What SPF records do I use?

Email can be sent from various accounts. For example:

  • Websites sending email can send email from the webserver (using an email script) or from the mail server (via SMTP).
  • If mail is sent from the webserver using SMTP, the SPF record you use is the same one you use for your mail server.
  • If mail is sent from the webserver using an email script, you’ll need to include the web server IP address in the SPF record so the web server’s sending IP is applied as well.

The basic information needed for your domain's SPF record to permit the mail servers should be provided to you by your mail host.

How to add an SPF record

SPF records are text records. View the custom DNS article for instructions on how to add a text record to your domain.

DreamHost SPF records

The current dreamhost.com SPF information is incomplete and does not include all of DreamHost's mail servers.

However, you can use the following include mechanism in your domain's SPF record to cover all available DreamHost IP addresses:

v=spf1 include:netblocks.dreamhost.com

Google SPF records

For Google hosted mail users, the following link provides details on what to put in your domain's SPF record to permit Google’s mail servers:

For other hosts, you must contact them for details on their SPF information.

Advanced SPF

An advanced SPF record includes more than just the default mail servers: it also has information on all other servers that send mail for the domain. The following is an example of an advanced SPF record:

v=spf1 ip4:321.321.321.321 include:_spf.google.com include:shaw.ca mx ~all

| Tag | Description |
|---|---|
| v=spf1 | Identifies this DNS record as an SPF version 1 record. |
| ip4:321.321.321.321 | IP address of a specific server, such as your web server for scripts that send mail directly from that server. You can get your web server IP from the ‘Manage Domains’ page. View the DNS article for details. |
| include:_spf.google.com | Includes all of the SPF records from Google, which in this example, is where the domain's mail service is hosted. |
| include:shaw.ca | Includes all the SPF records for Shaw Cable in Canada, an ISP. In this example, mail from the domain is sometimes sent through the ISP's SMTP server. |
| mx | Includes all of the MX servers the domain uses, listed in the domain's MX DNS records. |
| -all | Says all other servers are not authorized, and only mail sent from the listed servers will 'pass'. |

-all (dash) or ~all (tilde) or ?all

The symbol before "all" indicates how strictly the SPF record is enforced.

  • ?, question mark, makes the whole record inactive, as though the domain had no SPF record at all.
  • -, dash, makes the record strict, and any mail from servers not listed will be marked "fail" and may be marked as spam or rejected entirely.
  • ~, tilde, is between the other two options in strictness. Any mail from servers not listed will be marked "softfail". Although intended for testing, it is the recommended setting for avoiding delivery issues, as noted in this article.
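
To make the tags and the symbol before "all" concrete, the following added example (not DreamHost's code) parses a record such as the advanced one above and flags common mistakes before it is published. The function names and the choice of checks are this example's own; the 10-lookup limit comes from the SPF specification (RFC 7208), and 321.321.321.321 is the page's placeholder address.

```python
import ipaddress

# Qualifier prefix -> result when the term matches (RFC 7208); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that trigger a DNS lookup; an SPF evaluation may perform at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record):
    """Split an SPF TXT value into (result, name, value) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for part in parts[1:]:
        qualifier = "+"
        if part[0] in QUALIFIERS:
            qualifier, part = part[0], part[1:]
        # Mechanisms are "name:value"; modifiers such as redirect are "name=value".
        sep = "=" if "=" in part.split(":")[0] else ":"
        name, _, value = part.partition(sep)
        terms.append((QUALIFIERS[qualifier], name.lower(), value))
    return terms

def lint_spf(record):
    """Return findings for one record; an empty list means nothing was flagged."""
    terms = parse_spf(record)
    names = [name.split("/")[0] for _, name, _ in terms]
    findings = []
    for _, name, value in terms:
        if name in ("ip4", "ip6"):
            net = ipaddress.IPv4Network if name == "ip4" else ipaddress.IPv6Network
            try:
                net(value, strict=False)
            except ValueError:
                findings.append(f"{name}:{value} is not a valid address")
    # Counts this record's own terms only; included records add their own lookups.
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    if "all" in names:
        if names.index("all") != len(names) - 1:
            findings.append("terms after 'all' are never evaluated")
        elif terms[-1][0] == "pass":
            findings.append("'+all' authorizes every server")
    elif "redirect" not in names:
        findings.append("no 'all' term: unlisted servers get 'neutral'")
    return findings

PAGE_RECORD = "v=spf1 ip4:321.321.321.321 include:_spf.google.com include:shaw.ca mx ~all"
print(lint_spf(PAGE_RECORD))  # flags the placeholder ip4 address
```

Replace the placeholder with your web server's real IP address and the list of findings comes back empty.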

The following table shows SPF information for various mail providers that are in popular use:

| Provider | SPF Information |
|---|---|
| Campaign Monitor | include:cmail1.com |
| Constant Contact | include:spf.constantcontact.com |
| Freshbooks | include:_spf.freshbooks.com |
| Google | include:_spf.google.com |
| Hostgator | include:websitewelcome.com |
| MailChimp | include:servers.mcsv.net |
| Microsoft/Hotmail | N/A (uses SenderID) |
| Shaw Communications Ltd. | include:shaw.ca |
| Telus | include:telus.net |

Testing your SPF record

There are a few ways to test your SPF record before and after creating it:

A note about the envelope sender

When SPF checks are handled by the recipient host, the validation is done on the envelope sender, and not on the actual header details. Information regarding the difference between the 'envelope' sender and the actual 'from' header details is outlined here:

Troubleshooting

You may see the following error after setting up your SPF record.

550 SPF:69.163.253.135 is not allowed to send mail from $domain.tld (in reply to RCPT TO command)

This usually means that your SPF record is not configured properly. You must specify a permitted sender as shown in the section above titled 'DreamHost SPF records'. Make sure to add the netblocks address as shown:

v=spf1 include:netblocks.dreamhost.com
