SPF record

Per RFC 7208

Sender Policy Framework with lookup-counter warning (limit 10 per RFC 7208 § 4.6.4).

What is this, and when do I need it?

What is this?

SPF (Sender Policy Framework, RFC 7208) is a list of IP addresses and mail providers authorised to send mail on behalf of your domain. The receiving mail server looks up the sending IP when a message arrives: is it in your SPF record? If not, SPF fails - and that feeds into the DMARC verdict.

SPF alone does not block any mail (it only signals). Only together with DMARC does it gain enforcement power.

When do I need it?

As soon as you send mail - your own mail server, a newsletter provider, a CRM tool, a ticket system. Each of those sources must appear in SPF, otherwise their mail lands in spam folders or gets rejected under strict DMARC policies.

Important: every entry like include: or a: costs one DNS lookup. The limit is 10 (RFC 7208 §4.6.4). If you have many providers, it is sensible to prune old tools or use direct ip4: blocks instead of includes.

Every term describes a source allowed to send mail for the domain. The qualifier decides how the receiver reacts (pass/fail/softfail/neutral). The mechanism describes how the source is identified (IP block, A/MX record, another SPF domain via include, ...). Every source other than ip4/ip6 costs one DNS lookup (limit 10).

Lookup counter: 1 / 10 per RFC 7208 § 4.6.4

TXT record on the apex domain per RFC 7208
v=spf1 include:_spf.google.com ip4:192.0.2.0/24 -all

Free, no warranty (best effort). Generated and inspected values are non-binding; we accept no liability for erroneous or incomplete results or configurations. Use and verification are your own responsibility; please test before production use.

Publish the record as TXT on the apex domain itself (host=@, content=the value above). Subdomains do not inherit SPF - every sending subdomain needs its own record (a wildcard TXT does not inherit either).

When the lookup counter exceeds 10, mailbox providers respond with PermError and treat the record as absent. Fix: flatten (resolve include into ip4/ip6) or consolidate include sources.
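
The lookup limit and the effect of flattening, as an added example (not code from this page or its tool). It counts lookup terms over a constructed zone of hypothetical domains instead of live DNS. The count is worst case (every include, a, mx, ptr, exists and redirect term), and macros in include targets are assumed absent.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4
# Terms that trigger a DNS query; ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample data standing in for DNS TXT answers (hypothetical domains).
ZONE = {
    "shop.example": "v=spf1 mx a include:_spf.mail.example include:_spf.news.example "
                    "include:_spf.crm.example include:_spf.desk.example -all",
    "_spf.mail.example": "v=spf1 include:_n1.mail.example include:_n2.mail.example ~all",
    "_n1.mail.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_n2.mail.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "_spf.news.example": "v=spf1 a:out.news.example mx ~all",
    "_spf.crm.example": "v=spf1 exists:%{i}._chk.crm.example ~all",
    "_spf.desk.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    # Same policy with the mail and desk includes flattened into ip4/ip6 blocks.
    "flat.shop.example": "v=spf1 mx a ip4:198.51.100.0/25 ip6:2001:db8:1::/48 "
                         "include:_spf.news.example include:_spf.crm.example "
                         "ip4:203.0.113.0/24 -all",
}

def count_lookups(domain, zone, stack=()):
    """Worst-case count of DNS-querying terms, following include and redirect."""
    if domain in stack:
        raise ValueError(f"include loop via {domain}")
    parts = zone.get(domain, "").split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in parts[1:]:
        body = term.lstrip("+-~?")                      # drop the qualifier
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name not in LOOKUP_TERMS:
            continue
        total += 1                                      # the term itself
        if name in ("include", "redirect"):             # plus whatever it pulls in
            target = re.split(r"[:=]", body, maxsplit=1)[1]
            total += count_lookups(target, zone, stack + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return (lookups, result); result is 'permerror' above the limit."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")

if __name__ == "__main__":
    for d in ("shop.example", "flat.shop.example"):
        print(d, check(d))
```

A real evaluator stops at the first matching mechanism, so the number it reaches for a given message can be lower than this static count.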

How to add this record at your DNS provider

The record generated above has three parts: the record type (typically TXT, occasionally CAA), the host (a subdomain like _dmarc, _smtp._tls or empty for the root domain) and the value (the actual payload in quotes). Every DNS provider asks for these same three fields - only the menu wording differs.

INWX (Dernium default for new customers)
  1. Sign in at www.inwx.de.
  2. Tab Nameserver → pick the domain → Nameserver-Sets verwalten → DNS-Einträge.
  3. Button Neuen Eintrag anlegen.
  4. Pick a type (e.g. TXT), enter the host (empty for the root domain, otherwise e.g. _dmarc), paste the value, leave TTL at 3600.
  5. Save. Propagation typically within 5-15 minutes.
Strato
  1. Sign in to the Strato customer area.
  2. Menu Domains → pick the domain → Verwalten.
  3. Section DNS-Verwaltung → Nameserver/DNS-Einstellungen anpassen.
  4. Under Eigene DNS-Verwaltung pick the right record type (TXT records have their own block), enter host and value.
  5. Save. Strato typically propagates within 30-60 minutes.
Hetzner DNS Console
  1. Sign in at dns.hetzner.com.
  2. Click on the zone of your domain.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value.
  4. Save. Propagation typically under 5 minutes.
IONOS (1&1)
  1. Sign in to the IONOS customer center.
  2. Menu Domains & SSL → click the domain → DNS.
  3. Button Eintrag hinzufügen → pick a type, enter the host, paste the value into the content field.
  4. Save. Propagation typically 15-60 minutes.
Cloudflare
  1. Sign in to Cloudflare, pick the domain.
  2. Tab DNS → Records.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
  4. Save. Propagation typically under 2 minutes.

Note: If your DNS provider is not listed, you usually find the right place under headings like "DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps; the paths shown here are vendor-specific and can shift slightly with redesigns.

Inspect an existing SPF record

Reads the TXT record of the domain and validates SPF against RFC 7208 (lookups, mechanisms, all action).

Server path: this inspection does NOT run locally in the browser. We fetch the DNS record or HTTPS response via our server. We do not log the queried domain or the result. The rate limit is 12 requests per minute per IPv4 address or IPv6 /64 subnet.