How do I set up an SPF record when using multiple email sending services?

Summary

Configuring SPF records for multiple email sending services requires identifying all services sending emails on behalf of your domain and creating an SPF record that includes all authorized sending sources. The SPF record applies to the 'envelope from' address, found in the 'Return-Path:' of email headers. Use the 'include:' mechanism to incorporate SPF policies of each service, paying attention to service-specific instructions (e.g., Google Workspace, Amazon SES, Office 365). It's crucial to avoid exceeding the 10 DNS lookup limit; consider flattening the record if necessary. Regularly test the SPF record using online tools and monitor authentication reports. Best practices also include avoiding multiple SPF records, keeping the record updated, and understanding the implications of '-all' versus '~all'.

Key findings

  • Identify Sources: Identify and document all email sending services used by your domain.
  • Envelope From Address: SPF records apply to the 'envelope from' address, which can be found in the 'Return-Path:' of the email header.
  • Include Mechanism: Use the 'include:' mechanism to incorporate the SPF policies of third-party senders.
  • 10 DNS Lookup Limit: Avoid exceeding the 10 DNS lookup limit; consider flattening the record if necessary.

Key considerations

  • Service-Specific Instructions: Each service may have specific SPF record requirements (e.g., custom bounce domains).
  • Testing SPF Records: Test SPF records using online tools after any changes.
  • Authentication Reports: Monitor authentication reports to validate the SPF setup.
  • Regular Updates: Keep SPF records up-to-date to reflect changes in sending infrastructure.
  • Single SPF Record: Ensure there is only one SPF record per domain.
  • -all vs ~all: Understand the implications of using '-all' (hard fail) versus '~all' (soft fail).

What email marketers say
10 Marketer opinions

When configuring SPF records for multiple email sending services, it's crucial to include all authorized sending sources in your SPF record using the 'include:' mechanism for each service. You should also identify all email sending services (ESPs) and their respective SPF includes. To avoid deliverability issues, do not exceed the 10 DNS lookup limit. It's recommended to test your SPF record using online tools to ensure validity and proper configuration. Regularly update and monitor your SPF record to reflect changes in your sending infrastructure and avoid common mistakes such as using multiple SPF records.

Key opinions

  • Include All Sources: SPF records must include all authorized sending sources using the 'include:' mechanism.
  • DNS Lookup Limit: Avoid exceeding the 10 DNS lookup limit to prevent SPF failures.
  • Test SPF Record: Always test your SPF record with online tools to ensure it's valid and properly configured.
  • Regular Updates: Regularly review and update the SPF record to reflect changes in your sending infrastructure.

Key considerations

  • Identify ESPs: Identify all email sending services (ESPs) you use and their respective SPF includes.
  • Limit Lookups: If approaching the 10 lookup limit, consider flattening your SPF record by resolving includes to IP addresses (and keeping these updated).
  • Avoid Multiple Records: Ensure you do not have multiple SPF records for a single domain.
  • Monitor Authentication: Monitor authentication reports to validate the setup and identify any potential issues.
Marketer view

Email marketer from Email Geeks shares that the SPF record lists what sources are permitted to set the domain in the 5321.From (a.k.a. return-path, envelope From, MAIL FROM, bounce) address. Include your domain only if the IP address that the domain resolves to sends email that sets the 5321.From.

May 2022 - Email Geeks
Marketer view

Email marketer from StackOverflow shares that your SPF record should include all authorized sending sources. This is achieved using the `include:` mechanism for each service. For example: `v=spf1 include:sendgrid.net include:_spf.google.com ~all`. Test your SPF record using online tools to ensure it's valid.

November 2023 - StackOverflow
Marketer view

Email marketer from MXToolbox Forum shares that if you are getting close to the 10 lookup limit, you can flatten your SPF record using tools that resolve the includes to IP addresses. However, remember to keep these IP addresses updated regularly.

September 2021 - MXToolbox Forum
Marketer view

Email marketer from Sendgrid shares some common SPF record mistakes to avoid. Firstly, do not use multiple SPF records. Also, ensure that you do not exceed the DNS lookup limit. And keep the SPF record up to date. A well-maintained SPF record is crucial for ensuring email deliverability when using multiple email sending services.

January 2025 - Sendgrid
Marketer view

Email marketer from Quora shares that it is important to regularly check your SPF record using online tools to ensure it's valid and correctly configured. This helps prevent deliverability issues and keeps your email secure.

December 2024 - Quora
Marketer view

Email marketer from SuperUser explains that avoiding long SPF records is crucial. If you have many includes, consider if some services can be consolidated or if you can use IP addresses directly (though this is less maintainable).

October 2024 - SuperUser
Marketer view

Email marketer from GlockApps explains that after setting up or modifying your SPF record, it's important to test it using tools like GlockApps' SPF record tester. This helps ensure that your record is valid and that email from all your sending services is properly authenticated.

November 2023 - GlockApps
Marketer view

Email marketer from Mailgun explains that SPF records should be carefully constructed to avoid exceeding the 10 DNS lookup limit. When using multiple services, use the `include:` mechanism wisely, and consider using a dedicated sending domain for each service to simplify SPF management. They also recommend testing your SPF record using SPF record checker tools.

November 2023 - Mailgun
Marketer view

Email marketer from EasyDMARC explains that you need to identify all the email sending services (ESPs) you use and include their respective SPF includes in your SPF record. For example, if you use both SendGrid and Mailchimp, your SPF record should include both their SPF records: `v=spf1 include:sendgrid.net include:servers.mcsv.net ~all`. Ensure the record does not exceed the 10 DNS lookup limit.

November 2024 - EasyDMARC
Marketer view

Email marketer from Reddit explains that you should include all services using the 'include:' tag, for example `v=spf1 include:service1.com include:service2.net ~all`. If you have your own mail server, include its IP using 'ip4:' or 'ip6:'.

March 2023 - Reddit
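
The lookup limit and the single-record rule that the opinions above keep returning to can be checked mechanically. This is an added example, not code from any of the quoted sources: it walks a constructed zone in which every domain, address and TXT value is hypothetical, counts the terms that cost a DNS lookup, and shows what each top-level include contributes.

```python
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # cost a lookup, RFC 7208 4.6.4
LOOKUP_LIMIT = 10

# Constructed TXT data; every domain and address below is hypothetical.
ZONE = {
    "example.com": ["v=spf1 mx include:spf.esp-a.example include:spf.esp-b.example "
                    "include:spf.crm.example include:spf.desk.example ~all",
                    "site-verification=constructed-non-spf-txt"],
    "spf.esp-a.example": ["v=spf1 include:u1.esp-a.example include:u2.esp-a.example "
                          "include:u3.esp-a.example ~all"],
    "spf.esp-b.example": ["v=spf1 include:n1.esp-b.example include:n2.esp-b.example ~all"],
    "spf.crm.example": ["v=spf1 a:mail.crm.example ~all"],
    "spf.desk.example": ["v=spf1 ip4:203.0.113.0/28 ~all"],
}
# Leaf records hold address ranges only, so they cost no further lookups.
for leaf in ("u1.esp-a", "u2.esp-a", "u3.esp-a", "n1.esp-b", "n2.esp-b"):
    ZONE[f"{leaf}.example"] = ["v=spf1 ip4:198.51.100.0/24 ~all"]

def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records (other TXT data is ignored)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count lookup-costing terms reachable from `domain` via include/redirect."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    records = spf_records(domain, zone)
    if len(records) != 1:  # zero or several SPF records is an error, not a merge
        raise ValueError(f"{domain}: found {len(records)} SPF records, need exactly 1")
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("redirect="):  # the redirect modifier costs one lookup too
            total += 1 + count_lookups(term[9:], zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        if name.split("/")[0] in LOOKUP_MECHS:  # "a/24" and "mx/24" still cost one
            total += 1
        if name == "include":
            total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone):
    """Return (total lookups, within limit?, cost of each top-level include)."""
    total = count_lookups(domain, zone)
    terms = (t.lstrip("+-~?").lower() for t in spf_records(domain, zone)[0].split()[1:])
    costs = {t[8:]: 1 + count_lookups(t[8:], zone, (domain,))
             for t in terms if t.startswith("include:")}
    return total, total <= LOOKUP_LIMIT, costs
```

In this constructed zone the record looks short but resolves to 11 lookups, and the per-include costs show which service is the best candidate for flattening or for a dedicated sending subdomain.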

What the experts say
5 Expert opinions

When setting up SPF records for multiple email sending services, it's essential to identify all services sending on behalf of your domain and document them. SPF records apply to the 'envelope from' address, not the address displayed in the email client. To determine the correct domain for the SPF record, check the 'Return-Path:' line in the email headers. Each service may require a specific SPF 'include' record, especially if using custom bounce domains. Ensure that your SPF record includes all authorized sending sources using the 'include:' mechanism. Also, avoid exceeding the 10 DNS lookup limit to prevent SPF failures. After creating the record, test it and monitor authentication reports to validate its effectiveness. Review and update the record regularly so that it stays accurate.

Key opinions

  • Envelope From: SPF records apply to the 'envelope from' address, which may differ from the sender address.
  • Identify Sources: Document all services sending email on behalf of your domain.
  • Return-Path: Check the 'Return-Path:' line in email headers to determine the domain for the SPF record.
  • Include Mechanism: Use the 'include:' mechanism to incorporate SPF policies of third-party senders.

Key considerations

  • Service Specifics: Different services may require specific SPF 'include' records (e.g., Google Workspace, custom bounce domains in Amazon SES/Help Scout).
  • DNS Lookups: Limit the number of DNS lookups to avoid exceeding the 10 DNS lookup limit.
  • Testing: Test the SPF record after creation.
  • Authentication Reports: Monitor authentication reports to validate and catch any misconfigurations.
  • Regular review: Regularly review and update the SPF record.
Expert view

Expert from Spamresource.com explains the critical steps for configuring SPF records when using multiple email senders. First, identify all authorized sending sources. Second, use the `include:` mechanism to incorporate the SPF policies of third-party senders. And third, limit the number of DNS lookups. Avoid exceeding the 10 DNS lookup limit to prevent SPF failures. Regularly review and update the SPF record to reflect changes in your sending infrastructure.

July 2021 - Spamresource.com
Expert view

Expert from Email Geeks explains that SPF records apply to the address in your envelope from address, NOT the address that shows up in the mail client.

January 2025 - Email Geeks
Expert view

Expert from Email Geeks explains that you should identify what the envelope from domain is for each service and publish the correct records. If you’re sending from G Suite, then you absolutely do need to include the Google record. You don’t need to include Amazon SES unless you have set up a custom bounce domain in your Amazon SES instance, in which case you should publish the SPF include for that custom bounce domain. Likewise, with Help Scout, if you’ve set up a custom bounce domain for Help Scout, you should publish the SPF record for that domain.

February 2023 - Email Geeks
Expert view

Expert from Wordtothewise.com explains that you should start by documenting all the services that send emails on behalf of your domain. Once you have that documentation, you should create an SPF record that contains ALL of the sending sources; the 'a', 'mx', and 'ptr' mechanisms are not recommended. After you have created your record, test it, and then monitor the authentication reports to validate.

June 2022 - Wordtothewise.com
Expert view

Expert from Email Geeks shares that you should send yourself emails from all 3 systems and use the “show original” or “show full headers” option. If you’re using Google, Google will show you something that looks like: You’ll also want to look in the header piece to see a line starting with “Return-Path:”. It is the domain in the “Return-Path:” line that is the domain you need to publish SPF for.

January 2023 - Email Geeks
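
The header check the experts describe, as an added example that is not part of any quoted source: it reads the Return-Path and From headers of three constructed test messages and reports which envelope domains sit in your own zone and therefore need an SPF record published by you. The domain example.com, the sending systems and all addresses are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed headers from three hypothetical sending systems; the header From
# is example.com every time, but the envelope sender (Return-Path) differs.
SAMPLES = {
    "mailbox provider": "Return-Path: <alice@example.com>\n"
                        "From: Alice <alice@example.com>\n\nhello",
    "ESP, shared bounce domain": "Return-Path: <b-123@bounces.esp-a.example>\n"
                                 "From: News <news@example.com>\n\nhello",
    "help desk, custom bounce domain": "Return-Path: <r-77@bounce.example.com>\n"
                                       "From: Support <help@example.com>\n\nhello",
}

def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spf_domains(samples, own_domain):
    """Per system: (Return-Path domain, header From domain, who publishes SPF)."""
    report = {}
    for system, raw in samples.items():
        msg = message_from_string(raw)
        envelope = domain_of(msg.get("Return-Path"))
        ours = envelope == own_domain or envelope.endswith("." + own_domain)
        report[system] = (envelope, domain_of(msg.get("From")),
                          "you" if ours else "the service")
    return report

def records_to_publish(samples, own_domain):
    """Exact domains in your zone that each need their own SPF TXT record."""
    return sorted({env for env, _, owner in spf_domains(samples, own_domain).values()
                   if owner == "you"})

if __name__ == "__main__":
    for system, row in spf_domains(SAMPLES, "example.com").items():
        print(f"{system}: Return-Path={row[0]} From={row[1]} SPF by {row[2]}")
    print(records_to_publish(SAMPLES, "example.com"))
```

SPF is evaluated against the exact Return-Path domain, so the custom bounce subdomain in the third sample needs its own TXT record; the record at example.com does not cover it.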

What the documentation says
4 Technical articles

When setting up an SPF record for multiple email sending services, it's essential to include the appropriate SPF records for each service you use. For Google Workspace, include `v=spf1 include:_spf.google.com ~all`. For Amazon SES, include `include:amazonses.com` (or regional endpoints/custom MAIL FROM domain SPF). For Office 365, use `v=spf1 include:spf.protection.outlook.com -all`. SPF records use specific syntax, with 'include:' designating other domains' authorization policies and 'all' dictating how to handle unmatched addresses (using '-all' for hard fail, '~all' for soft fail). These SPF records should be added as TXT records to your domain's DNS settings.

Key findings

  • Google Workspace SPF: Use `v=spf1 include:_spf.google.com ~all` for Google Workspace.
  • Amazon SES SPF: Use `include:amazonses.com` (or regional endpoints/custom MAIL FROM domain SPF) for Amazon SES.
  • Office 365 SPF: Use `v=spf1 include:spf.protection.outlook.com -all` for Office 365.
  • SPF Syntax: 'include:' designates other domains' authorization policies.

Key considerations

  • TXT Record: Ensure SPF records are added as TXT records in your domain's DNS settings.
  • Regional Endpoints: Amazon SES may require specific regional endpoints.
  • MAIL FROM Domain: Amazon SES users who utilize a custom MAIL FROM domain will need to publish an SPF record for that domain.
  • All Mechanism: Understand the implications of using '-all' (hard fail) versus '~all' (soft fail) in the SPF record.
Technical article

Documentation from Amazon Web Services shares that if you're using Amazon SES, you should include Amazon's SES servers in your SPF record. Depending on the region, you may need to include specific regional endpoints. If you're using a custom MAIL FROM domain, ensure the SPF record is published for that domain. Otherwise, the standard Amazon SES include should suffice: `include:amazonses.com`.

September 2023 - Amazon Web Services
Technical article

Documentation from Microsoft says that if you're sending email through Office 365, you need to include Office 365's SPF record. The recommended SPF record is `v=spf1 include:spf.protection.outlook.com -all`. Also ensure that this record is set up as a TXT record in your domain's DNS settings.

June 2022 - Microsoft
Technical article

Documentation from Google Workspace Admin Help explains that to create an SPF record for Google Workspace, you need to include Google's servers in your SPF record. The recommended SPF record is `v=spf1 include:_spf.google.com ~all`. This record should be added as a TXT record in your domain's DNS settings.

June 2022 - Google Workspace Admin Help
Technical article

Documentation from RFC Editor explains that SPF records use a specific syntax where 'include:' is a mechanism to designate other domains' authorization policies. The 'all' mechanism specifies how to handle addresses that do not match any of the preceding mechanisms, with '-all' indicating a hard fail and '~all' indicating a soft fail.

April 2023 - RFC Editor