Beep beep... Loading...
Beep beep... Loading...
Learn how SPF records help protect your domain from email spoofing and phishing attacks.
An SPF (Sender Policy Framework) record is a type of DNS TXT record that tells email servers which mail servers are allowed to send email on behalf of your domain. It helps prevent spammers and attackers from sending emails that appear to come from your domain (a technique called spoofing).
Format:
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"
Examples:
# Allow only Google Workspace to send email example.com. IN TXT "v=spf1 include:_spf.google.com ~all" # Allow Microsoft 365 and Google Workspace example.com. IN TXT "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all" # Block all email (domain does not send email) example.com. IN TXT "v=spf1 -all"
Think of an SPF record like a guest list for a party:
This tag identifies the record as an SPF record and must always be at the start.
Lets you include other domains' SPF records (e.g., your email provider's servers).
~all means "soft fail" (not authorized, but not strictly blocked). -all means "hard fail" (strictly block unauthorized senders).
v=spf1 include:_spf.google.com ~all
v=spf1 include:spf.protection.outlook.com -all
v=spf1 -all
You should only have one SPF record per domain. Having more can cause email delivery problems.
If you add a new email service (like a marketing platform), update your SPF record to include it.
~all is more forgiving, -all is stricter. Choose based on your needs.
Only include the services you actually use to send email.
Use online tools to check your SPF record for errors and make sure it's working as expected.
-all for Strict SecurityIf your domain should never send email, use v=spf1 -all to block all unauthorized senders.
SPF is just one part of email authentication. For best protection, also set up DKIM and DMARC records.
Regularly check your domain for unauthorized use and update your SPF record as needed.