How to set up SPF Record
Before creating the SPF record for your domain, find out the server address of the mail service you want to authorize (the service that will be permitted to send emails on your behalf).
In this tutorial, the record will be set up for Google Apps. We will use:
- Mailgun as our mail service (the service that sends the email and is permitted to send on behalf of your domain).
- A Google Workspace domain email address to "send as" (your domain as the sending address, in other words, what you see in the 'from' address in your mailings and email).
Note
This Google account's domain is hosted by Enom. Your domain settings and DNS may differ. Please contact your DNS support team for assistance.
How to create DNS records for Microsoft 365 when you manage your DNS records:
You can follow the general instructions from Microsoft for creating DNS records for Microsoft 365.
Open the domain settings for the Google domain
Log in to Google with your Google Administrators account, and open your Google Admin section.
Open Domains.
- The icon for opening Domains may be hidden by default and is then found under More controls.
Under Domains, open Add/remove domains.
Click Advanced DNS settings to see your details.
Click Sign in to DNS console to open the DNS console window. You may have to sign into this DNS console with a separate DNS account.
Add the SPF record
Go to Host Records in the DNS console. The existing SPF record for your Google account is there by default.
We want to add _spf.online.superoffice.com, which contains correct records for both Mailgun clusters (EU and US). Since there should only be one SPF record, we need to combine the existing one with the new one. The actual TXT record to add is "v=spf1 include:_spf.online.superoffice.com ~all".
Click Edit. Update the existing record (text field) with the new combined record.
Click Save to update the information.
Note
Once you’ve added the records, it can take 24-48 hours for the DNS changes to propagate.
Test a new SPF record
There are several tools available online to test your SPF record. Here we use MX Toolbox.
Open the SPF tool.
Add your domain (the one that you are going to send our mailings as) and click SPF Record Lookup.
The result should show that _spf.online.superoffice.com is included and passes the test for allow.
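The combine step under "Add the SPF record" and the check described in this section can also be done offline on the record text. The following is an added example, not SuperOffice or Google code; it assumes the existing record is "v=spf1 include:_spf.google.com ~all", and the function names are hypothetical.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4

def is_spf(record):
    return record.lower().split()[:1] == ["v=spf1"]

def merge_include(existing, include_host):
    """Add include:<include_host> to an existing SPF record, keeping its all term last."""
    if not is_spf(existing):
        raise ValueError(f"not an SPF record: {existing!r}")
    terms = existing.split()
    new_term = "include:" + include_host
    if new_term.lower() in (t.lower() for t in terms):
        return " ".join(terms)                      # already authorized
    for i, term in enumerate(terms):
        if term.lower().lstrip("+-~?") == "all":    # insert before ~all / -all
            return " ".join(terms[:i] + [new_term] + terms[i:])
    return " ".join(terms + [new_term, "~all"])     # no all term: use the ~all default

def lint_spf(txt_records, required_include):
    """Return a list of problems for a domain's TXT records (empty list = OK)."""
    spf = [r for r in txt_records if is_spf(r)]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = spf[0].lower().split()[1:]
    problems = []
    if "include:" + required_include.lower() not in terms:
        problems.append(f"missing include:{required_include}")
    if not terms or terms[-1] not in ("~all", "-all"):
        problems.append("record does not end in ~all or -all")
    # Counts this record's own terms only; nested includes add further lookups.
    lookups = sum(re.split(r"[:/=]", t.lstrip("+-~?"))[0] in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        problems.append(f"{lookups} top-level DNS-lookup terms (limit is 10)")
    return problems

# Constructed sample input (assumed existing record, not taken from a live domain).
EXISTING = "v=spf1 include:_spf.google.com ~all"
NEW_HOST = "_spf.online.superoffice.com"
COMBINED = merge_include(EXISTING, NEW_HOST)

if __name__ == "__main__":
    print(COMBINED)
    print(lint_spf(["google-site-verification=constructed", COMBINED], NEW_HOST))
    # Two separate v=spf1 records instead of one combined record is flagged:
    print(lint_spf([EXISTING, "v=spf1 include:" + NEW_HOST + " ~all"], NEW_HOST))
```

Paste the TXT values shown in your DNS console into lint_spf to catch a second v=spf1 record before saving.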
What’s the difference between ~all and -all?
Given that many receivers are not actively bouncing mail based on SPF pass/fail, there isn’t a strong argument for either -all or ~all in SPF records. For a while, Hotmail was advising that senders who published a -all record would have better delivery. This led to -all becoming a de facto standard for a lot of ESPs and bulk senders. More recently, there does not seem to be any benefit to publishing -all even at Hotmail (Outlook.com, live.com, and similar).
What should I publish?
We recommend "~all" (soft fail if no matches) vs "-all" (hard fail if no matches) as a conservative measure. A soft fail means that the message will be tagged with a header documenting the failure, but will still be accepted. If you prefer a hard failure, i.e. "-all", then feel free to use that instead. There’s not a huge benefit to publishing -all and sometimes mail gets forwarded around. The one time we recommend an -all record is when a domain is getting forged into spam. Domain forgery can cause a lot of bounces. The number of bounces can be bad enough to take down a mail server, particularly those with a small user base. Many ISPs will check SPF before sending back a bounce and so an -all record can decrease the amount of blowback the domain owner has to deal with.