December 8, 2024

SPF records: how to stop scammers from spoofing your business email

If someone can send email that looks like it came from your domain, they can phish your customers and staff using your name. An SPF record is the simplest fix. It tells the world which mail servers are allowed to send email for your domain, so the fakes get flagged. Here is how it works and how to set it up.

What SPF actually does

SPF (Sender Policy Framework) is a single TXT record in your domain's DNS. It lists the servers allowed to send mail as your domain. When a receiving server gets a message claiming to be from you, it looks up that record for the domain in the message's envelope sender and checks whether the connecting server's IP address is on the list. If it is not, the message fails the check and is far more likely to be rejected or sent to junk.

Setting it up

  1. Log in to wherever your domain's DNS lives: your registrar, Cloudflare, the Google Workspace admin console, and so on.
  2. Add a TXT record for your domain with your SPF policy. A simple one for a Microsoft 365 mailbox looks like v=spf1 include:spf.protection.outlook.com -all, where the -all at the end tells receivers to fail anything from a server that is not listed. Swap in the right include for whatever sends your mail.
  3. List every legitimate sender: your mail provider, plus anything else that emails as you, like a CRM, a marketing tool, or your accounting app.
  4. Save it, then verify it with any free SPF checker to confirm it resolves.

The two mistakes people make

  • Too many lookups. SPF allows only 10 DNS lookups per check, and the includes nested inside your includes count toward that limit. Go past ten and the check returns a permanent error, so the whole record quietly fails. Keep it lean.
  • Forgetting a sender. Add a new tool that sends email as you and forget to update SPF, and its messages start failing. Update the record whenever you add a sender.
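The setup steps and the two mistakes above can be checked before you hit save. The script below is an added example, not part of this post: it walks a record the way a receiver would, counting the lookups spent across nested includes and reporting what the final all term does with unlisted senders. It runs offline against a constructed table of DNS answers; every name except spf.protection.outlook.com is invented, and the IP ranges shown for that name are placeholders, not its real record.

```python
import re

# Mechanisms and modifiers that each cost one of the 10 DNS lookups
# a receiver will spend on a record (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed stand-in for DNS TXT answers so the check runs offline.
# The ip4 ranges and every name other than spf.protection.outlook.com are invented.
FAKE_DNS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com include:_spf.crm.example -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all",
    "_spf.crm.example": "v=spf1 include:_spf.crm-a.example include:_spf.crm-b.example ~all",
    "_spf.crm-a.example": "v=spf1 a mx ip4:192.0.2.0/24 -all",
    "_spf.crm-b.example": "v=spf1 mx -all",
    # Both mistakes at once: includes piled past the limit, and a soft ~all.
    "bloated.example": "v=spf1 include:_spf.crm.example include:_spf.crm.example ~all",
}

def count_lookups(domain, dns, chain=()):
    """Count the DNS lookups a receiver spends evaluating `domain`'s record,
    following include: and redirect= into the records they point at."""
    if domain in chain:              # include loop: stop instead of recursing forever
        return 0
    total = 0
    for term in dns.get(domain, "").lower().split()[1:]:   # [1:] skips v=spf1
        m = re.match(r"[+\-~?]?([a-z0-9]+)", term)
        name = m.group(1) if m else ""
        if name not in LOOKUP_TERMS:
            continue                 # ip4:, ip6:, all and exp= cost nothing
        total += 1
        if name in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            total += count_lookups(target, dns, chain + (domain,))
    return total

def terminal_policy(record):
    """Report what the record tells receivers to do with an unlisted sender."""
    names = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
    for term in record.lower().split():
        if term.lstrip("+-~?") == "all":
            return names.get(term[0], "pass")   # a bare 'all' means +all
    return "missing"

def check(domain, dns=FAKE_DNS):
    """Summarise a record the way a free SPF checker would."""
    lookups = count_lookups(domain, dns)
    return {"lookups": lookups,
            "over_limit": lookups > MAX_LOOKUPS,
            "unlisted_senders": terminal_policy(dns.get(domain, ""))}

if __name__ == "__main__":
    for d in ("example.com", "bloated.example"):
        print(d, check(d))
```

Swap FAKE_DNS for real TXT lookups and the same two functions give you the lookup count and policy for your own domain.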

SPF is one of three

SPF on its own is good, not complete. Pair it with DKIM, which signs your mail so receivers can detect tampering, and DMARC, which ties both checks to the From address people actually see, tells receivers what to do when a message fails, and reports who is sending as you. Together they are what actually stops domain spoofing.

Done right this is a 20-minute job, and done wrong it is a recurring headache. If you want your email locked down with SPF, DKIM, and DMARC set up properly, that is something I handle for clients.