Configure SPF records to work with Google Workspace

The Sender Policy Framework (SPF) is a key DNS record used to help prevent email spoofing and ensure that your domain’s emails are sent from authorised servers. Properly configuring your SPF record can improve email deliverability and reduce the chances of your messages being marked as spam. This guide will walk you through the steps to create and update an SPF record for your domain.

Steps to Create an SPF Record for a Domain

Step 1: Log in to Your Domain Registrar’s Admin Console

  1. Log in to the administrative console of your domain provider (e.g., GoDaddy, Namecheap, or another registrar where your domain is registered).
  2. Navigate to the section where you can manage DNS records. This might be labelled as DNS Management, Zone File Settings, or Advanced DNS Settings.

Step 2: Locate the DNS Records Section

  1. Look for the area where you can edit or add DNS records for your domain.
  2. Depending on your provider, you might need to enable advanced settings to access these options.

Step 3: Create a New TXT Record for SPF

  1. In the DNS records section, add a new TXT record.
  2. For the Host or Name field, enter @ or leave it blank (check your provider’s specific requirements if unsure).

  3. In the Value or Text field, enter the following SPF record:

     v=spf1 include:_spf.google.com ~all

Step 4: Choose the Correct SPF Qualifier

  • The above SPF record uses ~all, which is a soft fail qualifier. This means that any email sent from unauthorised IP addresses will be marked as suspicious but not outright rejected.

  • If you want to strictly enforce your SPF policy, replace ~all with -all. However, using -all may result in delivery issues if not all legitimate IPs are included in the record.

      v=spf1 include:_spf.google.com -all

Important: Using -all tells email servers to reject any email not coming from the specified sources, so use this only when you're sure all legitimate servers are listed.

Step 5: Authorize Additional Mail Servers (Optional)

If you use multiple mail servers to send emails, you can add additional IP addresses to your SPF record using the ip4 or ip6 mechanisms. Insert these before the ~all or -all at the end:

  • IPv4 Address:

      v=spf1 ip4:192.168.0.1 include:_spf.google.com ~all

  • IPv6 Address:

      v=spf1 ip6:2001:0db8:85a3:0000:0000:8a2e:0370:7334 include:_spf.google.com ~all

This configuration tells email servers to authorise both the IP address and Google’s mail servers as legitimate senders.

Step 6: Save the SPF Record

Once you’ve entered the desired SPF record, save your changes. The process might vary slightly depending on your domain provider, so ensure the changes are applied successfully.

Step 7: Wait for DNS Propagation

After saving, it can take up to 48 hours for DNS changes to propagate globally. During this period, some email servers may still process the old SPF record.

Best Practices for SPF Record Management

  • Avoid Multiple SPF Records: Having more than one SPF record for a single domain can cause issues with email delivery and result in messages being marked as spam. Always combine multiple entries into a single SPF record.

  • Use the Correct Qualifier: Decide between ~all (soft fail) and -all (hard fail) based on how strictly you want to enforce SPF checks.

  • Regularly Update SPF Records: Whenever you add a new service or IP address that sends emails for your domain, update your SPF record accordingly.

  • Monitor SPF Failures: Use tools like DMARC to monitor SPF failures and ensure that legitimate emails are not getting blocked.

  • Check SPF Syntax: Use an SPF validator (e.g., MXToolbox) to ensure there are no syntax errors.

Further Notes

  • DNS Propagation: Changes to DNS records, including SPF, can take time to propagate. Wait at least 24–48 hours before testing email delivery.

  • Complex SPF Records: If your SPF record is approaching the 10 DNS lookup limit, consider subdomain delegation or using services like SPF flattening to reduce the number of lookups.

  • Contact Your Provider: If you encounter issues creating or updating an SPF record, reach out to your domain registrar’s support team for assistance. They can guide you through specific steps tailored to their platform.

By correctly configuring your SPF records, you can prevent email spoofing, improve deliverability, and maintain a secure email environment for your domain. If you have multiple email services, remember to review and refine your SPF records regularly.

Need more help? Let us know if you’d like to explore advanced SPF configurations or DMARC setup for complete email security!

raramuridesign consulting - web strategy, development, design