SPF records, explained: the first line of defence against email spoofing.
Published 2026-06-06 · Last updated 2026-06-06 · Vantyris editorial
An SPF record is a TXT entry at your DNS provider listing which servers are allowed to send email from your domain. Without one, every receiving mail server treats every claim about your domain as potentially legitimate, including the ones from attackers. SPF is the cheapest piece of email security a business with a domain can have, and most domains we scan are missing it.
What this means for your business
- Receiving mail servers check SPF on every incoming message. Without your record, they can't verify which servers are legitimately allowed to send for you, and the door stays open for spoofing.
- SPF works alongside DKIM (cryptographic signature) and DMARC (policy layer that says what to do when SPF or DKIM fails). All three together make a domain hard to impersonate.
- SPF is published as a single TXT record at the apex of your domain. It lists IP ranges or other domains allowed to send. Your email provider (Google Workspace, Microsoft 365, Fastmail, etc.) gives you the exact text.
How to fix
Add a TXT record at the apex of your domain containing your email provider's published SPF value. Make sure it ends with `-all` or `~all`.
- Get the SPF value from your email provider. Google Workspace: `v=spf1 include:_spf.google.com ~all`. Microsoft 365: `v=spf1 include:spf.protection.outlook.com -all`. Fastmail: `v=spf1 include:spf.messagingengine.com ?all`. Each provider documents theirs in the admin console.
- Add the record at your DNS provider. Log in to your domain registrar (Hover, Namecheap, Cloudflare, etc.). Add a new TXT record. Host: `@` (or your domain name itself). Value: the SPF string from step 1. TTL: leave at default. Save.
- If you use additional senders, add them too. Sending newsletters from Mailchimp? Add their include mechanism. Using a transactional ESP (Resend, Postmark, SendGrid)? Add theirs. SPF allows multiple includes; concatenate them with spaces. Example: `v=spf1 include:_spf.google.com include:mailgun.org ~all`.
Owner: Your DNS administrator. · Time: 15 minutes for a typical small business with one provider.
Common gotchas
- You can only have ONE SPF record per domain. If you have two, only one is checked, and which one is undefined. Combine them.
- SPF has a hard limit of 10 DNS lookups. If you stack too many `include:` mechanisms, your SPF starts failing. Use a SPF flattener if you hit the limit.
- Ending with `+all` means 'anyone can send for me', which is the same as having no SPF at all. Use `~all` (soft fail) during testing, then `-all` (hard fail) once you're confident.
- SPF only checks the envelope sender address (the technical `MAIL FROM`), not the `From:` header your user sees. That's why DMARC matters: DMARC enforces alignment between the two.
How to verify the fix
Use Vantyris's free teaser scan. It surfaces your current SPF record and flags issues (multiple records, lookup overflow, missing `all` mechanism). Or check mxtoolbox.com/spf.aspx for a one-page report.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A1. Firewalls — boundary protection between the internet and your services.
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
Do I need SPF if I don't send email from this domain?
Yes. Even a domain that never sends mail benefits from a strict SPF (`v=spf1 -all`) because it tells receiving servers `no one is allowed to send from this domain`, blocking spoofing.
What's the difference between ~all and -all?
`~all` (soft fail) tells the receiver 'probably not authorised, treat with suspicion'. `-all` (hard fail) says 'definitely not authorised, reject'. Start with `~all` while testing, then move to `-all`.
Why does my SPF record have so many includes?
Each external service that sends in your name needs to be included. If you use Google Workspace + Mailchimp + Stripe receipt emails + a CRM, that's four includes already. Keep an eye on the 10-lookup limit.
References
- NCSC: SPF guidance NCSC
- RFC 7208 — Sender Policy Framework IETF RFC
- RFC 7208 §4.6.4 — DNS lookup limits IETF RFC
Related explainers
- What is DMARC, and why every business with a domain needs one.
- DMARC p=none does not stop phishing. Here's what to do instead.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0