Practical DNS instructions with copy paste SPF records for common providers.
SPF setup for cold email is one of the first things you need to get right before sending any outreach. SPF stands for Sender Policy Framework. It is a DNS record that tells receiving mail servers which servers are allowed to send email on behalf of your domain. Without a valid SPF record, your cold emails are far more likely to land in spam because the receiving server has no way to verify that your message actually came from an authorized source.
An SPF record is a single TXT record published in your domain's DNS. When a receiving server gets your email, it checks this record to see if the sending server's IP address is on the approved list. If the IP matches, the SPF check passes. If it does not, the check fails, and the email is more likely to be rejected or sent to spam.
This guide walks through the complete SPF record setup process with actual DNS examples you can copy and adapt for your own domain. Whether you send through Gmail, Outlook, Amazon SES, or another provider, the steps below will help you get your SPF record configured correctly.
Before you write your SPF record, make a list of every service that sends email using your domain. This includes your email provider (Gmail, Outlook, Zoho), any transactional email service (Amazon SES, SendGrid), your cold email tool, and any other platforms that send on your behalf such as helpdesk software or marketing automation tools. Missing even one service means emails sent from that service will fail SPF checks.
An SPF record is a single TXT record that starts with the version declaration and lists authorized senders. Here is an example for a domain that sends through Google Workspace:
v=spf1 include:_spf.google.com ~all
Here is what each part means. The v=spf1 declares this is an SPF version 1 record. The include:_spf.google.com authorizes all of Google's mail servers to send on behalf of your domain. The ~all is the policy for any server not listed, where the tilde means soft fail, which tells receiving servers to accept the email but treat it with suspicion.
If you also send through Amazon SES, your record would look like this:
v=spf1 include:_spf.google.com include:amazonses.com ~all
For Outlook and Microsoft 365 users, the include value is include:spf.protection.outlook.com. For Zoho, it is include:zoho.com. You can combine multiple include statements in a single record. Just keep them all in one TXT record rather than creating separate SPF records, because a domain should only have one SPF record.
Log into your domain registrar or DNS hosting provider. Navigate to the DNS management section for your domain. Create a new TXT record with the host set to @ (which represents your root domain) and paste your SPF record as the value. If your DNS provider asks for a TTL, 3600 seconds (one hour) is a reasonable default. Save the record and allow time for DNS propagation, which usually takes between a few minutes and 48 hours depending on your provider.
After adding the record, verify it is working correctly. Send a test email to a Gmail account and open the message. Click the three dots menu, then select "Show original." Look for the SPF line in the authentication results. It should show spf=pass. You can also use online tools that check your DNS records directly by entering your domain name. If the record is not found, double check that you created a TXT record (not an MX or CNAME) and that you used the correct host value.
The most frequent SPF mistake is creating multiple SPF records for the same domain. Your domain should have exactly one TXT record that starts with v=spf1. If you need to authorize additional services, add them as include statements within that single record. Multiple SPF records will cause a permerror, and both records will be ignored by receiving servers.
Another common issue is exceeding the DNS lookup limit. SPF allows a maximum of 10 DNS lookups per record. Each include statement counts as at least one lookup, and nested includes count too. If you exceed 10 lookups, the SPF check will return a permerror and fail for all emails. You can check your lookup count using an SPF record checker tool. If you are over the limit, consider replacing include statements with ip4 directives for services with stable IP addresses.
Using +all instead of ~all or -all is another mistake that essentially authorizes every server in the world to send email as your domain. Always end your SPF record with ~all (soft fail) or -all (hard fail). For cold email, ~all is the safer choice because hard fail can sometimes cause legitimate emails to be rejected during forwarding.
Finally, forgetting to update your SPF record when you add a new sending service is a subtle problem that shows up weeks later as deliverability drops. Any time you connect a new email provider or tool that sends on your behalf, update the SPF record to include it.
EmailQo runs inbox health checks before every send that include DNS record validation. If your SPF record is missing, misconfigured, or has too many lookups, the pre send check will flag the issue before your campaign goes out. This catches SPF problems at the point where they can still be fixed rather than discovering them through failed deliverability after your emails have already been sent.