SPF records explained: a setup guide for cold email

SPF (Sender Policy Framework) is one TXT record that lists the servers allowed to send mail for your domain. It is the first thing a receiver checks, and the easiest to get subtly wrong.

What the record looks like

A single TXT record on your root domain, beginning with v=spf1, listing each sender via include:, and ending with an all mechanism:

v=spf1 include:_spf.google.com ~all

~all vs -all

• ~all (softfail) — mail from unlisted servers is accepted but marked. Start here.
• -all (hardfail) — unlisted servers are rejected. Move here only once every legitimate sender is listed.

The 10-lookup limit

SPF allows at most ten DNS lookups, and every include: can chain more. Exceed ten and SPF returns permerror and fails outright. Keep your includes lean and flatten where you can.

Common mistakes

• Two SPF records. Only one v=spf1 TXT record is allowed; a second one invalidates both. Merge them into one.
• Forgetting a sender. Every service that sends as your domain needs an include.
• Jumping to -all too early. You will reject your own mail.

Verify it

Open SignalMail's Deliverability page to check SPF against live DNS, then pair it with DKIM and DMARC. All three together are what earns the inbox — see the ten-minute overview.