  • Expect up to 1 hour for DNS propagation.

 

Basic Example – Single Domain

v=spf1 mx -all

Authorizes mail servers defined in your domain’s MX records. This is ideal if you send directly from your own mail servers.

 

Example – Using Google Workspace

v=spf1 include:_spf.google.com -all

Authorizes Gmail servers to send on behalf of your domain. Perfect for businesses using Google Workspace exclusively.

See Set up SPF — Google Admin Help for Google’s official steps and record values.

 

Example – Using Microsoft 365

v=spf1 include:spf.protection.outlook.com -all

Allows Microsoft 365 mail servers to send from your domain. Common for SMBs running email through Exchange Online.

See Set up SPF for Microsoft 365 (Microsoft Learn) for Microsoft’s recommended SPF configuration.

 

Example – Multiple IPs and Third-Party Senders

v=spf1 ip4:203.0.113.5 include:spf.hubspot.com include:_spf.google.com -all

Authorizes your direct IP, HubSpot, and Google to send mail for your domain while rejecting all others. Remember that each include: adds a DNS lookup.

⚠️ Tip: Exceeding 10 lookups causes SPF to fail. Learn more in SPF Failure: Common SPF Errors and Fixes.

 

Example – Using Redirect for Delegated Domains

v=spf1 redirect=_spf.parentdomain.com

Delegates SPF management to another domain, often used for brand families or multi-domain environments.

 

🧩 Always test your SPF record before publishing it live. Run a free check with iO™ DMARC’s SPF Checker.

 

SPF Best Practices and Common Pitfalls


Setting up an SPF record correctly is only half the job; keeping it clean, optimized, and compliant over time is what protects your domain’s reputation. These SPF best practices help you maintain deliverability and avoid the configuration errors that cause emails to be rejected or flagged as spam.

 

SPF Best Practices

  • Keep your record under 255 characters per DNS TXT segment.

  • Stay below the 10 DNS lookup limit.

  • Combine multiple senders efficiently with include:.

  • Use -all when your configuration is verified.

  • Review SPF changes quarterly or after adding new tools.

Want to check out additional best practices and industry guidance from mailbox providers and senders? See M3AAWG Best Practices for Managing SPF Records.

 

Common SPF Mistakes to Avoid

Even small syntax or structural errors can invalidate your SPF record and hurt deliverability. Watch out for these frequent issues:

  • Multiple SPF records for one domain (only one is allowed).

  • Broken include chains from third-party services.

  • Deprecated mechanisms like ptr.

  • Overuse of ~all, which weakens protection.
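The structural mistakes listed above can be caught before publishing. The following linter is an added example, not code from the original article or from any tool it mentions; the function name lint_spf and the sample records are constructed for illustration, and the term grammar is a simplification of RFC 7208.

```python
import re

# Term grammar, simplified from RFC 7208: modifiers are name=value,
# mechanisms are [qualifier]name followed by an optional :value or /cidr.
MODIFIER = re.compile(r"^([a-z][a-z0-9_.-]*)=", re.I)
MECHANISM = re.compile(r"^([+\-~?]?)(all|include|a|mx|ptr|ip4|ip6|exists)([:/].*)?$", re.I)

def lint_spf(txt_records):
    """Lint the TXT strings published at one name; returns a list of findings."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return [f"{len(spf)} SPF records published; only one is allowed"]
    record, findings = spf[0], []
    if len(record) > 255:
        findings.append("over 255 characters; must be split into several TXT strings")
    all_qualifier, modifiers = None, set()
    for term in record.split()[1:]:
        mod, mech = MODIFIER.match(term), MECHANISM.match(term)
        if mod:
            name = mod.group(1).lower()
            if name in modifiers:
                findings.append(f"modifier {name}= appears more than once")
            modifiers.add(name)
        elif mech:
            if all_qualifier is not None:
                findings.append(f"{term} comes after all and is never evaluated")
            if mech.group(2).lower() == "all":
                all_qualifier = mech.group(1) or "+"   # no symbol means + (Pass)
            elif mech.group(2).lower() == "ptr":
                findings.append("ptr is deprecated")
        else:
            findings.append(f"unrecognised term: {term}")
    if all_qualifier is None and "redirect" not in modifiers:
        findings.append("record has no terminal all mechanism")
    elif all_qualifier in ("?", "+"):
        findings.append(f"{all_qualifier}all does not reject or flag unauthorized senders")
    return findings

# Constructed sample inputs (not taken from any real domain).
if __name__ == "__main__":
    for records in (["v=spf1 mx include:_spf.google.com -all"],
                    ["v=spf1 mx -all", "v=spf1 include:_spf.google.com -all"],
                    ["v=spf1 ptr -all mx", "unrelated-verification=abc123"]):
        print(records, "->", lint_spf(records) or "ok")
```

The linter checks structure only; it does not resolve DNS or count lookups.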

 

For troubleshooting guidance, visit SPF Failure: Common SPF Errors and Fixes or learn What Does It Mean If SPF Fails?

 

How to Test Your SPF Record


Testing your SPF record verifies it is valid, publicly visible on the internet, and enforcing the policy you anticipate. It further confirms which systems are authorized to send mail for your domain and which aren’t.

Checking Syntax and DNS Propagation

After creating or editing your SPF record, it can take several minutes for DNS changes to propagate. To verify your setup:

  1. Use dig or nslookup commands to confirm the TXT record.

  2. Send a test email to a Gmail or Outlook account.

  3. View message headers and check for “spf=pass” under authentication results.
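Step 3 can be scripted once the raw message source has been saved. The sketch below is an added example, not part of the original article; the message, host names, and the function name spf_verdicts are constructed for illustration. It reads only the Authentication-Results header stamped by the receiver you name, because a message can carry headers added by earlier hops.

```python
import re
from email import message_from_string

# Constructed message headers (not from a real mailbox); hosts use reserved test names.
RAW = """\
Authentication-Results: mx.receiver.test;
 dkim=pass header.i=@example.test header.s=sel1;
 spf=softfail (domain of transitioning bounce@example.test does not
 designate 198.51.100.7 as permitted sender) smtp.mailfrom=bounce@example.test;
 dmarc=pass (p=NONE) header.from=example.test
Authentication-Results: relay.upstream.test; spf=pass smtp.mailfrom=bounce@example.test
From: Billing <billing@example.test>
Subject: SPF test

body
"""

def spf_verdicts(raw_message, trusted_authserv_id):
    """Return [(result, mailfrom)] from headers stamped by the trusted receiver only."""
    verdicts = []
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())              # unfold continuation lines
        value = re.sub(r"\([^()]*\)", "", value)     # drop (comments)
        authserv_id, _, rest = value.partition(";")
        if authserv_id.strip().lower() != trusted_authserv_id.lower():
            continue                                 # stamped by another hop; ignored
        for clause in rest.split(";"):
            result = re.match(r"\s*spf=(\w+)", clause, re.I)
            if result:
                mailfrom = re.search(r"smtp\.mailfrom=(\S+)", clause, re.I)
                verdicts.append((result.group(1).lower(),
                                 mailfrom.group(1) if mailfrom else None))
    return verdicts

if __name__ == "__main__":
    # The receiver's own header reports softfail even though an upstream header says pass.
    print(spf_verdicts(RAW, "mx.receiver.test"))
```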

 

Using iO™ DMARC and SPF Checker Tools

Manual checks work, but they don’t tell the full story. The iO™ DMARC Email Deliverability Tool analyzes your SPF, DKIM, and DMARC alignment — identifying risks before they affect deliverability.

✅ Run your SPF record through the iO™ DMARC SPF Checker now and confirm your domain’s authentication setup.

 

Summary: Why Proper SPF Setup Protects Your Deliverability


SPF is the first line of defense in your domain’s email authentication strategy. It protects your customers from phishing, protects your brand from spoofing, and keeps your legitimate emails out of spam. Whether you’re managing a single domain or juggling multiple senders, understanding SPF syntax helps prevent costly mistakes.

🚀 Next Step: Check, test, and fix your SPF record in seconds with the iO™ DMARC Email Deliverability Tool.

 

Frequently Asked Questions


What is an SPF record and why does it matter?

An SPF record (Sender Policy Framework) is a type of DNS TXT record that lists the mail servers authorized to send emails for your domain. It helps prevent spoofing and phishing by allowing recipients to verify if a message truly came from you. A correctly configured SPF record improves email deliverability and reduces the chance of messages being flagged as spam.

Learn more about how SPF fits into your authentication stack in What Is SPF, DKIM, and DMARC? A Complete Guide.

 

How do I create a basic SPF record?

To create an SPF record:

  1. Log in to your DNS provider or registrar.

  2. Add a new TXT record at your root domain (@).

  3. Enter a value such as:

    v=spf1 a mx include:spf.example.com -all

  4. Replace spf.example.com with your provider’s SPF entry.

  5. Save your changes and allow time for DNS propagation (usually up to an hour).

Once live, verify it using the iO™ DMARC Email Deliverability Tool.

 

What do SPF mechanisms like a, mx, ip4, and include do?

SPF mechanisms define which servers can send mail for your domain:

| Mechanism | What It Does | Example |
|-----------|--------------|---------|
| a | Authorizes your domain’s A record host | a |
| mx | Authorizes your MX (mail) hosts | mx |
| ip4 / ip6 | Allows specific IP addresses | ip4:192.0.2.1 |
| include | Adds another domain’s SPF policy (e.g., your email provider) | include:_spf.google.com |

Each mechanism tells receiving servers who is allowed to send mail. If the sender doesn’t match, the message fails the SPF check.

Dive deeper in the “SPF Mechanisms Explained” section above.

 

What do SPF qualifiers like +, -, ~, and ? mean?

SPF qualifiers control how mail servers interpret results:

| Qualifier | Symbol | Behavior | Example |
|-----------|--------|----------|---------|
| Pass | + | Accept (default) | +a |
| Fail | - | Reject (hard fail) | -all |
| SoftFail | ~ | Accept but flag | ~all |
| Neutral | ? | No policy applied | ?all |

Use -all once your setup is verified for strict control, or ~all during testing. Avoid ?all, which weakens your SPF policy.

For detailed behavior, see SPF Hard Fail vs Soft Fail: Understanding -all vs ~all vs ?all.

 

How do I avoid the SPF 10 DNS lookup limit?

SPF policies can only perform 10 DNS lookups during evaluation. To stay within this limit:

  • Minimize include: mechanisms.

  • Use ip4 or ip6 where possible.

  • Consolidate multiple services using an SPF flattening tool.

  • Remove outdated or unused vendors.

Exceeding 10 lookups triggers a PermError, which can break authentication and harm deliverability.
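Lookups inside included records count toward the same limit, so a record with three lookup terms can still exceed it. The counter below is an added example, not from the original article: it walks include and redirect chains over a constructed in-memory zone (every name is made up) instead of live DNS, and it counts the worst case in which every term is evaluated.

```python
LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr", "redirect")  # per RFC 7208
LIMIT = 10

# Constructed zone data standing in for DNS TXT answers; every name is made up.
ZONE = {
    "example.test":     "v=spf1 mx include:_spf.mailer.test include:_spf.crm.test -all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test ~all",
    "_a.mailer.test":   "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailer.test":   "v=spf1 a:out.mailer.test exists:%{i}.ok.mailer.test ~all",
    "_spf.crm.test":    "v=spf1 include:_spf.mailer.test mx ~all",
    "trimmed.test":     "v=spf1 mx include:_spf.mailer.test ip4:203.0.113.5 -all",
    "stale.test":       "v=spf1 include:_spf.retired-vendor.test -all",
}

def count_lookups(domain, zone, chain=()):
    """Worst-case DNS lookups for the record at `domain`, following include/redirect."""
    if domain in chain:
        return 0, [f"include loop back to {domain}"]
    record = zone.get(domain)
    if record is None:
        return 0, [f"no SPF record at {domain} (broken include)"]
    total, problems = 0, []
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            name, target = "redirect", term.split("=", 1)[1]
        else:
            head, _, target = term.lstrip("+-~?").partition(":")
            name = head.split("/")[0].lower()
        if name not in LOOKUP_TERMS:
            continue                      # ip4, ip6, all and exp= do not count
        total += 1
        if name in ("include", "redirect"):
            nested, found = count_lookups(target, zone, chain + (domain,))
            total, problems = total + nested, problems + found
    return total, problems

def check_limit(domain, zone=ZONE):
    """Return (lookup_count, problems), flagging counts above the limit."""
    total, problems = count_lookups(domain, zone)
    if total > LIMIT:
        problems.append(f"{total} lookups > {LIMIT}: receivers return PermError")
    return total, problems

if __name__ == "__main__":
    for name in ("example.test", "trimmed.test", "stale.test"):
        print(name, check_limit(name))
```

In the constructed zone, example.test shows three lookup terms but costs 13; replacing the second include with a direct ip4 entry (trimmed.test) brings it to 6.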

Learn more in SPF Failure: Common SPF Errors and Fixes.

 

How can I test my SPF record?

You can test your SPF setup using:

  • Online SPF validators (like the iO™ DMARC SPF Checker).

  • DNS lookup tools such as dig or nslookup.

  • Sending test emails to Gmail or Outlook, then checking the message headers for spf=pass in the Authentication-Results field.

Consistently monitor bounce and spam rates; sudden drops may indicate SPF or DMARC misconfigurations.

 

What are common SPF mistakes to avoid?

Avoid these common SPF setup errors:

  • Publishing more than one SPF record per domain.

  • Exceeding the 10 DNS lookup limit.

  • Using deprecated mechanisms like ptr.

  • Forgetting to end your record with -all or ~all.

  • Keeping old or inactive include: entries from past vendors.

Maintain a single, accurate SPF TXT record and update it whenever you change mail providers or marketing platforms.

For troubleshooting and prevention tips, read What Does It Mean If SPF Fails?

 

 

 
