Email Deliverability

SPF Record

A DNS record that tells the internet which servers are allowed to send email from your domain.

critical severity

SPF (Sender Policy Framework) is a DNS TXT record at your root domain. It lists the mail servers and services authorized to send email on your behalf. When someone receives an email from an address at your domain, their email provider checks your SPF record to verify that the sending server is on the allowed list.

An SPF record looks like this:

v=spf1 include:_spf.google.com include:_spf.resend.com ~all

The ~all at the end means "all other servers should softfail" - mark as suspicious but don't reject. Use -all for hard rejection once you're confident the record is complete.

Without SPF, email providers have no way to verify whether an email from your domain is genuine. The consequences:

  • Your emails land in spam. Gmail, Outlook, and Yahoo use SPF as a key deliverability signal.
  • Anyone can impersonate you. Without SPF, there's nothing stopping a spammer from sending email that claims to come from an address at your domain.
  • Domain reputation damage. Even if your emails get through today, repeated failures lower your domain's long-term reputation.

Since 2024, Gmail and Yahoo formally require SPF for senders over 5,000 emails/day - and penalize domains without it at lower volumes too.

  1. List every service that sends email from your domain: your email provider (Google Workspace, Microsoft 365), transactional email service (Resend, Postmark, SendGrid), CRM, newsletter tool, etc.
  2. Get the SPF include value from each service's documentation (usually in their "Authentication" or "Domain setup" section).
  3. Combine them into one TXT record at your root domain:
    v=spf1 include:_spf.google.com include:_spf.resend.com ~all
  4. Add it in your DNS settings (Cloudflare, Namecheap, GoDaddy, Route 53, etc.) as a TXT record for @ or your root domain.
  5. Verify with: nslookup -type=TXT yourdomain.com or mxtoolbox.com/spf.aspx
  6. Once you've confirmed all your email is covered, harden to -all.

| Service | SPF include value |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Resend | include:_spf.resend.com |
| Postmark | include:spf.mtasv.net |
| SendGrid | include:sendgrid.net |
| Mailgun | include:mailgun.org |
| Amazon SES | include:amazonses.com |
| Brevo (Sendinblue) | include:spf.sendinblue.com |

Note: you can only have one SPF TXT record. Combine all includes into a single record - multiple SPF records will break validation.
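
The checks from the steps and the note above can be run over the TXT strings returned by nslookup. This is an added example, not code from this page or its scanner; the names lint_spf, is_spf and SAMPLE are hypothetical, and the 10-lookup cap it mentions comes from RFC 7208 rather than from this page.

```python
# Added example: lint the TXT strings published at a domain's root for SPF problems.
# Works on strings you paste in (e.g. from nslookup output); it makes no DNS queries.

# Terms that each cost one DNS lookup; RFC 7208 caps an evaluation at 10 in total.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")

def is_spf(txt):
    t = txt.lower()
    return t == "v=spf1" or t.startswith("v=spf1 ")

def lint_spf(txt_records):
    """Return {'record', 'lookups', 'findings'} for a domain's TXT records."""
    records = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in records if is_spf(r)]
    result = {"record": None, "lookups": 0, "findings": []}
    if not spf:
        result["findings"].append("no SPF record published")
        return result
    if len(spf) > 1:
        result["findings"].append(f"{len(spf)} SPF records published; merge them into one")
        return result
    result["record"] = spf[0]
    all_qualifier, has_redirect = None, False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # no prefix means '+'
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("/", 1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif body.startswith("redirect="):
            has_redirect = True
            result["lookups"] += 1
        elif name in LOOKUP_TERMS:
            result["lookups"] += 1
    if result["lookups"] > 10:
        result["findings"].append("more than 10 DNS-lookup terms before nested includes are counted")
    if all_qualifier is None and not has_redirect:
        result["findings"].append("no 'all' term: unlisted servers get a neutral result")
    elif all_qualifier in ("+", "?"):
        result["findings"].append(f"'{all_qualifier}all' does not restrict unlisted servers")
    elif all_qualifier == "~":
        result["findings"].append("'~all' is softfail; harden to '-all' once every sender is listed")
    return result

# Constructed sample input: the record from this page next to an unrelated TXT record.
SAMPLE = ['"v=spf1 include:_spf.google.com include:_spf.resend.com ~all"',
          "site-verification=constructed-value"]

if __name__ == "__main__":
    print(lint_spf(SAMPLE))
```

The lookup count covers only the terms in the record itself; each include can pull in further lookups on the provider's side, so treat the number as a lower bound.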
