DNS guide
SPF Record Setup Guide
An SPF record lists the servers authorised to send email for your domain. Without one, any server can send email pretending to be from your domain. Here's how to build the right SPF record for your setup.
The golden rule
One SPF record per domain. Only one TXT record can start with v=spf1. Two SPF records = immediate PermError.
Building your SPF record
Google Workspace only
Google + SendGrid
Google + SendGrid + Microsoft 365
Self-hosted mail + Google
Verify SPF and lookup tree
Open DNS Preflight →Step by step
FAQ
What is an SPF record?
A TXT record that lists which servers are authorised to send email for your domain. Receivers check it to verify your email is legitimate.
What does ~all mean in SPF?
Softfail — unauthorised servers are marked suspicious but email is usually delivered. Start with ~all, switch to -all once all senders are confirmed.
How many DNS lookups does my SPF use?
Run DNS Preflight — the SPF tree shows each include expanded with a running count. Must stay under 10.
What if I need more than 10 lookups?
Flatten high-lookup providers by replacing include: with their actual IP addresses. See the SPF too many lookups fix guide.
Do I need SPF if I have DKIM?
Yes. SPF and DKIM serve different purposes. DMARC requires both to be configured for full protection.