Table of contents
Example H2
Example H3
Example H4
Experience
Agent Frank

Get a uniquely crafted email delivered in your inbox in seconds

It's being carefully crafted by AI
Please check your mailbox
Something went wrong. Please try again
Learn more
Get insights delivered straight into your inbox every week!
Blog
Tutorials & Guides

SPF Record Setup: Step-by-Step Guide

By
Iga Wójtowicz
November 13, 2025
5 min read
Share on

SPF records are essential for email authentication. They specify which servers can send emails on your domain's behalf, helping reduce spam and improve deliverability. Misconfigured SPF records can lead to emails being marked as spam or rejected. Here's what you need to know to set them up correctly:

  • What is an SPF Record? A DNS TXT record that lists authorized email-sending servers for your domain.
  • Why it Matters? It protects your domain's reputation, improves email deliverability, and prevents blacklisting.
  • Key Steps:
    1. Identify all email-sending sources (e.g., Google Workspace, Mailchimp).
    2. Create a single SPF record using mechanisms like ip4:, include:, and ~all.
    3. Avoid exceeding the 10 DNS lookup limit.
    4. Publish the record in your DNS settings.
    5. Test using tools like MXToolbox to ensure proper configuration.

Pro Tip: Use tools like Mailforge to automate SPF setup, especially if managing multiple domains. Proper email authentication, including pairing SPF with DKIM and DMARC, ensures your emails land in inboxes while safeguarding your domain's credibility.

Planning Your SPF Record Setup

Gather Required Information

Before diving into SPF record creation, it's crucial to compile a thorough list of all services and IP addresses authorized to send emails on behalf of your domain. Overlooking even one sender could lead to legitimate emails being rejected or marked as spam.

Start by identifying every email source tied to your domain. This includes primary email providers, marketing platforms, CRMs, and automated systems like support ticketing tools, e-commerce notifications, or backup email services that send messages periodically.

Make sure you have administrative access to your DNS management console. This requires login credentials and appropriate permissions from your domain registrar or DNS hosting provider. Confirming access beforehand can save you from unexpected delays during the setup process.

Next, document the exact SPF mechanisms required for each service. For example, Google Workspace uses include:_spf.google.com, while Mailchimp relies on include:servers.mcsv.net. It’s a good idea to consult your IT, marketing, and sales teams to ensure no email-sending source is missed. A single oversight today could lead to delivery issues in the future.

To stay organized, create a centralized document or spreadsheet. List each service, its required SPF syntax, and the team responsible for managing it. This resource will prove invaluable for future updates or troubleshooting.

Know SPF Record Limitations

SPF records come with technical constraints that can be tricky to navigate, even for seasoned administrators. Understanding these limitations upfront can help you avoid common pitfalls that might disrupt email deliverability.

First, remember that each domain can only have one SPF record. Adding multiple SPF records will cause validation errors, potentially leading to email delivery failures. If an existing SPF record is already in place, you’ll need to merge all authorized senders into a single, comprehensive record.

One of the biggest challenges is the 10 DNS lookup limit. Each include, a, mx, and redirect mechanism in your SPF record counts toward this limit, including any nested lookups within included records. For instance, include:_spf.google.com might perform three lookups internally, which are all counted against your total. Additionally, SPF records are limited to 255 characters per TXT record.

Statistics emphasize how easy it is to make mistakes. A survey of over 12 million domains found that while 56.5% had SPF records, 2.9% contained errors or undefined rules that compromised their effectiveness. These figures underscore the importance of careful planning and execution.

For organizations managing high-volume cold email campaigns, these technical constraints can quickly become overwhelming. Manual SPF record management across hundreds - or even thousands - of domains increases the likelihood of errors. Tools like Mailforge simplify this process by offering bulk DNS updates and automated SPF management, reducing human error while ensuring compliance with technical requirements.

If you’re nearing the DNS lookup limit, consider using SPF flattening tools. These tools condense complex SPF records into simpler versions while preserving all necessary authorizations. However, flattened records require more frequent updates, especially when third-party services change their IP addresses.

With this preparation in place, you’re ready to access your DNS management console and start building your SPF record.

How to Set Up SPF Records

Access Your DNS Management Console

Start by logging into your domain provider's DNS console and navigating to the DNS settings. Look for sections labeled something like "DNS Management", "Name Server Management", or "Zone File Settings." The exact terminology depends on your provider - Cloudflare, for instance, calls it "DNS", while GoDaddy uses "Manage DNS." Make sure you have administrative access since DNS changes require full permissions.

Once inside, review your existing DNS records. Pay close attention to any TXT records and check if there’s already an SPF record for your domain - remember, you can only have one SPF record per domain. If you manage multiple domains for cold email campaigns, tools like Mailforge can automate SPF setup across hundreds or even thousands of domains, helping you avoid configuration mistakes. After confirming no duplicate SPF records exist, you’re ready to create your new record.

Build Your SPF Record

Every SPF record starts with v=spf1, which specifies the version. After that, you’ll add mechanisms to define which servers are authorized to send emails on behalf of your domain. Common mechanisms include:

  • ip4: for IPv4 addresses
  • include: to authorize third-party services
  • a for your domain’s A record
  • mx for mail servers

For example, let’s say you use Google Workspace and have a dedicated sending IP address. Your SPF record might look like this:
v=spf1 ip4:203.0.113.25 include:_spf.google.com ~all

The qualifier at the end (~all or -all) determines how strictly the SPF record is enforced. Using ~all results in a soft fail - unauthorized emails are flagged as suspicious but still delivered. On the other hand, -all enforces a hard fail, rejecting unauthorized emails outright. For cold email campaigns, ~all is usually the safer choice to avoid blocking legitimate messages by mistake.

Here’s another example for a business using both Google Workspace and Mailchimp:
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all
This record allows both Google and Mailchimp to send emails on behalf of your domain.

Keep in mind the 10 DNS lookup limit - each include, a, mx, or redirect mechanism counts toward this limit. Once your SPF record is ready, you can move on to publishing it.

Publish Your SPF Record

Now it’s time to add your SPF record to your DNS settings. In your DNS management console, create a new TXT record. Set the "Host" or "Name" field to "@" if it applies to your root domain, or specify a subdomain if needed.

Paste your SPF record into the "Value" or "TXT Data" field. Double-check the syntax to avoid errors. For the TTL (Time To Live) setting, you can leave it at the default value or set it to 3,600 seconds (1 hour).

Before saving, confirm that you’re not creating a duplicate SPF record. Having more than one SPF record for a domain violates Internet Engineering Task Force guidelines and can result in a PermError, which could cause all your emails to be rejected or marked as spam.

Once you save your changes, DNS propagation begins. While it often completes within minutes or a few hours, it can take up to 48 hours depending on your provider’s TTL settings and global DNS server updates.

"Procedures that usually took hours (setting DKIM, SPF, etc. records) for multiple domains, now take a few minutes" - Danny Goff, Director of Sales, Propeller

For those managing multiple domains, Mailforge offers a bulk DNS update feature, allowing you to modify records across numerous domains with just a few clicks - perfect for agencies and enterprises running large-scale cold email campaigns.

Once your SPF record is live, verify it using SPF lookup tools like MXToolbox or by sending test emails. Check the email headers to confirm SPF authentication is working as expected. This final step ensures everything is properly set up.

How to Test Your SPF Record

Use SPF Lookup Tools

Once your SPF record is published and DNS propagation is complete, the next step is to ensure everything is set up correctly. Tools like MXToolbox, Kitterman, or Google Admin Toolbox can help you confirm your SPF record is working as intended and identify any potential problems.

To get started, enter your domain name into one of these tools and run a search. The tool will display your SPF record exactly as it appears in your DNS settings. Check to see if the record is present, correctly formatted, and adheres to proper syntax rules. A valid SPF record will show the mechanisms you've included (like include: statements or IP addresses) along with the qualifier (~all or -all).

Pay close attention to any error messages that pop up. Common issues include:

  • Syntax errors: Mistakes in the record's format.
  • Multiple SPF records: Having more than one SPF record can cause a PermError.
  • Exceeding the DNS lookup limit: SPF records are limited to 10 DNS lookups. If your record exceeds this, you'll need to simplify it by consolidating include mechanisms or reducing references to third-party services.

Additionally, make sure your SPF record doesn't exceed the 255-character limit for TXT records. If it does, you may need to combine services or use IP ranges to stay within the limit.

Once you've verified the technical details, move on to testing how your emails are actually delivered.

Test Email Deliverability

Verifying your SPF record with lookup tools is important, but it doesn’t guarantee your emails will land in inboxes. To ensure proper email deliverability, send test emails from your domain to major providers like Gmail, Outlook, and Yahoo.

After sending a test email, open the received message and inspect the full email headers. Look for fields such as "Received-SPF" or "Authentication-Results." These will indicate whether your SPF record is functioning correctly. Here's what the results mean:

  • spf=pass: The sending IP is authorized, and your SPF setup is working.
  • spf=fail: The sending IP isn’t authorized, and the email may be rejected or marked as spam.
  • spf=softfail: The IP isn’t authorized, but the email is accepted with a warning (common with ~all).
  • spf=neutral: The SPF record doesn’t specify whether the IP is authorized.

If you see spf=fail, double-check that all your sending IPs and services are correctly listed in your SPF record. Some email providers use unexpected outbound IPs, so refer to their documentation to ensure your include statements are accurate.

Keep in mind that DNS propagation can take up to 48 hours. If you’ve recently updated your SPF record, your test results might be inconsistent during this period. Wait until propagation is complete before making any final assessments.

For businesses managing multiple domains, platforms like Mailforge simplify the process. With automated DNS setup, Mailforge ensures SPF records are configured correctly across hundreds or even thousands of domains. Its bulk DNS update feature also makes it easy to adjust and retest SPF records whenever your email infrastructure changes.

Common SPF Record Errors and Fixes

Once you've set up your initial SPF configuration, it’s crucial to address common errors that can disrupt email deliverability and impact your cold email campaigns. Here’s how to tackle some of the most frequent issues.

Fix Duplicate SPF Records

Having more than one SPF record for a single domain is a direct violation of SPF specifications. This mistake triggers a PermError, which can lead to emails being rejected or flagged as spam.

Duplicate SPF records often arise when multiple teams manage email settings without proper coordination. To check for duplicates, review your DNS management console for multiple TXT records that start with "v=spf1" on the same domain.

Solution: Combine all authorized sending mechanisms into one SPF record. For example, if you have the following conflicting records:

  • v=spf1 include:_spf.google.com ~all
  • v=spf1 ip4:192.168.1.100 include:mailgun.org -all

You should merge them into a single record like this:

v=spf1 include:_spf.google.com ip4:192.168.1.100 include:mailgun.org ~all

Make sure to choose just one policy qualifier (~all or -all) for the consolidated record. Once updated, remove any duplicate entries from your DNS settings to avoid errors.

Stay Within DNS Lookup Limits

SPF records are limited to 10 DNS lookups during validation. Exceeding this limit results in a PermError, causing SPF authentication to fail entirely.

Each include: statement in your SPF record counts as one lookup. However, these includes can trigger additional nested lookups. For instance, include:_spf.google.com might perform several hidden lookups.

How to fix it: Audit your SPF record to identify and remove redundant entries. Replace hostname-based mechanisms with direct IP addresses whenever possible. For smaller services, ask providers for their exact IP ranges and use ip4: or ip6: mechanisms instead of include: statements.

If you rely on multiple third-party services, consider consolidating them under a single provider. Some email platforms offer unified SPF mechanisms that cover multiple services, helping you stay within the 10-lookup limit.

Update SPF Records for New Sending Sources

Whenever you add a new email service, update IP addresses, or modify your infrastructure, your SPF record needs to be updated too. If you skip this step, emails sent from unlisted sources will fail SPF checks. Depending on your policy qualifier, these emails might either be flagged as spam (~all) or rejected outright (-all).

What to do: Get the exact SPF mechanism from your email service provider before making updates. Most providers share detailed SPF instructions in their documentation. After updating your SPF record, use SPF lookup tools to verify the changes and ensure you haven’t exceeded the 10-lookup limit. Keep in mind that DNS updates may take up to 48 hours to propagate fully.

For businesses managing multiple domains, platforms like Mailforge can simplify the process. Mailforge automates DNS setup and bulk updates, ensuring all SPF records are configured correctly from the start. When you add new domains or mailboxes, Mailforge automatically applies best practices, reducing the chances of manual errors.

Its bulk DNS update feature is especially helpful for large-scale operations. Instead of manually updating SPF records for hundreds or thousands of domains, you can apply changes across all domains with just a few clicks. This saves time and effort while maintaining proper email authentication across your entire infrastructure.

Next, we’ll explore strategies for managing SPF records efficiently at scale to support your cold email efforts.

Managing SPF at Scale for Cold Email

Running cold email campaigns across dozens - or even hundreds - of domains can get messy fast. Managing SPF records manually in such a setup is not just time-consuming; it’s a recipe for errors that can tank your deliverability rates. A small mistake in your SPF configuration can ripple across your entire operation, making effective management a top priority.

Handling SPF for Multiple Domains and Mailboxes

Scaling up cold email campaigns introduces challenges you simply don’t face when working with a single domain. Centralized management becomes a must when juggling hundreds or even thousands of domains at once.

The biggest challenge? Consistency. Each domain needs a properly configured SPF record, but those records also need to authorize the same sending sources. If you add a new email service or change IP addresses, every single domain’s SPF record has to be updated to maintain authentication.

To stay organized, keep a detailed inventory of all your sending services, IP addresses, and authorized sources. Regularly audit your records to catch errors early, and use templates for common SPF configurations to avoid starting from scratch every time. A study of over 12 million domains revealed that while 56.5% had SPF records, 2.9% contained errors or undefined rules that weakened their effectiveness. A streamlined approach like this not only reduces errors but also improves deliverability across your campaigns.

Automating SPF Setup with Mailforge

Mailforge

When managing SPF at scale, automation isn’t just helpful - it’s essential. This is where Mailforge steps in, automating DNS setup for SPF, DKIM, and DMARC records across all your domains.

With Mailforge, the automated DNS setup takes care of everything, following best practices so you don’t need technical expertise. Once you add domains to the platform, it automatically generates and publishes the correct SPF records. What might take hours of manual effort is reduced to just a few minutes.

Need to update SPF records across your domain portfolio? Mailforge’s bulk DNS update feature lets you make changes to hundreds - or even thousands - of domains with just a few clicks. Instead of logging into countless DNS management consoles, you can handle it all within the app. For teams scaling rapidly, Mailforge’s speed is a game-changer, with setup times under 10 minutes for new domains and mailboxes. It’s no wonder over 10,000 businesses, from small startups to Fortune 500 companies, rely on Mailforge to streamline their operations.

Combining SPF with Other Authentication Protocols

While automating SPF setup solves one piece of the puzzle, true email authentication requires layering additional protocols like DKIM and DMARC. Together, these protocols create a robust framework that boosts deliverability and safeguards your brand’s reputation.

Here’s how it works:

  • SPF verifies that emails are sent from authorized servers.
  • DKIM adds cryptographic signatures to ensure messages aren’t altered in transit.
  • DMARC ties it all together, enabling you to set policies for handling failed SPF or DKIM checks and providing detailed reporting on authentication issues.

Managing these protocols manually across multiple domains is overwhelming. Mailforge simplifies the process by automatically configuring SPF, DKIM, and DMARC for every domain, ensuring they work in harmony. For cold email campaigns, where deliverability directly impacts results, this integrated approach is essential.

DMARC’s reporting features are especially useful when working with numerous domains. They help you spot authentication issues early, so you can resolve problems before they affect your campaigns. Automated tools like Mailforge not only handle the setup but also provide ongoing monitoring, keeping your cold email infrastructure running smoothly and effectively.

Conclusion

Getting your SPF records right is a crucial step for cold email success. If you miss any part of the process - like identifying authorized sources, setting up the correct syntax, publishing to DNS, or testing - your emails could end up in spam folders instead of inboxes.

For cold email campaigns, where sender reputation is especially delicate, having properly configured SPF records is your first line of defense against deliverability problems. Without them, receiving servers can’t verify the legitimacy of your emails, making them easy targets for spam filters.

The complexity only grows when you’re managing multiple domains. Configuring SPF records manually across hundreds - or even thousands - of domains leaves plenty of room for costly errors.

That’s where automation steps in to save the day. Tools like Mailforge simplify the process, reducing hours of manual DNS work to just a few minutes. Danny Goff, Director of Sales at Propeller, highlights this efficiency:

"Procedures that usually took hours (setting DKIM, SPF, etc. records) for multiple domains, now take a few minutes."

With over 10,000 businesses relying on its platform, Mailforge automates SPF setup, minimizing human error while ensuring your records meet industry standards and fit seamlessly into your email authentication strategy.

Whether you’re managing one domain or a thousand, a solid SPF setup is non-negotiable for protecting your sender reputation and getting the most out of your cold email campaigns. Whether you choose a manual approach or an automated solution, investing in proper authentication pays off with better deliverability and stronger campaign results.

FAQs

What mistakes should I avoid when setting up SPF records for multiple domains?

When setting up SPF records for multiple domains, there are a few missteps you’ll want to avoid:

  • Hitting the DNS lookup limit: SPF records have a limit of 10 DNS lookups. Overloading your record with too many include mechanisms can cause it to fail. To avoid this, streamline your entries or use tools designed to flatten SPF records.
  • Syntax errors: Small mistakes - like missing spaces or misusing mechanisms such as include or all - can invalidate your SPF record. Always double-check your syntax before making it live.
  • Overlooking updates for all domains: If you’re managing several domains, make sure SPF records are configured correctly for each one. Skipping updates or failing to sync DNS settings across domains can lead to email deliverability problems.

Steering clear of these errors will help keep your emails out of spam folders and improve overall deliverability.

Why is setting up an SPF record important for email deliverability in cold email campaigns?

Setting up an SPF (Sender Policy Framework) record is a key step in ensuring your cold email campaigns reach their intended recipients. By verifying that your emails are sent from authorized servers, SPF reduces the likelihood of your messages being flagged as spam.

Using platforms like Mailforge, you can automate the SPF setup process. This streamlines authentication, boosts your chances of landing in the inbox, and strengthens trust with email providers - an essential factor for successful email outreach.

How can I effectively manage SPF records when adding new email services or updating IP addresses?

To keep your emails landing in inboxes and protect your sender reputation, managing your SPF records is a must - especially when you’re adding new email services or updating IP addresses. SPF (Sender Policy Framework) is a type of DNS record that tells email providers which servers are allowed to send emails on behalf of your domain.

Mailforge simplifies this process with its automated SPF setup feature. This tool helps you avoid manual mistakes, keeps your SPF records current, and ensures your emails are delivered as intended. For businesses handling large-scale email operations, Mailforge also makes managing multiple domains and mailboxes more efficient, so you can adapt to changes seamlessly without interrupting your campaigns.