Fresh domains have zero email reputation. Every email you send looks suspicious to Gmail, Outlook, and pretty much every mail server out there.
SPF fixes that.
What SPF actually does
SPF stands for Sender Policy Framework. It's a TXT record in your DNS that answers one question: "Which servers are allowed to send email for this domain?"
When someone receives an email from your domain, their mail server checks your SPF record. If the sending server matches what you've listed, the email passes. If not, it gets flagged or rejected.
No SPF record at all? That's basically telling mail servers "I have no idea who's sending email for my domain." Not a great look.
The anatomy of an SPF record
Here's a typical SPF record:
v=spf1 include:_spf.google.com include:amazonses.com ~all
Breaking it down:
v=spf1 declares this is an SPF record (version 1, the only version that matters).
include:_spf.google.com means "Google Workspace can send mail for me."
include:amazonses.com means "Amazon SES can also send mail for me."
~all is the policy for everything else. The tilde means "soft fail" which marks unauthorized senders as suspicious but doesn't outright reject them. You can use -all (hard fail) for stricter enforcement.
Common include values
Depending on what services send email for your domain:
Google Workspace: include:_spf.google.com
Microsoft 365: include:spf.protection.outlook.com
SendGrid: include:sendgrid.net
Mailchimp: include:servers.mcsv.net
Amazon SES: include:amazonses.com
Stack them as needed. Just don't exceed 10 DNS lookups total (SPF has a lookup limit).
Adding it to your domain
- Open your domain registrar's DNS settings
- Create a new TXT record
- Set the host to @ (or leave blank, depending on your registrar)
- Paste your SPF string as the value
- Save and wait for propagation (usually under an hour)
One record per domain. If you already have an SPF record, edit it instead of creating a second one.
Verifying it works
Quick terminal check:
dig TXT yourdomain.com +short | grep spf
Or use MXToolbox's SPF lookup if you prefer a GUI.
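The dig check only confirms that a record exists. The Python below is an added example, not part of the original post: it lints the TXT strings published at a domain for the mistakes described above (a second SPF record, too many lookup terms, a missing or permissive all). The function name lint_spf and the sample strings are assumptions made for illustration; feed it the strings from the dig command with the surrounding quotes removed.

```python
import re

# Terms that cost the receiver a DNS query (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = "+-~?"
MAX_LOOKUPS = 10


def lint_spf(txt_records):
    """Lint the TXT strings published at one name; returns a report dict."""
    report = {"lookups": 0, "all": None, "findings": []}
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        report["findings"].append("no SPF record published")
        return report
    if len(spf) > 1:
        report["findings"].append("more than one v=spf1 record; merge them into one")
        return report

    has_redirect = False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name = re.split(r"[:=/]", body.lower(), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            report["lookups"] += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            report["all"] = qualifier

    # Top-level count only: lookups inside each include also count at the
    # receiver, so the real total can be higher than this number.
    if report["lookups"] > MAX_LOOKUPS:
        report["findings"].append("more than 10 DNS lookups")
    if report["all"] == "+":
        report["findings"].append("+all authorizes every server")
    elif report["all"] is None and not has_redirect:
        report["findings"].append("no 'all' term; unlisted senders are not failed")
    return report


if __name__ == "__main__":
    # Constructed input: the record from this post plus an unrelated TXT string.
    sample = ["site-verification=constructed-value",
              "v=spf1 include:_spf.google.com include:amazonses.com ~all"]
    print(lint_spf(sample))
```

A clean report has an empty findings list; the lookups figure is a lower bound because the includes themselves are not resolved.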
Why this matters for small sites
You might think SPF is only for companies sending thousands of emails. It's not.
If your site has a contact form that emails you when someone submits it, SPF affects whether those notifications reach your inbox. Same for password resets, order confirmations, or any transactional email.
I ignored this for weeks on a side project. Contact form submissions were going straight to spam. Five minutes of DNS configuration fixed it permanently.
SPF alone isn't enough
SPF verifies the sending server, but it doesn't verify the "From" address users actually see. That's where DMARC comes in. But SPF is the foundation. Get this right first.
Already set up SPF? You might want to look into DMARC next. That's a whole other rabbit hole.
Using a transactional email service? Check their docs for the exact SPF include value. Most have it on their setup page.