Define SPF Advanced
From: https://support.google.com/a/answer/10683907? sjid=16475661690433716483-NC






Define your SPF record—Advanced setup
Protect against spoofing & phishing, and help prevent messages from being marked as spam

Who this article is for

This article is for IT professionals and people who have experience setting up email servers. It has technical information about Sender Policy Framework (SPF), including SPF record requirements, SPF record syntax, and how SPF affects email delivery.

For a basic SPF record for sending email with Google Workspace only, or for Google Workspace plus your other email senders, follow the instructions in Define your SPF record—Basic setup.

Tip: If you send email with Google Workspace only, get your SPF record in Define your SPF record—Basic setup.

An SPF record defines the mail servers and domains that are allowed to send email on behalf of your domain. It also tells receiving servers what to do with messages after they’re checked. Receiving servers check your SPF record to verify that incoming messages that appear to be from your organization are sent from servers authorized by you.

Domains can have one SPF record. However, the SPF record for a domain can specify multiple servers and third parties that are allowed to send email for the domain.

Set up SPF by adding a DNS TXT record at your domain provider.

SPF record format

An SPF record is a line of plain text that includes a list of tags and values. The tags are called mechanisms. The values are typically IP addresses and domain names.

An SPF record is added to your domain provider in the form of a DNS TXT record. Learn more about DNS TXT records.

SPF records can have up to 255 characters. The TXT record file size should be no larger than 512 bytes.

SPF record mechanisms

Use the mechanisms in this table to create your SPF record. Receiving mail servers check messages against mechanisms in the order they are listed in the SPF record. Keep in mind:
Mechanism Description and allowed values

v
SPF version. This tag is required, and must be the first tag in the record. This mechanism must be:
v=spf1

ip4
Authorize mail servers by IPv4 address or address range. The value must be an IPv4 address or range in standard format, for example:
ip4:192.168.0.1
or
ip4:192.0.2.0/24

ip6
Authorize mail servers by IPv6 address or address range. The value must be an IPv6 address or range in standard format, for example:
ip6:3FFE:0000:0000:0001:0200:F8FF:FE75:50DF
or
ip6:2001:db8:1234::/48

a
Authorize mail servers by domain name, for example:
a:solarmora.com

mx
Authorize one or more mail servers by domain MX record, for example:
mx:mail.solarmora.com
If this mechanism isn't in your SPF record, the default value is the MX records of the domain where the SPF record is used.

include
Authorize third-party email senders by domain, for example:
include:servers.mail.net

all
Specifies that all incoming messages match. We recommend you always include this mechanism in your SPF record.
This must be the last mechanism in the SPF record. Any mechanism that comes after the all mechanism in an SPF record is ignored.
Should I use ~all or -all?
When an SPF record includes ~all (softfail qualifier), receiving servers typically accept messages from senders that aren't in your SPF record, but mark them as suspicious.
When an SPF record includes -all (fail qualifier), receiving servers may reject messages from senders that aren't in your SPF record. If your SPF record isn’t set up correctly, the fail qualifier might cause more messages from your domain to be sent to spam.
Tip: To prevent spoofing of domains that don’t send email, use this as the SPF record for the domain: v=spf1 ~all
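
The format and mechanism rules above can be checked mechanically before a record is published. The Python linter below is an added example, not part of the original article; the name lint_spf is hypothetical, and exists and ptr are accepted as known mechanisms from RFC 7208 although the table does not list them.

```python
import ipaddress

# Mechanisms from the table above, plus exists and ptr, which RFC 7208 also defines.
MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "include", "exists", "ptr"}

def lint_spf(txt_records):
    """Return findings for one domain's TXT records; an empty list means clean."""
    spf = [r for r in txt_records if r.split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"expected exactly one SPF record, found {len(spf)}"]
    record, findings = spf[0], []
    if len(record) > 255:
        findings.append(f"record is {len(record)} characters, limit is 255")
    terms = record.split()[1:]
    names = []
    for term in terms:
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.partition("/")[0].lower()    # tolerate forms such as a/24
        names.append(name)
        if "=" in name:
            continue                              # modifier (redirect=...), not a mechanism
        if name not in MECHANISMS:
            findings.append(f"unknown mechanism: {term}")
        elif name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(value, strict=False).version != int(name[2]):
                    raise ValueError(value)
            except ValueError:
                findings.append(f"invalid {name} value: {term}")
    if "all" in names:
        pos = names.index("all")
        ignored = [t for t in terms[pos + 1:] if "=" not in t]
        if ignored:
            findings.append(f"ignored after all: {' '.join(ignored)}")
        if terms[pos][0] not in "-~":
            findings.append(f"{terms[pos]} does not fail or softfail unlisted senders")
    elif not any(n.startswith("redirect=") for n in names):
        findings.append("no all mechanism: unlisted senders get a neutral result")
    return findings
```

Pass it every TXT string published at the domain, so that a second v=spf1 record is caught as well as syntax problems inside one record.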

SPF record qualifiers

A qualifier is an optional prefix you can add to any mechanism in your SPF record. Qualifiers tell the receiving mail server whether to consider a message authenticated when there's a match with a mechanism value, for example:

v=spf1 include:_spf.google.com -all

In this example, the SPF record authorizes only Google Workspace to send emails for your domain. The all mechanism has a fail qualifier ( - ), so messages from any other senders fail the SPF check and may be rejected by the receiving server.

Mechanisms are checked in the order they occur in the SPF record. If a mechanism doesn’t have a qualifier and there’s a match, the default action is pass authentication. When there's no mechanism match, the default action is neutral: the message doesn't pass or fail authentication.

Use these optional qualifiers to tell receiving mail servers how to handle messages that match mechanisms in the SPF record.
Qualifier Action receiving server takes with a match

+
Passes authentication. The server with matching IP address is authorized to send for your domain. Messages are authenticated. This is the default action when the mechanism doesn’t use a qualifier.

-
Fails authentication. The server with matching IP address is not authorized to send for the domain. The SPF record doesn’t include the sending server IP address or domain so messages won’t pass authentication.

~
Softfails authentication. It's unlikely that the server with matching IP address is authorized to send for the domain. The receiving server will typically accept the message but mark it as suspicious.

?
Neutral. Neither passes nor fails authentication. The SPF record doesn’t explicitly state that the IP address is authorized to send for the domain. SPF records with neutral results often use ?all.
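
The ordered, first-match evaluation described above, with qualifiers mapped to results, is shown in the following Python sketch. It is an added example, not part of the original article: check_spf, its includes parameter (a dictionary standing in for DNS lookups), RECORD and INCLUDES are hypothetical, the sample records are constructed from the article's example values, and the a and mx mechanisms are skipped because they need live DNS.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, includes=None):
    """Evaluate sender_ip against record; includes maps domain -> SPF record."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:                  # skip v=spf1
        qualifier = term[0] if term[0] in RESULTS else "+"   # no qualifier means +
        name, _, value = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            sub = (includes or {}).get(value)
            if sub is None:
                return "permerror"                   # RFC 7208: included domain has no record
            # include matches only if the included record returns pass;
            # a fail inside it does not fail the outer record
            matched = check_spf(sub, sender_ip, includes) == "pass"
        else:
            continue                                 # a, mx, ...: need DNS, not evaluated here
        if matched:
            return RESULTS[qualifier]                # first match wins
    return "neutral"                                 # no mechanism matched

# Constructed sample data built from the example values in the tables above.
RECORD = "v=spf1 ip4:192.0.2.0/24 include:servers.mail.net ~all"
INCLUDES = {"servers.mail.net": "v=spf1 ip6:2001:db8:1234::/48 -all"}
```

With these samples, an address outside both ranges gets softfail from the outer ~all even though the included record ends in -all, because include only contributes a match when the included record passes.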

Next steps

After you’ve created the SPF record for your domain, add your SPF record at your domain provider.