How to create an SPF record without breaking existing senders

Creating SPF is not a matter of pasting the record from the newest tool you connected. Your domain gets one SPF record, so it must combine every service authorized to use that envelope domain. The safest workflow starts with an inventory, builds one policy, checks its recursive DNS cost, and tests every sender before tightening the final qualifier.

Updated July 14, 2026

Step 1 — find the SPF record you already have

Run the SPF checker on the exact domain used in your return-path. If a record exists, edit it; do not add another v=spf1 TXT value. If two records already exist, follow the multiple SPF records fix before making other changes.

Remember that subdomains are separate DNS names. example.com and news.example.com may each have one record for their own mail streams.

Step 2 — inventory authorized senders

  • Employee mailbox provider, such as Google Workspace or Microsoft 365.
  • Marketing and sales platforms.
  • Transactional email and application infrastructure.
  • Helpdesk, invoicing, ecommerce, scheduling, and form tools.
  • On-premises gateways, scanners, or fixed servers that send directly.

For each service, use its current official setup guide to find the required include: domain or IP ranges. Do not guess from the service's website hostname, and do not copy a record from another customer.

Step 3 — assemble one record

v=spf1 include:_spf.google.com include:send.example-esp.com ip4:203.0.113.10 ~all
One version marker, all authorized mechanisms, and one final all-term.
  • Start with v=spf1 exactly once.
  • Add provider includes and any literal ip4: or ip6: ranges you control.
  • Remove duplicate mechanisms and services no longer used.
  • Finish with one ~all during discovery or the deliberate qualifier your policy requires.
  • Keep the full TXT value within what your DNS host can publish; its UI may handle long-string segmentation automatically.

The SPF generator creates a syntactically valid starting value for common providers. You still own the sender inventory: a generator cannot know every application using your domain.

Step 4 — check the 10-lookup limit

SPF evaluation may trigger at most 10 DNS lookups through include, a, mx, ptr, exists, and redirect, including nested lookups. Literal ip4, ip6, and all mechanisms do not consume that budget. Count the fully expanded tree, not just the mechanisms visible in your record.

If the checker reports a PermError, remove obsolete includes, separate distinct mail streams onto subdomains, or use carefully monitored flattening. The full decision tree is in SPF too many DNS lookups.

Step 5 — publish and verify

  1. Publish the value as a TXT record on the envelope domain, usually the root unless your provider configured a return-path subdomain.
  2. Wait for the previous TTL and confirm public resolvers return exactly one SPF record.
  3. Rerun the SPF checker and confirm a valid result with no unexpected include expansion.
  4. Send a real message from every platform and confirm spf=pass in Authentication-Results.
  5. Confirm DMARC alignment as well; an SPF pass for a provider-owned domain does not protect your visible From domain.

Sources and further reading

Common questions

What type of DNS record is SPF?+

Publish SPF as a TXT record. A typical root-domain host field is `@`, though DNS dashboards label the root differently.

Should I use ~all or -all?+

Use `~all` while discovering senders. Once the inventory is complete, choose deliberately, but remember that an enforced DMARC policy is more important for visible-domain spoofing protection.

Can I add a second SPF record for a new service?+

No. Merge the new service's mechanism into the existing record. Two records at the same name cause a PermError.

How long does a new SPF record take to work?+

It becomes visible according to DNS caching and the previous TTL. Some resolvers update quickly, while others may retain the old value until its TTL expires.