Skip to main content
Vantyris

Email

SPF records, explained: the first line of defence against email spoofing.

Published 2026-06-06 · Last updated 2026-06-06 · Vantyris editorial

An SPF record is a TXT entry at your DNS provider listing which servers are allowed to send email from your domain. Without one, every receiving mail server treats every claim about your domain as potentially legitimate, including the ones from attackers. SPF is the cheapest piece of email security a business with a domain can have, and most domains we scan are missing it.

What this means for your business

How to fix

Add a TXT record at the apex of your domain containing your email provider's published SPF value. Make sure it ends with `-all` or `~all`.

  1. Get the SPF value from your email provider. Google Workspace: `v=spf1 include:_spf.google.com ~all`. Microsoft 365: `v=spf1 include:spf.protection.outlook.com -all`. Fastmail: `v=spf1 include:spf.messagingengine.com ?all`. Each provider documents theirs in the admin console.
  2. Add the record at your DNS provider. Log in to your domain registrar (Hover, Namecheap, Cloudflare, etc.). Add a new TXT record. Host: `@` (or your domain name itself). Value: the SPF string from step 1. TTL: leave at default. Save.
  3. If you use additional senders, add them too. Sending newsletters from Mailchimp? Add their include mechanism. Using a transactional ESP (Resend, Postmark, SendGrid)? Add theirs. SPF allows multiple includes; concatenate them with spaces. Example: `v=spf1 include:_spf.google.com include:mailgun.org ~all`.

Owner: Your DNS administrator. · Time: 15 minutes for a typical small business with one provider.

Common gotchas

How to verify the fix

Use Vantyris's free teaser scan. It surfaces your current SPF record and flags issues (multiple records, lookup overflow, missing `all` mechanism). Or check mxtoolbox.com/spf.aspx for a one-page report.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

Do I need SPF if I don't send email from this domain?

Yes. Even a domain that never sends mail benefits from a strict SPF (`v=spf1 -all`) because it tells receiving servers `no one is allowed to send from this domain`, blocking spoofing.

What's the difference between ~all and -all?

`~all` (soft fail) tells the receiver 'probably not authorised, treat with suspicion'. `-all` (hard fail) says 'definitely not authorised, reject'. Start with `~all` while testing, then move to `-all`.

Why does my SPF record have so many includes?

Each external service that sends in your name needs to be included. If you use Google Workspace + Mailchimp + Stripe receipt emails + a CRM, that's four includes already. Keep an eye on the 10-lookup limit.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0