Question: How do I set up an SPF record for my Google Workspace domain?

Explanation: An SPF (Sender Policy Framework) record is a piece of text (a TXT record) that you add to your domain's DNS at your domain provider. To put it simply: your domain grants permission to a sending mail server (for example Google, Brevo, or your own website) to send email on behalf of your domain from their server (IP address).

The domain contains a text snippet in which you grant permission to a sending server, and other mail servers recognise this. As a result, emails you send through Google or any other party via your domain don't get flagged as SPAM. You can check which TXT records exist in your domain by visiting the Dig (Domain Information Groper) tool by Google.

How does SPF work technically?
When a mail server receives an email from your domain, it performs a DNS lookup for the SPF record of the sending domain. It then compares the IP address of the sending server with the IP addresses and hosts authorised in that SPF record.
  • Match, the IP is on the list: the email passes the SPF check.
  • No match: depending on the policy at the end of the record (~all or -all) the email is marked as suspicious or rejected.

SPF works on the basis of the envelope sender (the Return-Path), not the visible From address. That is an important difference with DKIM and DMARC, and the reason SPF alone is not enough to fully prevent spoofing.

SPF combined with DKIM and DMARC
SPF is one of the three pillars of email authentication. For optimal protection and deliverability you want all three configured:
  • SPF (Sender Policy Framework) defines which servers may send on behalf of your domain.
  • DKIM (DomainKeys Identified Mail) uses a digital signature to verify that the email was not altered in transit.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers what to do when SPF or DKIM fails, and sends reports back to the domain owner.
Since February 2024, Google and Yahoo require bulk senders to configure all three correctly. For regular business senders this has effectively become the standard as well.

Solution:

To set up an SPF record you need access to the DNS environment of the domain. This can be done through providers such as TransIP, Cloudflare, GoDaddy, Namecheap, Plesk or DirectAdmin. There you can edit TXT records via the DNS settings of the domain.

In most cases an SPF record already exists in the domain, added by the DNS host or another administrator. You can usually add Google by including include:_spf.google.com in the existing record, between v=spf1 and ~all (or -all).

Does your domain have no SPF record yet? Then add the following:

v=spf1 include:_spf.google.com ~all

1. Sign in to your DNS provider
Go to the website of the party where you registered your domain (for example TransIP, Cloudflare, GoDaddy or Namecheap) and open the DNS settings for the relevant domain.
2. Check whether an SPF record already exists
Look through the TXT records for an entry starting with v=spf1.
Warning: A domain may only have one SPF record. If there are multiple v=spf1 records side by side, SPF will fail for all senders. In that case, combine all authorised senders into a single record.
3. Add Google or create a new record
Extend an existing SPF record: add include:_spf.google.com before ~all or -all. A record that initially only allowed Brevo would then look like this:
v=spf1 include:spf.brevo.com include:_spf.google.com ~all

Create a new SPF record: add a new TXT record with the following values:

| Field | Value |
|---|---|
| Type | TXT |
| Name/Host | @ (or leave empty, depending on your provider) |
| Value | v=spf1 include:_spf.google.com ~all |
| TTL | Default (usually 3600 seconds) |
4. Wait for DNS propagation and validate
DNS changes can take up to 72 hours to roll out globally; in practice it usually takes 15 minutes to a few hours. Then check whether your SPF record is valid using:
Test your sending
Send a test email to a Gmail account, open the message, click the three dots in the top right and then 'Show original'. Next to SPF: you should see 'PASS' with your domain.
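
Steps 2 and 3 as an added example (not part of the original article): given the TXT records found on the domain, the function returns the single SPF record to publish and notes on what it did. The name plan_spf_record, the rule of keeping the first policy seen when merged records disagree, and the sample TXT values are assumptions of this sketch.

```python
GOOGLE = "include:_spf.google.com"

def is_spf(record):
    return record.split()[:1] == ["v=spf1"]

def plan_spf_record(txt_records, include=GOOGLE):
    """Return (record_to_publish, notes) for the TXT records found in step 2."""
    spf = [r.strip() for r in txt_records if is_spf(r.lower())]
    notes = []
    if not spf:
        return f"v=spf1 {include} ~all", ["no SPF record found: create a new one"]
    if len(spf) > 1:
        notes.append(f"{len(spf)} SPF records found: merged into one")
    terms, policies = [], []
    for record in spf:
        for term in record.split()[1:]:
            if term.lower().startswith("redirect="):
                # redirect= hands evaluation to another domain; do not rewrite blindly
                raise ValueError("record uses redirect=; edit it by hand")
            if term.lstrip("+-~?").lower() == "all":
                policies.append(term)
            elif term not in terms:
                terms.append(term)  # keep order, drop exact duplicates
    if include in terms:
        notes.append("Google is already authorised")
    else:
        terms.append(include)
    if len(set(policies)) > 1:
        notes.append(f"conflicting policies {sorted(set(policies))}: review")
    # Assumption of this sketch: keep the first policy seen, default to ~all.
    policy = policies[0] if policies else "~all"
    return " ".join(["v=spf1", *terms, policy]), notes
```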

Components of an SPF record explained:

| Mechanism | Description and values | Explanation |
|---|---|---|
| v | SPF version, must be the first tag in the record: v=spf1 | This is how the server recognises the protocol. |
| ip4 | Authorises mail servers by IPv4 address or address range. Example: ip4:192.168.0.1 | This is where you can give your web server access via its IPv4 address. |
| ip6 | Authorises mail servers by IPv6 address or address range | This is where you can give your web server access via its IPv6 address. |
| a | Authorises mail servers based on the domain name | If you want to send from your web server, you can add a to allow this. |
| mx | Authorises Mail eXchange records of domains | If you want your mail server to send via for example one IP address, add mx to the line. |
| include | Authorises third-party email senders per domain. Example: include:servers.mail.net | An external SPF record can be imported and used within your own domain. |
| all | All incoming messages must match the record | Not applicable. |
| ~all | Softfail qualification, receiving mail servers accept messages but flag them as suspicious | Emails get the benefit of the doubt. |
| -all | Fail qualification, receiving mail servers may reject messages | Emails that do not match the SPF record are rejected immediately. |
Warning: Maximum of 10 DNS lookups
A TXT record for SPF may not contain more than 10 references to other domains or servers. These references are called lookups. Every include, a, mx, ptr or exists in your record counts, including lookups that happen inside imported records.

Going above 10 results in a permerror and SPF fails entirely. Solutions include SPF flattening (using static IP addresses instead of include) or using an SPF macro management tool.
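
Counting lookups the way the warning describes, as an added example (not from the original article): the counter follows include targets recursively through constructed TXT data, so nested lookups are included in the total. The zone contents and the names count_lookups and lookup_status are assumptions; the redirect modifier is counted as well because RFC 7208 includes it in the limit.

```python
import re

# Constructed TXT data; the included records are invented for this example.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.a.example include:_spf.b.example ~all",
    "_spf.a.example": "v=spf1 include:_net1.a.example include:_net2.a.example ~all",
    "_net1.a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_net2.a.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.b.example": "v=spf1 a mx exists:%{i}.allow.b.example ~all",
    "_spf.c.example": "v=spf1 a mx ptr ~all",
}
# The five mechanisms named above; RFC 7208 also counts the redirect modifier.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

def count_lookups(domain, zone, path=()):
    """Count lookup-causing terms for domain, following include and redirect."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    total = 0
    for term in zone.get(domain, "").split()[1:]:
        name, target = (re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1) + [""])[:2]
        name = name.split("/")[0].lower()  # a/24 and mx/24 are still a and mx
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all cost nothing
        total += 1
        if name in ("include", "redirect"):
            # A target missing from the zone adds nothing beyond the include itself.
            total += count_lookups(target, zone, path + (domain,))
    return total

def lookup_status(domain, zone):
    """Return ("ok" | "permerror", number_of_lookups) for the domain's record."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > LIMIT else "ok"), n
```

With this data example.com uses 8 lookups; adding include:_spf.c.example brings it to 12 and a permerror, and replacing include:_spf.a.example with its two address ranges (flattening) brings it back to 9.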