How to set up SPF?

In this article

    What is SPF and how do I configure and set it up?

    An SPF record is a type of Domain Name Service (DNS) record that identifies which mail servers are permitted to send an email on behalf of your domain and/or can't send on behalf of your domain (whitelist and/or blacklist of IP / domains). Apply these restrictions by adding an MX record in your DNS zone. 

    Why is it Important?

    Today, nearly all abusive e-mail messages carry fake sender addresses. Spammers send email from their mail servers but with your ‘domain’ as the sending email. The victims whose addresses are being abused often suffer from the consequences, because their reputation gets diminished and they have to disclaim liability for the abuse or waste their time sorting out misdirected bounce messages.

    What is the purpose of SPF record?

    The purpose of an SPF record is to prevent spammers from sending messages with forged ‘From Addresses’ at your domain. Recipients can refer to the SPF record to determine whether a message purporting to be from your domain comes from an authorized mail server.

    How do you set up SPF Record?

    Before creating the SPF record for your domain, it is important to find out what the server address for the mail service to be authorised (which is going to be permitted to send emails on your behalf ).

    In this tutorial, SPF record will be set up for Google Apps. We will use:

    • Mailgun as our mail service (the email service to use to send the email - permitted to send email on behalf of your domain)
    • Google G Suite domain email address to "send as" (your ‘domain’ as the sending email - iow. what you see in 'from' address in your mailings and email)

      Note! This Google account's domain is hosted by Enom. Your domain settings and DNS may differ. Please contact your DNS support team for assistance.

    How to create DNS records for Office 365 when you manage your DNS records:

    You can follow the general instructions from Microsoft for creating DNS records for Office 365.

    Below you will find the instructions on:

    1. How to open the domain settings for the Google domain

    2. How to add the SPF record

    3. How to test a new SPF record

    1. How to open the domain settings for the Google domain 

    1. Log in to Google with your Google Administrators account, and open your Google Admin section:

    2. Open Domains.

      Note! The icon for opening Domains may be hidden by default and is then found under More controls.

    3. Under Domains, open Add/remove domains

    4. Click Advanced DNS settings to see your details.

      Note! This tutorials Google account's domain is hosted by Enom. This can be different for your Google account.
    5. Click Sign in to DNS console to open the DNS console window. You may have to sign into this DNS console with a separate DNS account.


    2. How to add the SPF record

    1. Go to Host Records in the DNS console. The existing SPF record for your Google account is there by default.

    2. We want to add which contains correct records for both Mailgun clusters (EU and US). Since there only should be one SPF record - we need to combine the existing one with the new. The actual TXT record to add is "v=spf1 ~all"

      Click Edit. Update the existing record (text field) with the new combined record. 

      Click Save to update the information.

      Note! Once you’ve added the records and they’ve propagated, it can take 24-48 hours for DNS changes to propagate.

    3. How to test a new SPF record

    There are several tools online to use - to test your SPF record.
    In this tutorial, we have used MX Toolbox

    1. Open the SPF tool:

    2. Add your domain (the one that you are going to send our mailings as) and click SPF Record Lookup.

    3. The result should show that is included and pass the test for 'allow'.



    • What’s the difference between ~all and -all
      • Given many receivers are not actively bouncing mail based on SPF pass/fail, there isn’t a strong argument for either -all or ~all in SPF records. For a while, Hotmail was advising that senders who published a -all record would have better delivery. This led to -all became a de-facto standard for a lot of ESPs and bulk senders. More recently, there does not seem to be any benefit to publishing -all even at Hotmail (,, etc).

        What should I publish?

        We recommend "~all" (soft fail if no matches) vs "-all" (hard fail if no matches) as a conservative measure. A soft mail means that the message will be tagged with a header documenting the failure, but will still be accepted. If you prefer a hard failure, ie "-all", then feel free to use that instead. There’s not a huge benefit to publishing -all and sometimes mail gets forwarded around. The one time we recommend a -all record is when a domain is getting forged into spam. Domain forgery can cause a lot of bounces. The number of bounces can be bad enough to take down a mail server, particularly those with a small userbase. Many ISPs will check SPF before sending back a bounce and so a -all record can decrease the amount of blowback the domain owner has to deal with.

    More info:

    Google article About SPF records