BounceProtect

Clean your email lists before you send

Back to Learn
Domain Signals

How to create an SPF record for your domain

A step-by-step guide to building and publishing a valid SPF record. Covers how to include multiple email providers, common mistakes to avoid, and how to verify it is working.

What you need before you start

Before generating your SPF record, you need to know all the services that send email from your domain. This typically includes your primary email provider (Google Workspace, Microsoft 365 etc.), your marketing platform (Mailchimp, HubSpot, Klaviyo), your transactional email provider (SendGrid, Mailgun, Amazon SES), and any helpdesk or CRM tools that send email on your behalf.

Missing a service from your SPF record does not immediately cause those emails to fail — SPF uses a soft fail by default — but it is best practice to include every legitimate sender.

Step 1 — List your sending services

Write down every platform that sends email using your domain. For each one, find the SPF include directive in their documentation. Common examples:

  • Google Workspace: include:_spf.google.com
  • Microsoft 365: include:spf.protection.outlook.com
  • Mailchimp: include:servers.mcsv.net
  • SendGrid: include:sendgrid.net
  • Mailgun: include:mailgun.org
  • HubSpot: include:hubspot.com
  • Amazon SES: include:amazonses.com

Step 2 — Build the record

Use the BounceProtect SPF Generator at bounceprotect.com/tools/spf-generator to select your providers and generate the record automatically. Or build it manually following this structure:

v=spf1 [includes] [ip4/ip6 addresses] [policy]

For example: v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.1 ~all

Step 3 — Check the lookup count

SPF allows a maximum of 10 DNS lookups per validation. Each include directive counts as one lookup. If you exceed 10, SPF validation fails permanently — called an SPF permerror. If you have many providers, use an SPF flattening service to reduce the lookup count.

Step 4 — Publish the record

Log in to your domain registrar or DNS provider (Cloudflare, GoDaddy, Namecheap, Route 53). Add a new TXT record:

  • Name: @ (or your root domain)
  • Value: paste the generated SPF record
  • TTL: 3600 (1 hour) is a reasonable default

You can only have one SPF record per domain. If one already exists, edit it rather than adding a second one.

Step 5 — Verify it is working

After publishing, wait 30 to 60 minutes for DNS propagation. Then use the BounceProtect SPF Checker at bounceprotect.com/tools/spf-checker to confirm the record is live and valid.

Choosing ~all vs -all

Start with ~all (soft fail). This marks unauthorised senders as suspicious without rejecting them, giving you time to make sure you have included all legitimate senders. Once you are confident, you can move to -all (hard fail) for stronger protection.

Ready to validate your email list?

Start free and check your first emails with full validation signals and SMTP verification.

More in Domain Signals

What does MX Found mean?What do SPF and DMARC mean?What is a Catch-All Domain?