What SPF does
SPF (Sender Policy Framework) is a DNS record that tells receiving mail servers which IP addresses and services are allowed to send email from your domain. When a server receives an email claiming to be from yourapp.com, it checks the SPF record to verify the sending server is authorized.
Without SPF, anyone can send email pretending to be your domain. With SPF, unauthorized senders are flagged or rejected.
Step 1: List your email senders
Before creating the record, identify every service that sends email from your domain:
- Your email delivery service (RelayPost, SendGrid, etc.)
- Your email hosting (Google Workspace, Microsoft 365)
- Marketing tools (Mailchimp, HubSpot, etc.)
- CRM systems that send email (Salesforce, etc.)
- Any application servers that send email directly
Each service provides an SPF include value. Check their documentation or DNS setup guides.
Step 2: Build the SPF record
Combine all your senders into a single TXT record. The format is:
v=spf1 [mechanisms] [qualifier]all
Common examples:
# RelayPost only
v=spf1 include:spf.relaypost.dev ~all
# RelayPost + Google Workspace
v=spf1 include:spf.relaypost.dev include:_spf.google.com ~all
# RelayPost + Google Workspace + Mailchimp
v=spf1 include:spf.relaypost.dev include:_spf.google.com include:servers.mcsv.net ~all
# RelayPost + Microsoft 365
v=spf1 include:spf.relaypost.dev include:spf.protection.outlook.com ~all
Step 3: Add the DNS record
Add a TXT record to your root domain (not a subdomain):
| Field | Value |
|---|---|
| Type | TXT |
| Name / Host | @ (or leave blank — means root domain) |
| Value | v=spf1 include:spf.relaypost.dev ~all |
| TTL | 3600 (1 hour) or your provider's default |
Step 4: Verify the record
# Check your SPF record
dig TXT yourapp.com +short
# Expected output includes:
"v=spf1 include:spf.relaypost.dev ~all"
Send a test email and check the headers for spf=pass:
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates ... as permitted sender)
SPF mechanism reference
| Mechanism | What it does | DNS lookups | Example |
|---|---|---|---|
| include: | Includes another domain's SPF record | 1+ | include:spf.relaypost.dev |
| ip4: | Authorizes a specific IPv4 address or range | 0 | ip4:192.0.2.1 |
| ip6: | Authorizes a specific IPv6 address or range | 0 | ip6:2001:db8::/32 |
| a | Authorizes the domain's A record IP | 1 | a |
| mx | Authorizes the domain's MX record IPs | 1 | mx |
| redirect= | Delegates SPF to another domain entirely | 1 | redirect=_spf.example.com |
The 10-lookup limit
SPF allows a maximum of 10 DNS lookups per evaluation. Each include:, a, mx, and redirect= counts as at least one lookup. Nested includes count too — if include:spf.relaypost.dev itself has 2 includes, that is 3 total lookups.
If you exceed 10 lookups, SPF returns a permanent error (permerror) and authentication fails for all email.
To reduce lookups:
- Replace include: with ip4: for services with static IPs
- Remove services you no longer use
- Use SPF flattening tools that resolve includes to IP addresses
- Consider using a subdomain for some senders (each subdomain gets its own 10-lookup budget)
Common mistakes
- Multiple SPF records on the same domain — merge into one
- Using +all — this authorizes everyone (defeats the purpose)
- Forgetting to add new services when you start using them
- Adding SPF to a subdomain when email is sent from the root domain
- Not testing after changes — always verify with dig and a test email
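The lookup budget from "The 10-lookup limit" and two of the mistakes listed above (multiple records, +all) can be checked before a record is published. The following is an added example, not code from this page or from RelayPost: it walks include: and redirect= chains over a constructed set of TXT records, so the nested names under spf.relaypost.dev, broken.example and every IP range are assumptions made for illustration.

```python
import re

# Constructed TXT data standing in for live DNS (names under spf.relaypost.dev,
# broken.example and all IPs are made up) so the check runs offline.
ZONE = {
    "yourapp.com": ["v=spf1 include:spf.relaypost.dev include:_spf.google.com ~all"],
    "spf.relaypost.dev": ["v=spf1 include:a.spf.relaypost.dev include:b.spf.relaypost.dev ~all"],
    "a.spf.relaypost.dev": ["v=spf1 ip4:192.0.2.0/25 ~all"],
    "b.spf.relaypost.dev": ["v=spf1 ip4:192.0.2.128/25 ~all"],
    "_spf.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "broken.example": ["v=spf1 mx +all", "v=spf1 a ~all"],
}
LOOKUP_LIMIT = 10
# Terms that cost a DNS query; RFC 7208 counts ptr and exists as well.
TERM = re.compile(r"[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=]([^/\s]+))?(?:/\S*)?$", re.I)

def spf_records(domain, zone):
    """Return only the TXT strings that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include: and redirect= recursively."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:   # include loop, or nothing to evaluate
        return 0
    total = 0
    for term in records[0].split()[1:]:
        m = TERM.match(term)
        if m:                                  # ip4:, ip6: and all do not match
            total += 1
            if m.group(1).lower() in ("include", "redirect") and m.group(2):
                total += count_lookups(m.group(2).lower(), zone, path + (domain,))
    return total

def lint(domain, zone):
    """Return findings for multiple records, +all and an exceeded lookup budget."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"{len(records)} SPF records found, need exactly 1"]
    findings = []
    if re.search(r"(?:^|\s)\+?all(?:\s|$)", records[0], re.I):  # bare "all" defaults to +
        findings.append("+all authorizes every sender")
    n = count_lookups(domain, zone)
    if n > LOOKUP_LIMIT:
        findings.append(f"{n} DNS lookups exceeds {LOOKUP_LIMIT}: permerror")
    return findings

if __name__ == "__main__":
    print({d: (count_lookups(d, ZONE), lint(d, ZONE)) for d in ZONE})
```

To run it against a real domain, fill the dictionary from dig TXT output for the domain and each name it includes.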
Frequently asked questions
What is an SPF record?
An SPF (Sender Policy Framework) record is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. Receiving servers check this record to verify the sender is legitimate.
Can I have multiple SPF records?
No. The SPF specification requires exactly one SPF record per domain. If you have multiple SPF records, authentication will fail. Merge all your authorized senders into a single record using multiple include: directives.
What does ~all vs -all mean?
~all (tilde, softfail) tells receivers that unauthorized senders should be treated with suspicion but not rejected. -all (hyphen, hardfail) tells receivers to reject unauthorized senders outright. Start with ~all during setup, then switch to -all once you've confirmed everything works.
How do I fix 'too many DNS lookups' in SPF?
SPF allows a maximum of 10 DNS lookups. Each include:, a, mx, and redirect counts as one lookup. To reduce lookups, replace include: directives with ip4: or ip6: directives where possible, or use SPF flattening tools.
How long does SPF take to propagate?
DNS propagation typically takes 1-4 hours, though it can take up to 48 hours depending on your DNS provider and TTL settings. You can check propagation using dig or online DNS lookup tools.