Suped

How do I set up an SPF record when using multiple email sending services?

Summary

Configuring SPF records for multiple email sending services requires identifying all services sending emails on behalf of your domain and creating an SPF record that includes all authorized sending sources. The SPF record applies to the 'envelope from' address, found in the 'Return-Path:' of email headers. Use the 'include:' mechanism to incorporate SPF policies of each service, paying attention to service-specific instructions (e.g., Google Workspace, Amazon SES, Office 365). It's crucial to avoid exceeding the 10 DNS lookup limit, and consider flattening the record if necessary. Regularly test the SPF record using online tools and monitor authentication reports. Best practices also include avoiding multiple SPF records, keeping the record updated, and understanding the implications of '-all' versus '~all'.

Key findings

  • Identify Sources: Identify and document all email sending services used by your domain.
  • Envelope From Address: SPF records apply to the 'envelope from' address, which can be found in the 'Return-Path:' of the email header.
  • Include Mechanism: Use the 'include:' mechanism to incorporate the SPF policies of third-party senders.
  • 10 DNS Lookup Limit: Avoid exceeding the 10 DNS lookup limit; consider flattening the record if necessary.

Key considerations

  • Service-Specific Instructions: Each service may have specific SPF record requirements (e.g., custom bounce domains).
  • Testing SPF Records: Test SPF records using online tools after any changes.
  • Authentication Reports: Monitor authentication reports to validate the SPF setup.
  • Regular Updates: Keep SPF records up-to-date to reflect changes in sending infrastructure.
  • Single SPF Record: Ensure there is only one SPF record per domain.
  • -all vs ~all: Understand the implications of using '-all' (hard fail) versus '~all' (soft fail).

What email marketers say

10 marketer opinions

When configuring SPF records for multiple email sending services, it's crucial to include all authorized sending sources in your SPF record using the 'include:' mechanism for each service. You should also identify all email sending services (ESPs) and their respective SPF includes. To avoid deliverability issues, do not exceed the 10 DNS lookup limit. It's recommended to test your SPF record using online tools to ensure validity and proper configuration. Regularly update and monitor your SPF record to reflect changes in your sending infrastructure and avoid common mistakes such as using multiple SPF records.

Key opinions

  • Include All Sources: SPF records must include all authorized sending sources using the 'include:' mechanism.
  • DNS Lookup Limit: Avoid exceeding the 10 DNS lookup limit to prevent SPF failures.
  • Test SPF Record: Always test your SPF record with online tools to ensure it's valid and properly configured.
  • Regular Updates: Regularly review and update the SPF record to reflect changes in your sending infrastructure.

Key considerations

  • Identify ESPs: Identify all email sending services (ESPs) you use and their respective SPF includes.
  • Limit Lookups: If approaching the 10 lookup limit, consider flattening your SPF record by resolving includes to IP addresses (and keeping these updated).
  • Avoid Multiple Records: Ensure you do not have multiple SPF records for a single domain.
  • Monitor Authentication: Monitor authentication reports to validate the setup and identify any potential issues.

Marketer view

Email marketer from Email Geeks shares that the SPF record lists what sources are permitted to set the domain in the 5321.From (a.k.a. return-path, envelope From, MAIL FROM, bounce) address. Include your domain only if the IP address that the domain resolves to sends email that sets the 5321.From.

29 Jun 2023 - Email Geeks

Marketer view

Email marketer from StackOverflow shares that your SPF record should include all authorized sending sources. This is achieved using the `include:` mechanism for each service. For example: `v=spf1 include:sendgrid.net include:_spf.google.com ~all`. Test your SPF record using online tools to ensure it's valid.

26 Mar 2025 - StackOverflow

What the experts say

5 expert opinions

When setting up SPF records for multiple email sending services, it's essential to identify all services sending on behalf of your domain and document them. SPF records apply to the 'envelope from' address, not the address displayed in the email client. To determine the correct domain for the SPF record, check the 'Return-Path:' line in the email headers. Each service may require a specific SPF 'include' record, especially if using custom bounce domains. Ensure that your SPF record includes all authorized sending sources using the 'include:' mechanism. Also, avoid exceeding the 10 DNS lookup limit to prevent SPF failures. After creating the record, test it, and monitor authentication reports to validate its effectiveness and regularly review and update to ensure you have accurate SPF records.

Key opinions

  • Envelope From: SPF records apply to the 'envelope from' address, which may differ from the sender address.
  • Identify Sources: Document all services sending email on behalf of your domain.
  • Return-Path: Check the 'Return-Path:' line in email headers to determine the domain for the SPF record.
  • Include Mechanism: Use the 'include:' mechanism to incorporate SPF policies of third-party senders.

Key considerations

  • Service Specifics: Different services may require specific SPF 'include' records (e.g., Google Workspace, custom bounce domains in Amazon SES/Help Scout).
  • DNS Lookups: Limit the number of DNS lookups to avoid exceeding the 10 DNS lookup limit.
  • Testing: Test the SPF record after creation.
  • Authentication Reports: Monitor authentication reports to validate and catch any misconfigurations.
  • Regular review: Regularly review and update the SPF record.

Expert view

Expert from Spamresource.com explains the critical steps for configuring SPF records when using multiple email senders. First, identify all authorized sending sources. Second, use the `include:` mechanism to incorporate the SPF policies of third-party senders. And third, limit the number of DNS lookups. Avoid exceeding the 10 DNS lookup limit to prevent SPF failures. Regularly review and update the SPF record to reflect changes in your sending infrastructure.

26 Jul 2021 - Spamresource.com

Expert view

Expert from Email Geeks explains that SPF records apply to the address in your envelope from address, NOT the address that shows up in the mail client.

14 Feb 2023 - Email Geeks

What the documentation says

4 technical articles

When setting up an SPF record for multiple email sending services, it's essential to include the appropriate SPF records for each service you use. For Google Workspace, include `v=spf1 include:_spf.google.com ~all`. For Amazon SES, include `include:amazonses.com` (or regional endpoints/custom MAIL FROM domain SPF). For Office 365, use `v=spf1 include:spf.protection.outlook.com -all`. SPF records use specific syntax, with 'include:' designating other domains' authorization policies and 'all' dictating how to handle unmatched addresses (using '-all' for hard fail, '~all' for soft fail). These SPF records should be added as TXT records to your domain's DNS settings.

Key findings

  • Google Workspace SPF: Use `v=spf1 include:_spf.google.com ~all` for Google Workspace.
  • Amazon SES SPF: Use `include:amazonses.com` (or regional endpoints/custom MAIL FROM domain SPF) for Amazon SES.
  • Office 365 SPF: Use `v=spf1 include:spf.protection.outlook.com -all` for Office 365.
  • SPF Syntax: 'include:' designates other domains' authorization policies.

Key considerations

  • TXT Record: Ensure SPF records are added as TXT records in your domain's DNS settings.
  • Regional Endpoints: Amazon SES may require specific regional endpoints.
  • MAIL FROM Domain: Amazon SES users who utilize a custom MAIL FROM domain will need to publish an SPF record for that domain.
  • All Mechanism: Understand the implications of using '-all' (hard fail) versus '~all' (soft fail) in the SPF record.

Technical article

Documentation from Amazon Web Services shares that if you're using Amazon SES, you should include Amazon's SES servers in your SPF record. Depending on the region, you may need to include specific regional endpoints. If you're using a custom MAIL FROM domain, ensure the SPF record is published for that domain. Otherwise, the standard Amazon SES include should suffice: `include:amazonses.com`.

26 May 2021 - Amazon Web Services

Technical article

Documentation from Microsoft says if you're sending email through Office 365, you need to include Office 365's SPF record. The recommended SPF record is `v=spf1 include:spf.protection.outlook.com -all`. Also ensure that this record is set up as a TXT record in your domains DNS settings.

16 Dec 2024 - Microsoft

Start improving your email deliverability today

Get a demo