Creating an SPF TXT record
A common ploy among email spammers is to forge the sender's address (spoof) in an email. They will generate an email from their own servers while using your domain as the sending email. The Sender Policy Framework (SPF) attempts to mitigate this attempt at forgery by giving the actual domain owners a way to specify which email sources are legitimate for their domains and which ones aren’t.
You can add an SPF record to your Domain Name System (DNS) zone as a text (TXT) record. This SPF record will be associated with your specific domain and tells which mail server or servers the domain is authorized to use to send email.
Considerations for setting the SPF
To correctly set the SPF for your domain, you will want to answer the following questions:
- From what server or servers will email from the domain originate?
- How do you want illegitimate email to be handled?
Create an SPF rule
This example assumes that you have the following considerations for your email on a specific domain:
- The authorized servers are your cloud server (that is, the incoming mail exchange (MX) details also send mail).
- No other servers are authorized.
In this scenario, you would simply create the following rule and add it as a TXT record:
v=spf1 mx include:\_spf.example.com -all
The following items show how each section of the record is defined:
v=spf1: Sets the SPF version that is used.
mx: Allows the domain’s MX details to send an email.
include:_spf.example.com: Includes example mail servers as authorized servers.
-all: Indicates that servers that are not listed previously are not authorized to send email. If an unauthorized server does send email, action is taken according to the receiving mail server’s own policy. For example, the email may be deleted, rejected, or marked as spam.
About the "all" setting
all setting is an important detail of the record and has the following basic iterations:
-all: Any server that is not previously listed is not authorized to send email.
~all: If mail is received from a server that is not previously listed, it is marked as a soft fail, which allows the email to be scrutinized further.
+all: Allows any server to send email from your domain.
If you purchased your domain from a Google partner (GoDaddy.com, eNom.com, and DomainDiscount24.com) when you signed up for G Suite, it's possible you may not need to do this. For details, see Settings managed by your domain host.
How to add an SPF TXT record to your domain host
Your domain host keeps text settings (called DNS records) that direct web traffic to your domain. An SPF TXT record lists the mail servers that can send email from your domain. If a message is sent from a server that's not in the record, the recipient's server might consider it spam, delete, or reject the email as mentioned above.
Note: A domain can only have one SPF record, but your record can list multiple servers. For details, see Add multiple servers to an SPF record.
- Sign in to your domain account at your domain host
- Go to the page for updating your domain's DNS records.
This page might be called something like: DNS management, name server management, or advanced settings.
- Find your TXT records and check if your domain has an existing SPF record.
The SPF record starts with "v=spf1".
- If your domain already has an SPF record, remove it. If not, skip to step 5.
- Create a TXT record with these values:Name/Host/Alias—Enter @ or leave blank.
Other DNS records for your domain might indicate the correct entry.Time to Live (TTL)—Enter 3600 or leave the default.Value/Answer/Destination
- An example could look like this if you were doing this for a google.com: v=spf1 include:_spf.google.com ~all
- Save the record.
All domain providers should have instructions with details on how to create an SPF record specifically for their platform.
Along with SPF, we recommend setting up the following:
- DomainKeys Identified Mail (DKIM) - DKIM verifies that message content is authentic and not changed.
- Domain-based Message Authentication, Reporting & Conformance (DMARC) - DMARC specifies how your domain handles suspicious incoming email