SPF Record Example: Copy-Paste Templates for Every Setup

By Alexey Bulygin

Every SPF record example you find online is either oversimplified or bloated with edge cases you'll never hit. Here's what you actually need: production-ready templates for the three infrastructure setups that cover 95% of domains. One TXT record, starting with v=spf1, ending with -all. Get it wrong and receivers like Google and Microsoft reject your mail with cryptic SMTP errors like 550 5.7.26.

Below are the SPF record templates. Pick your scenario, paste the record, and move on to problems that actually require your attention.

SPF Record Example Templates for Every Sending Setup

A good SPF record should match your actual infrastructure, not some hypothetical setup with six SaaS tools. The three scenarios below cover single-sender domains, hybrid setups, and complex multi-sender stacks. Each template is ready to publish as a DNS TXT record on your root domain.

Scenario 1: Single Sender (One Provider Handles Everything)

You send all email through one platform. This is the cleanest setup and the one you should aim for.

TrekMail (Starter, Pro, or Agency plan):

v=spf1 include:spf.trekmail.net -all

Google Workspace:

v=spf1 include:_spf.google.com -all

Microsoft 365:

v=spf1 include:spf.protection.outlook.com -all

One include, one -all. That's it. You're using 1 DNS lookup out of your allowed 10.

Scenario 2: Hybrid Sender (Inbox + Transactional Service)

You use a primary inbox provider plus a separate transactional or marketing service. This is common with TrekMail's Nano plan (which uses BYO SMTP) or any setup where you bolt on a tool like Amazon SES or Mailchimp.

TrekMail Free + Amazon SES:

v=spf1 include:amazonses.com -all

Google Workspace + Mailchimp:

v=spf1 include:_spf.google.com include:servers.mcsv.net -all

That second record has two includes, so two lookups (plus whatever nested lookups those providers trigger). Still well within limits.

Scenario 3: Multi-Sender Stack (High Risk)

This SPF record example covers corporate mail, CRM, helpdesk, and an HR platform, all authorized on one domain. This is where things break.

v=spf1 include:spf.trekmail.net include:hubspot.com include:mail.zendesk.com include:spf.bamboohr.com -all

Four includes on paper. But each include can contain nested lookups. HubSpot alone can chain 3-4 additional lookups. If the total chain exceeds 10, receivers return PermError and treat your mail as unauthenticated. If your stack looks like this, keep reading—the lookup limit section below is mandatory.

How SPF Syntax Works (The Parts That Matter)

SPF is a DNS-based whitelist defined in RFC 7208. It tells receiving servers which IP addresses are allowed to send mail for your domain. Here's every component you'll encounter in a real SPF record:

Component    | Example                  | What It Does
-------------|--------------------------|-------------------------------------------------------------
Version      | v=spf1                   | Required. Must be the first characters in the record.
Include      | include:spf.trekmail.net | Authorizes all IPs listed in another domain's SPF record.
IP Mechanism | ip4:192.0.2.1            | Directly authorizes a static IP. Costs zero DNS lookups.
HardFail     | -all                     | Reject any IP not explicitly listed. Use this.
SoftFail     | ~all                     | Marks unlisted IPs as suspicious. Only for transitional testing.

For the full setup walkthrough—including validation tools and flattening risks—see our SPF record setup guide.

The 10-Lookup Limit: Where Most SPF Records Break

RFC 7208 caps DNS lookups at 10 per SPF evaluation. This exists to prevent denial-of-service attacks, but it's the wall that every growing business slams into.

These terms cost 1 lookup each: the include, a, mx, exists, and ptr mechanisms (ptr is deprecated, so don't use it) and the redirect modifier.

These are free: ip4, ip6, all.

The catch: lookups are recursive. When you add include:bluehost.com, that's 1 lookup. But if Bluehost's own SPF record contains include:spf.protection.outlook.com, that's a nested lookup that counts against your limit. Chain 3-4 providers with nested includes and you're already past 10.

The Void Lookup Limit (Often Missed)

RFC 7208 §11.1 adds a secondary limit: a maximum of 2 DNS lookups that return no results (NXDOMAIN or empty). Typo include:spf.trekmaill.net (extra 'l')? That's 1 void lookup. Two typos and your entire record fails.
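
An added example, not TrekMail's code: a worst-case counter that walks nested includes and tallies both the lookup total and void lookups. The zone table, domain names, and the function names audit and verdict are constructed for illustration; a and mx terms are counted but their address lookups are not resolved.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}  # 1 DNS lookup each
MAX_LOOKUPS, MAX_VOID = 10, 2  # the two limits described above

# Constructed zone data for illustration (names and records are not real).
ZONE = {
    "example.test": ["site-verification=abc",
                     "v=spf1 include:_spf.mail.test include:crm.test "
                     "include:spf.helpdesk-typo.test a:mail.example.test -all"],
    "_spf.mail.test": ["v=spf1 include:_net1.mail.test include:_net2.mail.test ~all"],
    "_net1.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_net2.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "crm.test": ["v=spf1 include:_a.crm.test mx -all"],
    "_a.crm.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
}

def spf_record(name, zone):
    """First TXT string at name carrying the v=spf1 version tag, else ''."""
    hits = [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]
    return hits[0] if hits else ""

def audit(domain, zone, state=None, path=()):
    """Total the DNS-querying terms, assuming every term is evaluated (worst case)."""
    state = state if state is not None else {"lookups": 0, "void": 0, "chain": []}
    path = path + (domain,)
    for term in spf_record(domain, zone).split()[1:]:
        body = term.lstrip("+-~?")                     # drop the qualifier
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        target = body[len(name) + 1:]
        if name not in LOOKUP_TERMS:
            continue                                   # ip4, ip6, all: no DNS query
        state["lookups"] += 1
        state["chain"].append(f"{domain} -> {term}")
        if name in ("include", "redirect"):
            if not zone.get(target):
                state["void"] += 1                     # no answer, e.g. a typo'd name
            elif target not in path:                   # do not follow include loops
                audit(target, zone, state, path)
    return state

def verdict(state):
    over = state["lookups"] > MAX_LOOKUPS or state["void"] > MAX_VOID
    return "permerror" if over else "within limits"

if __name__ == "__main__":
    result = audit("example.test", ZONE)
    print(result["lookups"], "lookups,", result["void"], "void:", verdict(result))
    print("\n".join(result["chain"]))
```

The record at example.test lists four lookup terms on paper but costs 8 once nested includes are followed, and the misspelled include shows up as one void lookup.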

How to Fix the Lookup Limit Without Flattening

Before resorting to SPF record flattening, consider cleaner alternatives. Record flattening (resolving includes to raw IPs) is fragile—IPs change without notice and your flattened record goes stale. Here are two approaches that actually hold up.

Use Subdomains to Segment Senders

Don't cram every tool onto your root domain. Each subdomain gets its own fresh budget of 10 lookups.

  • Corporate mail: @company.com — just your primary provider (TrekMail, Google, etc.)
  • Marketing: @news.company.com — Mailchimp, HubSpot
  • Support: @support.company.com — Zendesk, Freshdesk

This is the only strategy that scales. If you manage multiple domains or client accounts, subdomain segmentation keeps each SPF record lean and auditable. It also isolates domain reputation so a marketing campaign gone wrong doesn't tank your transactional delivery.

Replace DNS Lookups with IP Mechanisms

If you have a static mail server, hardcode the IP instead of using an a mechanism.

Costs 1 lookup:

v=spf1 a:mail.company.com -all

Costs 0 lookups:

v=spf1 ip4:192.0.2.55 -all

Every ip4 or ip6 you substitute frees up a lookup for the SaaS tools that require include.

Critical SPF Errors That Kill Deliverability

Error 1: Two SPF Records on the Same Domain

This is the single most common SPF record mistake. You cannot publish two TXT records starting with v=spf1 on the same domain. Both will fail with PermError.

Wrong:

TXT: v=spf1 include:_spf.google.com -all
TXT: v=spf1 include:spf.trekmail.net -all

Right:

TXT: v=spf1 include:_spf.google.com include:spf.trekmail.net -all

Merge them. One record. Always. For a deeper explanation of why this happens and a complete walkthrough, see SPF record for email. Our SPF record setup guide covers the full configuration process from scratch.

Error 2: Using +all

Never use +all. It means pass everything—you're telling every mail server on Earth that anyone can send as your domain. Always use -all (HardFail).
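
An added example, not TrekMail's code: a check for Error 1 and Error 2 over the TXT strings published at one name, plus a merge that turns the "Wrong" pair above into the "Right" single record. The function names lint and merge are assumptions, and merge always ends the result in -all as this article recommends.

```python
def spf_records(txt_records):
    """TXT strings that carry the v=spf1 version tag."""
    return [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]

def lint(txt_records):
    """Findings for the TXT record set published at one name."""
    spf = spf_records(txt_records)
    if not spf:
        return ["no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} v=spf1 records: PermError, merge into one")
    for rec in spf:
        # Modifiers (redirect=, exp=) contain '='; everything else is a mechanism.
        mechs = [t.lower() for t in rec.split()[1:] if "=" not in t]
        alls = [i for i, t in enumerate(mechs) if t.lstrip("+-~?") == "all"]
        if not alls:
            if "redirect=" not in rec.lower():
                findings.append("no 'all' term: unlisted senders are not rejected")
            continue
        term = mechs[alls[0]]
        if term in ("all", "+all"):                    # bare 'all' defaults to '+'
            findings.append("+all: any host passes as this domain")
        elif term != "-all":
            findings.append(f"{term}: unlisted senders are not hard-failed")
        if alls[0] != len(mechs) - 1:
            findings.append("mechanisms after 'all' are never evaluated")
    return findings

def merge(txt_records):
    """Combine several v=spf1 records into one record ending in -all."""
    terms = []
    for rec in spf_records(txt_records):
        for t in rec.split()[1:]:
            if t.lstrip("+-~?").lower() != "all" and t not in terms:
                terms.append(t)
    return " ".join(["v=spf1", *terms, "-all"])

if __name__ == "__main__":
    # Constructed TXT set reproducing the "Wrong" case from the article.
    published = ["v=spf1 include:_spf.google.com -all",
                 "v=spf1 include:spf.trekmail.net -all"]
    print(lint(published))
    print(merge(published), lint([merge(published)]))
```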

Error 3: Relying on SPF Alone for Forwarded Mail

SPF checks the sending IP against the envelope sender's domain. When mail gets forwarded, the IP changes but the envelope sender doesn't. Result: SPF fails.

This is why DKIM exists—it signs the message content, surviving forwards intact. If you depend on mailing lists or email forwarding, SPF alone won't save you. You need DKIM, and ideally a DMARC policy that accepts either. Sender Rewriting Scheme (SRS) is the other piece of the forwarding puzzle—it rewrites the envelope sender so SPF passes at the next hop.

How TrekMail Simplifies SPF Management

Managing DNS records for one domain is tedious. Managing them across 50 or 100 client domains is where mistakes compound.

TrekMail's approach depends on your plan:

  • Free ($0/mo, no card required): BYO SMTP. You include your own provider's SPF record. Full control, zero cost.
  • Starter ($3.50/mo) and Pro ($10/mo): Managed SMTP. Add include:spf.trekmail.net and we handle the underlying IP infrastructure. When we rotate servers, your DNS stays untouched.
  • Agency (.25/mo): Same managed SMTP, but built for multi-domain management. Apply a standardized SPF template across all client domains. Our footprint stays minimal—one include—leaving plenty of lookup budget for your clients' other tools.

All paid plans include a 14-day free trial (card required). The built-in SPF/DKIM/DMARC wizard walks you through DNS configuration step by step, flagging errors before they reach production.

Your SPF Checklist

Every SPF record example in this guide follows the same principles, and a good SPF record isn't complicated once you stop overcomplicating it. Here's the audit sequence:

  1. Count your lookups. Run dig TXT yourdomain.com or use an online SPF validator. If you're over 10, you're already failing.
  2. Merge duplicate records. One domain, one v=spf1 record. Period.
  3. Segment heavy senders. Move marketing and support tools to subdomains.
  4. Swap a mechanisms for ip4 where you have static servers.
  5. End with -all. No exceptions.

If you'd rather skip the DNS editing entirely, TrekMail's free plan gives you a working email stack with zero upfront cost. Paid plans handle SPF infrastructure for you.
