SPF Record Examples: Real-World Records for Every Scenario
Practical SPF record examples for common setups including Google Workspace, Microsoft 365, SendGrid, and multi-provider configurations.
Last updated: 2026-04-17
Looking at real SPF records is the fastest way to understand how they work. This guide walks through practical examples for the most common email setups, from simple single-provider configurations to complex multi-service records. For the full syntax reference, see our SPF syntax guide, or start with our complete SPF guide for a comprehensive overview.
Each example includes the full record, an explanation of what it does, and the approximate DNS lookup count — because staying under the 10 DNS lookup limit as required by RFC 7208 is critical.
1. Single Provider: Google Workspace Only
v=spf1 include:_spf.google.com ~all
What it does: Authorizes Google Workspace mail servers to send email for your domain. Everything else gets a soft fail.
DNS lookups: ~4
This is the most common starting point for small businesses using Google Workspace. The ~all at the end means unauthorized servers get a soft fail — the email is marked as suspicious but usually still delivered. Once you're confident everything is working, you can switch to -all for strict enforcement.
If you need step-by-step setup help, see our SPF for Google Workspace guide.
2. Single Provider: Microsoft 365
v=spf1 include:spf.protection.outlook.com ~all
What it does: Authorizes Microsoft 365 (Exchange Online) servers to send email for your domain.
DNS lookups: ~3
This is the standard SPF record for businesses using Microsoft 365 for email. Note the include domain is spf.protection.outlook.com — not outlook.com or microsoft.com. See our full SPF for Microsoft 365 guide for setup details.
3. Two Providers: Google Workspace + SendGrid
v=spf1 include:_spf.google.com include:sendgrid.net ~all
What it does: Authorizes both Google Workspace (for regular business email) and SendGrid (for transactional or marketing email).
DNS lookups: ~6
This is a typical setup for businesses that use Google Workspace for employee email and SendGrid for automated emails like order confirmations, password resets, or newsletters. The order of the include statements doesn't matter.
4. Three Providers: Google + Marketing + Transactional
v=spf1 include:_spf.google.com include:spf.mandrillapp.com include:sendgrid.net ~all
What it does: Authorizes Google Workspace, Mailchimp/Mandrill (marketing emails), and SendGrid (transactional emails).
DNS lookups: ~8
This is where things start getting tight on the lookup limit. Three email services plus their nested lookups can push you close to the 10-lookup ceiling. Before adding another service, check your actual lookup count with the tool above.
Watch your lookup count
With three or more providers, you're likely using 7-9 of your 10 allowed DNS lookups. Adding one more service could push you over the limit and break SPF entirely. Always check before adding.
5. IP-Based: Specific Server IPs
v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 include:_spf.google.com ~all
What it does: Authorizes two specific IP addresses (perhaps your own mail server or application server) plus Google Workspace.
DNS lookups: ~4
The ip4 mechanism doesn't count toward the DNS lookup limit because there's no DNS query needed — the IP address is right there in the record. This makes IP-based entries useful when you need to save lookups. However, if those IP addresses ever change, you need to update the record manually.
6. No-Send Domain
v=spf1 -all
What it does: Declares that this domain sends no email at all. Every server is unauthorized.
DNS lookups: 0
This is essential for domains that don't send email — parked domains, redirect domains, or domains used only for a website. Google recommends this approach for non-sending domains. Without this record, spammers can spoof your domain more easily. The hard fail (-all) tells receiving servers to reject any email claiming to come from this domain.
Protect all your domains
Even if you never send email from a domain, you should publish an SPF record. Domains without SPF records are common targets for email spoofing. A simple v=spf1 -all takes 30 seconds to set up and protects your brand.
7. Subdomain Setup
v=spf1 include:sendgrid.net -all
Published on: mail.yourdomain.com (as a TXT record)
What it does: Authorizes SendGrid to send email from the subdomain mail.yourdomain.com, while the root domain can have its own separate SPF record.
DNS lookups: ~2
Splitting email by subdomain is a smart strategy when you're hitting the lookup limit on your main domain. Marketing emails go from mail.yourdomain.com, transactional from notify.yourdomain.com, and corporate email from yourdomain.com. Each subdomain gets its own 10-lookup budget.
8. Using the Redirect Modifier
v=spf1 redirect=_spf.yourdomain.com
What it does: Instead of defining SPF rules directly, it redirects evaluation to the SPF record published at _spf.yourdomain.com.
DNS lookups: 1 (plus whatever the target record uses)
The redirect modifier is useful when multiple domains should share the same SPF policy. You maintain one SPF record at a central location and point other domains to it. Per RFC 7208, redirect is processed only if no other mechanisms match — it's different from include.
9. Near the Lookup Limit
v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net include:spf.mandrillapp.com ~all
What it does: Authorizes Google Workspace, Microsoft 365, SendGrid, and Mailchimp/Mandrill.
DNS lookups: ~10 (right at the limit)
This record is technically valid but dangerously close to the limit. If any of these providers add a nested include to their own SPF records, you could silently exceed 10 lookups and start getting PermError failures. If you're in this situation, consider using SPF flattening or splitting email streams across subdomains.
10. IP Range with CIDR Notation
v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 include:_spf.google.com ~all
What it does: Authorizes two entire IP ranges (256 addresses each) plus Google Workspace.
DNS lookups: ~4
CIDR notation (/24) lets you authorize a range of IP addresses in a single entry. This is common when your email infrastructure uses a block of IPs. Like individual ip4 entries, ranges don't count toward the lookup limit.
How to Choose the Right Structure
Not sure which example matches your situation? Here's a quick guide:
| Your Situation | Recommended Approach |
|---|---|
| One email provider | Single include (Examples 1 or 2) |
| Two email services | Two includes (Example 3) |
| Three+ services | Multiple includes, monitor lookup count (Example 4) |
| Own mail server with static IPs | IP-based entries (Example 5) |
| Domain that never sends email | No-send record (Example 6) |
| Hitting the 10 lookup limit | Subdomain splitting (Example 7) or flattening |
| Multiple domains, same policy | Redirect modifier (Example 8) |
Need help building your SPF record? SPF Creator generates the correct syntax based on your email services. For a deeper dive into SPF syntax, check out How SPF Works.
Verify Your SPF Record
After creating or updating your SPF record, always verify it. Common issues include syntax errors, duplicate records, and exceeding the lookup limit. Use the checker above or monitor all your email authentication records with the Email Deliverability Suite.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- Google Workspace SPF Setup — Google's SPF configuration guide
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring