
SPF Record Setup: Step-by-Step Guide With Provider Examples

By Alexey Bulygin
[Figure: SPF record setup diagram showing DNS TXT record configuration for email authentication]

Your spf record setup is the first thing a receiving mail server checks. Get it wrong and your email hits a 550 5.7.26 SMTP error — outright rejection, not the spam folder. Since February 2024, Google and Yahoo enforce authentication requirements on every sending domain. No exceptions, no grace period.

The failure modes are specific: duplicate records, exceeding the 10-lookup limit, the wrong end qualifier. Any one of them silently breaks delivery for days before you notice. And the bounce messages aren't always clear about why.

This guide covers the complete spf record setup — syntax, provider-specific configurations for TrekMail (Managed and BYO), DNS publishing, and CLI validation commands. If you haven't configured your domain's email yet, start with setting up email on your domain first, then return here for the authentication layer.

What SPF Does

SPF (Sender Policy Framework) is a DNS TXT record that publishes a whitelist of IP addresses authorized to send email from your domain. When a receiving server gets your message, it checks your DNS against the sending IP. If there's no match, authentication fails. The correct spf record setup tells receivers exactly which servers can speak on your behalf — anyone else gets rejected. Defined in RFC 7208, SPF checks the MAIL FROM (envelope sender) identity, not the From header your recipient sees.

Without SPF, anyone can forge your domain in the envelope sender. Receivers have no way to tell it's not you. That's why it's a whitelist, not a suggestion.

The One-Record Rule

You can only publish one SPF record per domain. Two TXT records starting with v=spf1 cause a PermError — receivers reject all mail from your domain. Not some of it. All of it. This is the most common mistake in any spf record setup, and it happens most often when switching providers or adding a marketing tool without removing the old record first.

Wrong — Two Separate Records:

v=spf1 include:spf.trekmail.net -all
v=spf1 include:_spf.google.com -all

Right — One Merged Record:

v=spf1 include:spf.trekmail.net include:_spf.google.com -all

Delete any existing SPF record before publishing a new one. If you're migrating between providers, this step gets skipped constantly and causes hard-to-diagnose failures.

Step 1: Inventory Every Service That Sends From Your Domain

Before touching DNS, list every service that sends email as @yourdomain.com. Miss one and those emails fail authentication after you publish a hard-fail -all record. This audit takes five minutes and prevents hours of debugging. Your spf record setup can only protect senders you've explicitly authorized — gaps mean bounces.

Common senders to include:

  • Corporate email: TrekMail, Google Workspace, Microsoft 365
  • Transactional: Amazon SES, SendGrid, Mailgun, Postmark
  • Marketing: Mailchimp, HubSpot, Klaviyo, Brevo
  • SaaS tools: Zendesk, Freshdesk, Shopify, Intercom

Some services use their own return-path domain (like bounce.mailchimp.com) and technically don't need to be in your SPF record. But many also send via your domain for DMARC alignment. Check the vendor's documentation before leaving them out.

Step 2: Build Your SPF Record

An SPF record is a single DNS TXT string. Every spf record setup uses this same structure — the mechanisms change, the format doesn't. Here's what each component does:

Component (example): what it does

  • Version (v=spf1): Required. Every SPF record starts here.
  • include (include:domain.com): Authorizes a provider's IP list via their DNS. Counts toward the 10-lookup limit.
  • ip4 (ip4:203.0.113.0/24): Authorizes a specific IPv4 address or CIDR block directly. No DNS lookup needed.
  • ip6 (ip6:2001:db8::/32): Same for IPv6.
  • -all: Hard fail. Reject everything not listed. Use this in production.
  • ~all: Soft fail. Mark as suspicious but deliver. Use only during initial transition.

Step 3: Provider-Specific SPF Record Setup

Pick the scenario that matches your infrastructure. Each record below is complete and ready to publish. If you use multiple providers, merge the include mechanisms into one record — don't create separate records for each.

Scenario A: TrekMail Managed SMTP (Starter and Agency Plans)

On a paid TrekMail plan with Managed SMTP, this is your entire spf record setup:

v=spf1 include:spf.trekmail.net -all

We handle the delivery IPs. One include, done.

Scenario B: TrekMail BYO SMTP (Free Plan or Custom Setup)

If you use TrekMail for your inbox but connect your own SMTP provider for outbound delivery, authorize that provider directly. TrekMail relays the message, but the final delivery hop comes from your SMTP provider's IPs.

# Amazon SES
v=spf1 include:amazonses.com -all

# SendGrid
v=spf1 include:sendgrid.net -all

Scenario C: Google Workspace

v=spf1 include:_spf.google.com -all

Scenario D: Microsoft 365

v=spf1 include:spf.protection.outlook.com -all

Scenario E: Hybrid (TrekMail + Marketing Platform)

Using TrekMail for team email and HubSpot for marketing campaigns? Merge them into one record. This is exactly what the one-record rule is for:

v=spf1 include:spf.trekmail.net include:456789.spf05.hubspotemail.net -all

HubSpot's include string is unique to your portal — get it from HubSpot's DNS settings screen, not from a generic guide.

Step 4: Publish to DNS

Publishing your spf record setup requires adding one TXT record at your DNS provider. Log into Cloudflare, Namecheap, GoDaddy, Route 53, or wherever your domain's DNS lives.

  1. Type: TXT
  2. Host/Name: @ (or leave blank — depends on your provider)
  3. Value: Your complete SPF string, e.g. v=spf1 include:spf.trekmail.net -all
  4. TTL: 3600 (1 hour)

If you already have an SPF record, delete it before adding the new one. If you mess up this step — if you add instead of replace — every email from your domain stops working. Double-check it.

Step 5: Validate Your SPF Record

Don't assume your spf record setup worked. Check it immediately with the command line. This bypasses cached results from web-based checkers and shows you exactly what receivers see right now.

# Mac, Linux, or Windows PowerShell
nslookup -q=txt yourdomain.com

# Linux/Mac alternative
dig txt yourdomain.com +short

You're looking for three things:

  • Exactly one line starting with v=spf1
  • All required include mechanisms are present
  • Ends with -all or ~all

If you see two lines starting with v=spf1, you have a duplicate. Delete one immediately.

Troubleshooting Common SPF Errors

Most spf record setup failures trace back to three specific issues. Here's how to diagnose and fix each one without spending hours reading SMTP logs.

1. The 10-Lookup Limit (PermError)

SPF caps DNS lookups at 10 per authentication check. Each include mechanism triggers at least one lookup, and they're recursive — if your provider includes another service, each hop counts. Exceed 10 and receivers treat your record as invalid and may reject all mail.

Symptom: Validators return PermError or "too many DNS lookups."

Fix: Move high-volume senders (Mailchimp, Zendesk) to a subdomain like support.yourdomain.com. That subdomain gets its own fresh 10-lookup budget. Your primary domain's spf record setup stays lean.
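The three checks from Step 5 and the lookup budget above, as an offline checker added here for illustration (not TrekMail's code). It reads from a constructed in-memory zone instead of live DNS, and counts include/a/mx/ptr/exists terms recursively; redirect= and the per-mechanism MX/PTR sub-limits are left out for brevity.

```python
# Offline checker for the validation points above and the 10-lookup budget.
# ZONE is a constructed stand-in for live TXT answers; every hostname and
# record in it is made up for this example (nothing here is real provider data).
ZONE = {
    "good.example": ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.10 -all"],
    "dup.example": ["v=spf1 include:_spf.mailhost.example -all",
                    "v=spf1 include:_spf.crm.example -all"],
    "heavy.example": ["v=spf1 include:_spf.mailhost.example include:_spf.crm.example ~all"],
    "_spf.mailhost.example": ["v=spf1 include:_nb.mailhost.example -all"],
    "_nb.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
    # A CRM vendor that fans out to eight regional includes: 8 lookups on its own.
    "_spf.crm.example": ["v=spf1 " + " ".join(f"include:_r{i}.crm.example" for i in range(8)) + " -all"],
}
for i in range(8):
    ZONE[f"_r{i}.crm.example"] = [f"v=spf1 ip4:192.0.2.{i}/32 -all"]
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # cost a query; ip4/ip6/all do not

def spf_records(name):
    """Only the TXT strings that are SPF records (the version tag is case-insensitive)."""
    return [t for t in ZONE.get(name, []) if t.lower().startswith("v=spf1")]

def count_lookups(name, path=frozenset()):
    """Count query-triggering terms, recursing into include: targets."""
    recs = spf_records(name)
    if name in path or len(recs) != 1:   # loop, missing or duplicate: nothing to follow
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        # strip the +/-/~/? qualifier and any ":target" or "/cidr" suffix
        mech = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        total += mech in LOOKUP_MECHS
        if mech == "include":
            total += count_lookups(term.split(":", 1)[1], path | {name})
    return total

def check_domain(name):
    """Apply the checks from the page; an empty list means the record passes."""
    recs = spf_records(name)
    if not recs:
        return ["no SPF record published"]
    if len(recs) > 1:
        return [f"PermError: {len(recs)} records start with v=spf1 (one-record rule)"]
    findings = []
    last = recs[0].split()[-1].lower()
    if last == "~all":
        findings.append("softfail ~all: switch to -all once senders are confirmed")
    elif last != "-all":
        findings.append(f"record does not end with -all or ~all (got {last!r})")
    if (n := count_lookups(name)) > 10:
        findings.append(f"PermError: {n} DNS lookups exceed the limit of 10")
    return findings
```

To run it against a real domain, replace the ZONE lookup in spf_records with the TXT strings returned by dig txt yourdomain.com +short.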

2. Microsoft Consumer Inboxes (550 5.7.515)

Microsoft is aggressive with new domains and cold IPs. If you see 550 5.7.515, your SPF record is probably valid — the issue is IP reputation or missing DKIM. SPF alone doesn't get you into Hotmail and Outlook.com inboxes. You need the full authentication stack. See the security baseline for business email for DKIM and DMARC setup.

3. SoftFail (~all) vs. HardFail (-all)

Qualifier: what it tells receivers, and when to use it

  • ~all (SoftFail): "Accept it, but flag it as suspicious." Use during the first 2–4 weeks of a new setup while you're still auditing senders.
  • -all (HardFail): "Reject it." Use in production. Always the goal once your senders are confirmed.

Spammers actively target domains with ~all or ?all. Once your spf record setup is validated and all senders are accounted for, switch to -all.

SPF Record Setup With TrekMail

Managing DNS records and debugging SMTP errors is a distraction from actual work. TrekMail's SPF/DKIM/DMARC wizard walks you through the correct configuration for your plan — whether you're on Managed SMTP or BYO.

For agencies managing email across dozens of client domains, a consistent spf record setup matters. With TrekMail's multi-domain dashboard, you see authentication status across all domains at once instead of logging into individual DNS providers. For the multi-domain workflow, see multi-domain email hosting and how to create email with a custom domain.

Plans start at $3.50/mo (Starter, includes Managed SMTP). The Nano plan is always free — no credit card, no trial expiry, BYO SMTP. Paid plans include a 14-day free trial (credit card required). Try TrekMail free.

The Complete SPF Record Setup Checklist

Before you close this tab, run through these seven steps. A correct spf record setup takes under 15 minutes. The debugging that follows a broken one can take days.

  1. Listed every service sending from your domain
  2. Confirmed you have zero or one existing SPF record (not two)
  3. Built a single merged v=spf1 string covering all providers
  4. Published it as a TXT record at @ with TTL 3600
  5. Deleted any old SPF record before publishing
  6. Verified with dig txt yourdomain.com +short
  7. Confirmed exactly one result starting with v=spf1, ending with -all

Stop fighting DNS. Start sending with TrekMail.
