No SPF Record Found
Your domain doesn't have an SPF record, which means anyone can send email that appears to come from your domain. Here's how to create your first SPF record to protect against spoofing.
What it means to have no SPF record
SPF (Sender Policy Framework) is a DNS TXT record that tells receiving mail servers which servers are authorized to send email on behalf of your domain. Without an SPF record, there is no way for receiving servers to distinguish between legitimate email from your domain and forged email from attackers.
When a receiving server encounters an email from a domain with no SPF record, the SPF check returns a result of "none." This means no SPF-based decision can be made, and the email is treated as if it could be legitimate. Major email providers like Google, Microsoft, and Yahoo increasingly require SPF records and may penalize domains that lack them.
Security risks
Not having an SPF record exposes your domain and your brand to several serious threats:
Email spoofing
Anyone can forge emails that appear to come from your domain. Recipients and their mail servers have no way to detect the forgery through SPF.
Phishing campaigns
Attackers can send convincing phishing emails using your domain name, tricking recipients into revealing passwords, financial information, or downloading malware.
Deliverability problems
Major providers like Gmail, Outlook, and Yahoo increasingly require SPF. Emails from domains without SPF are more likely to be flagged as spam or rejected.
Brand reputation damage
If attackers use your domain for spam or phishing, your domain's reputation with email providers will suffer. This affects the deliverability of your legitimate emails.
How to create your first SPF record
Creating an SPF record involves identifying your email senders, building the record, and adding it to your DNS. Follow these steps:
Identify all your email senders
Make a complete list of every service and server that sends email from your domain. Common senders include:
- Email provider — Google Workspace, Microsoft 365, Zoho Mail, etc.
- Marketing platforms — Mailchimp, Constant Contact, HubSpot, etc.
- Transactional email — SendGrid, Amazon SES, Postmark, Mailgun, etc.
- CRM systems — Salesforce, HubSpot CRM, etc.
- Helpdesk tools — Zendesk, Freshdesk, Intercom, etc.
- Custom applications — Your own servers or applications that send email
Find each service's SPF include value
Each email service provider publishes their SPF include value in their documentation. Search for "[service name] SPF record" to find it. Common values are listed in the provider examples below.
Build your SPF record
Combine all your senders into a single SPF record. Every SPF record starts with
v=spf1 and ends with -all. In between, list each
authorized sender using include: or ip4:/ip6:
mechanisms.
v=spf1 [sender1] [sender2] [sender3] -all
Add the TXT record to your DNS
Log into your DNS provider and add a new TXT record. Set the host/name to @
(or your domain name) and paste your SPF record as the value. See the DNS section
below for detailed instructions.
Verify and monitor
After adding the record, verify it using Domain Guarddog or command-line tools. Set up DMARC with reporting to monitor SPF pass/fail rates and catch any legitimate senders you may have missed.
Provider-specific examples
Choose the example that matches your email setup. If you use multiple services, combine their
include: values into one record.
Google Workspace
If you use Gmail through Google Workspace for your business email:
v=spf1 include:_spf.google.com -all
Microsoft 365
If you use Outlook through Microsoft 365:
v=spf1 include:spf.protection.outlook.com -all
Amazon SES
If you send transactional email through Amazon Simple Email Service:
v=spf1 include:amazonses.com -all
Generic (custom mail server)
If you run your own mail server, use your server's IP address directly:
v=spf1 ip4:203.0.113.10 -all
Replace 203.0.113.10 with your actual mail server's IP address. You can also use CIDR notation for IP ranges: ip4:203.0.113.0/24.
Google Workspace + SendGrid
If you use Google Workspace for email and SendGrid for marketing or transactional email:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Microsoft 365 + Amazon SES + Mailchimp
If you use Microsoft 365, Amazon SES, and Mailchimp:
v=spf1 include:spf.protection.outlook.com include:amazonses.com include:servers.mcsv.net -all
Domain that doesn't send email
If your domain doesn't send any email at all, you should still publish an SPF record to prevent spoofing:
v=spf1 -all
This tells receiving servers that no server is authorized to send email from this domain, and all emails should be rejected.
include counts as at least 1 lookup (plus any nested lookups within the
included record). ip4 and ip6 do not count. If you have many
services, consider using subdomains for different sending purposes — each subdomain
gets its own 10-lookup budget.
How to add a TXT record in DNS
The exact steps vary by DNS provider, but the general process is the same. Here's how to add your SPF TXT record:
Log into your DNS provider
Go to your domain registrar or DNS hosting provider's control panel. Common providers include Cloudflare, GoDaddy, Namecheap, Route 53 (AWS), Google Domains, and DigitalOcean.
Navigate to DNS management
Find the DNS management or DNS records section for your domain. This is sometimes labeled "DNS Zone," "DNS Settings," or "Manage DNS."
Add a new TXT record
Click "Add Record" or similar and fill in the following fields:
| Field | Value |
|---|---|
| Type | TXT |
| Host / Name | @ (or leave blank, depending on provider) |
| Value / Content | Your SPF record (e.g., v=spf1 include:_spf.google.com -all) |
| TTL | 3600 (1 hour) or your provider's default |
Save the record
Click "Save," "Add Record," or "Create" to publish the record. DNS changes typically propagate within a few hours, though full propagation can take up to 48 hours.
How to verify it's working
After adding your SPF record, verify that it's published correctly and that your emails are passing SPF checks:
Check your DNS record
Use Domain Guarddog to scan your domain and verify that the SPF record is detected and correctly formatted. You can also use command-line tools:
dig TXT yourdomain.com +short
or on Windows:
nslookup -type=TXT yourdomain.com
You should see your SPF record in the output, starting with v=spf1.
Send a test email
Send an email from your domain to a Gmail or Outlook account. Open the received email and view the full message headers (in Gmail: three-dot menu → "Show original").
Check the Authentication-Results header
Look for the Authentication-Results header in the email headers. You
should see spf=pass, which confirms your SPF record is working correctly.
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 203.0.113.10 as permitted sender)
Set up DMARC for ongoing monitoring
Once SPF is working, set up a DMARC record with reporting to receive ongoing aggregate reports about SPF pass/fail rates. This helps you detect unauthorized use of your domain and catch any legitimate senders you may have missed.
For a comprehensive overview of SPF, including all mechanisms, qualifiers, and common mistakes, see our complete guide to SPF.
Create your SPF record and let us guard it
Domain Guarddog monitors your SPF, DKIM, and DMARC configuration and alerts you to issues before they impact your email deliverability.
Get Started Free