SPF Records Explained

Sender Policy Framework (SPF) is an open standard aimed at preventing sender address forgery. This article describes how SPF is configured for use with SendGrid.

SPF and Whitelabel

As part of the whitelabel process you must create a subdomain (such as email.yourdomain.com) which is used for click and open tracking as well as in the Return-Path email header. SPF uses the domain value in the Return-Path header for the DNS lookup to determine the permitted senders for the domain. 

If you have an SPF record set for your subdomain (e.g. email.yourdomain.com), you must add a unique alphanumeric string before the all mechanism of this record in order to authenticate mailings through your SendGrid account. If you do not have an SPF record for your domain, you must create a TXT record with the value provided to you during the whitelabel creation process. Each SendGrid account gets a unique SPF TXT record to authenticate its outbound mailings. An example of such a record is:

v=spf1 include:u826348.wl.sendgrid.net -all

If you have disabled automatic security in your whitelabel, you are not required to create an SPF record. 

In this example we have a unique SPF record that authorizes outbound mail for an account. Ending the record with "-all" rather than "~all" indicates that this SPF record is the only record used to authenticate mail for your domain. Make sure to include any other authorized senders in this SPF record if you need to authenticate mailings from other sources.

Do not create more than one SPF (v=spf1) record for a given domain. If you have additional SPF records, merge them into one SPF record.

You also cannot have more than 10 DNS lookups in your SPF record.


Already have an SPF record for your domain? 

No problem. You simply need to add your SendGrid account's unique SPF inclusion to your existing record.

For example, say your record looks like this: 

v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com -all

You would just need to add our lookup at the end of the string, before the all mechanism, like so:

v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com include:u826348.wl.sendgrid.net -all


Don't want to include another hostname lookup? 

If you would rather not include SendGrid's SPF hostname lookup in your record, or perhaps you just have too many already, you can also choose to give permission to a specific IP address to send mail for your domain. This is accomplished using the ip4 mechanism.

If you have a Silver or higher level package, you can choose to specify your dedicated IP address as a lookup, meaning that only mail coming from that particular IP address will be considered a permitted sender within SendGrid for that domain. An example of such a record looks like this:

v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com ip4: -all

If you wish to add multiple ip4 lookups (if you have an account that sends from multiple dedicated IPs, for example), simply add them into your record separated by spaces. Unlike include:hostname lookups, an SPF record can have any number of ip4 entries.
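
The merge and the two limits described above (one SPF record per domain, at most 10 DNS lookups), as an added Python example that is not SendGrid's own code. It reuses the records shown in this article; the function names are hypothetical, and the lookup count covers only the terms written in the record itself, while receivers also count lookups made inside each included record.

```python
import re

# Terms that cost one DNS lookup each when a receiver evaluates the record
# (RFC 7208, section 4.6.4). ip4, ip6 and all cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def term_name(term):
    """Strip the qualifier (+ - ~ ?) and any :value, =value or /cidr suffix."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def add_include(record, host):
    """Insert include:<host> immediately before the all mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    new_term = "include:" + host
    if new_term.lower() in (t.lower() for t in terms):
        return " ".join(terms)          # already present, nothing to merge
    names = [term_name(t) for t in terms]
    pos = names.index("all") if "all" in names else len(terms)
    terms.insert(pos, new_term)
    return " ".join(terms)

def count_lookups(record):
    """Count lookup-costing terms written in this record (nested ones excluded)."""
    return sum(term_name(t) in LOOKUP_TERMS for t in record.split()[1:])

def find_problems(txt_records):
    """Check one hostname's TXT records against the two rules above."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    problems = []
    if len(spf) > 1:
        problems.append("%d SPF records published; merge them into one" % len(spf))
    for r in spf:
        if count_lookups(r) > 10:
            problems.append("more than 10 DNS lookups in: " + r)
    return problems

# Constructed sample input, reusing the records shown on this page.
EXISTING = "v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com -all"
MERGED = add_include(EXISTING, "u826348.wl.sendgrid.net")

if __name__ == "__main__":
    print(MERGED)
    print("lookups:", count_lookups(MERGED))
    # Publishing the SendGrid record separately instead of merging is flagged.
    print(find_problems([EXISTING, "v=spf1 include:u826348.wl.sendgrid.net -all"]))
```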


For more information on SPF best practices and syntax, check out www.openspf.org
