Sender Policy Framework (SPF) is an email authentication method that specifies the mail servers authorized to send email for your domain. SPF helps protect your domain from spoofing, and helps ensure that your messages are delivered correctly. Mail servers that get mail from your domain use SPF to verify that messages that appear to come from your domain actually are from your domain.
- SPF help prevents spoofing—Spammers can forge your domain or organization to send fake messages that appear to come from your organization. This is called spoofing. Spoofed messages can be used for malicious purposes, for example to communicate false information, to send out harmful software, or to trick people into giving out sensitive information. SPF helps receiving servers verify that mail sent from your domain is actually from your organization, and is sent by a mail server authorized by you.
- SPF helps deliver messages to recipients’ inboxes—SPF helps prevent messages from your domain from being delivered to spam. If your domain doesn’t use SPF, receiving mail servers can’t verify that messages appearing to be from your domain actually are from you. Receiving servers might send valid messages to recipients’ spam folders, or might reject valid messages.
Note: If you bought your domain from a Google partner when you signed up for Google Workspace, you might not need to set up SPF records. Check if SPF is one of the Settings managed by your domain host.
Best practices for email authentication
We recommend you always set up these email authentication methods for your domain:
- SPF helps servers verify that messages appearing to come from a particular domain are sent from servers authorized by the domain owner.
- DKIM adds a digital signature to every message. This lets receiving servers verify that messages aren’t forged, and weren’t changed during transit.
- DMARC enforces SPF and DKIM authentication, and lets admins get reports about message authentication and delivery.
For detailed steps, go to Help prevent spoofing, phishing, and spam.
Step 1: Create your TXT record for SPF
A TXT record for SPF defines the mail servers that are allowed to send mail for your domain.
A single domain can have only one TXT record for SPF. However, the TXT record for a domain can specify multiple servers and domains that are allowed to send mail for the domain.
TXT record contents
If all email from your organization is sent from Google Workspace, use this line of text for your TXT record:
v=spf1 include:_spf.google.com ~all
Important: If you send mail in one or more of these ways in addition to Google Workspace, you must create a custom TXT record for SPF:
- You send mail from other servers.
- You use a third-party mail provider.
- Your website uses a service that generates automatic emails, for example you have a “Contact us” form.
v=spf1 ip4:192.168.0.1/16 include:_spf.google.com include:sparkpostmail.com ~all
Create your TXT record using the information in Server information for your TXT record and TXT record format.
Step 2. Enable SPF for your domain
Enable SPF at your domain provider by adding a DNS TXT record for SPF.
- The field names in Step 4 below might be different for your provider. DNS TXT record field names can vary slightly from provider to provider.
- If your organization or domain sends all email from Google Workspace, use the TXT record value shown in Step 4 below. If you created a different TXT record, enter that value instead.
To enable SPF, update the DNS TXT record for SPF at your domain provider.
- Get the text file or line of text that defines your TXT record.
- Sign in to the management console for your domain host. If you’re not sure who your domain host is, follow the steps in Find your domain provider.
- Locate the page where you update TXT records for your domain.
- Add a new TXT record for your Google Workspace mail servers: