SPF (Sender Policy Framework) is an essential email authentication method that prevents your messages from being marked as spam. In this article, we explain what SPF is, why it is important, and how to set it up correctly.

What is SPF?

SPF is a DNS record that indicates which mail servers are allowed to send email on behalf of your domain. When a receiving mail server gets an email, it checks the SPF record to verify that the sending server is authorized.

Why is SPF important?

  • Prevents spam marking of your legitimate emails
  • Protects against spoofing - others cannot easily impersonate you
  • Improves deliverability - your emails arrive better
  • Required by major providers - Gmail, Outlook, and others check SPF

Check your current SPF record

Via MXToolbox

  1. Go to mxtoolbox.com/spf.aspx
  2. Enter your domain (e.g., yourdomain.nl)
  3. Click on "SPF Record Lookup"
  4. You will see your current SPF record and any issues

Via terminal

dig TXT yourdomain.nl +short | grep spf
nslookup -type=txt yourdomain.nl

Create or modify SPF record

Step 1: Identify your mail servers

Determine which servers send email on behalf of your domain:

  • Your hosting mail server (Theory7)
  • External services (Mailchimp, SendGrid, Google Workspace, etc.)
  • Own applications that send email

Step 2: Build your SPF record

An SPF record always starts with `v=spf1` and ends with an action (`-all`, `~all`, etc.).

Basic SPF for Theory7 hosting:
v=spf1 include:_spf.theory7.net ~all

With additional services:
v=spf1 include:_spf.theory7.net include:_spf.google.com include:servers.mcsv.net ~all

SPF mechanisms explained

| Mechanism | Meaning |
|---|---|
| `include:domain` | Add the SPF of that domain |
| `a` | The A-record IPs of your domain may send mail |
| `mx` | The MX-record servers may send mail |
| `ip4:123.45.67.89` | This specific IPv4 address may send mail |
| `ip6:2001:db8::1` | This specific IPv6 address may send mail |

SPF qualifiers (actions)

| Qualifier | Meaning | Recommended |
|---|---|---|
| `-all` | Hard fail - reject everything that does not match | For experienced users |
| `~all` | Soft fail - mark as suspicious | Recommended start |
| `?all` | Neutral - no action | Not recommended |
| `+all` | Allow everything | Never use! |

Step 3: Add SPF record in DirectAdmin

  1. Log in to DirectAdmin
  2. Go to DNS Management or DNS Beheer
  3. Look for existing TXT records with "spf"
  4. If there is already an SPF record: Edit this record
  5. If there is no SPF record: Add a new TXT record

Fill in the fields:

  • Name/Host: Leave empty or fill in `@` (for the main domain)
  • Type: TXT
  • Value: Your SPF record (e.g., v=spf1 include:_spf.theory7.net ~all)
  • TTL: 3600 (1 hour) or default

  6. Save and wait 1-24 hours for DNS propagation

Troubleshooting common SPF errors

"SPF record not found"

Cause: No SPF record is configured.

Solution: Add an SPF record as described above.

"Too many DNS lookups"

Cause: SPF allows a maximum of 10 DNS lookups. Each include: counts as a lookup.

Solution:

  • Combine where possible
  • Replace include: with direct IPs where possible
  • Use an SPF flattening service

Example problem:
v=spf1 include:a.com include:b.com include:c.com include:d.com ... (more than 10)

"Multiple SPF records"

Cause: You have more than one SPF record. This is not allowed.

Solution: Combine all SPF rules into one record.

Error:
v=spf1 include:_spf.google.com ~all
v=spf1 include:_spf.theory7.net ~all

Correct:
v=spf1 include:_spf.google.com include:_spf.theory7.net ~all

"SPF PermError"

Cause: Syntax error in your SPF record.

Solution: Check for typos, missing spaces, or incorrect order.
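
The four errors above can be checked before a record is published. The following is an added example, not part of the original article or any Theory7 tooling: a small linter whose function names and `ZONE` data are constructed for illustration, with `ZONE` standing in for live DNS TXT answers. It goes one step beyond the text by also counting `a`, `mx`, `ptr`, `exists` and `redirect=` terms, and terms inside included records, because those count toward the 10-lookup limit as well.

```python
import re

TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=/])(.*))?$", re.I)  # qualifier, name, sep, value
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one DNS query

def spf_records(txt_values):  # keep only the TXT values that are SPF records
    return [t for t in txt_values if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms, following include:/redirect= into `zone`."""
    recs = spf_records(zone.get(domain, []))
    if len(recs) != 1 or domain in seen:  # unresolvable or looping: stop here
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        m = TERM.match(term)
        name = m.group(2).lower() if m else ""
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and m.group(4):
                total += count_lookups(m.group(4), zone, seen + (domain,))
    return total

def lint(domain, zone):
    """Return the troubleshooting findings for `domain` (empty list = clean)."""
    recs = spf_records(zone.get(domain, []))
    if len(recs) != 1:
        return ["SPF record not found" if not recs else "Multiple SPF records"]
    findings, terms = [], recs[0].split()[1:]
    for term in terms:
        m = TERM.match(term)
        if not m or (m.group(3) != "=" and m.group(2).lower() not in MECHANISMS):
            findings.append(f"SPF PermError: unknown term {term!r}")
    if any(t.lower() in ("+all", "all") for t in terms):  # bare "all" means "+all"
        findings.append("+all allows everything")
    if (n := count_lookups(domain, zone)) > 10:
        findings.append(f"Too many DNS lookups ({n})")
    return findings

# Constructed sample data standing in for DNS TXT answers (reserved example names).
ZONE = {
    "ok.example": ["v=spf1 include:_spf.mail.example ip4:192.0.2.10 ~all", "site-verification=abc"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "dup.example": ["v=spf1 include:_spf.mail.example ~all", "v=spf1 mx ~all"],
    "typo.example": ["v=spf1 inlcude:_spf.mail.example ~all"],
    "deep.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(6)) + " ~all"],
    **{f"s{i}.example": ["v=spf1 a mx -all"] for i in range(6)},
}
```

Calling `lint("deep.example", ZONE)` shows why a record with only six `include:` terms can still fail: each included record adds its own `a` and `mx` lookups.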

SPF includes for common services

Google Workspace / Gmail

include:_spf.google.com

Microsoft 365

include:spf.protection.outlook.com

Mailchimp

include:servers.mcsv.net

SendGrid

include:sendgrid.net

Mailgun

include:mailgun.org

Complete example

If you use Theory7 hosting + Google Workspace + Mailchimp:
v=spf1 include:_spf.theory7.net include:_spf.google.com include:servers.mcsv.net ~all

Test SPF

After setting up

  1. Wait for DNS propagation (1-24 hours)
  2. Test with MXToolbox: mxtoolbox.com/spf.aspx
  3. Send a test email to a Gmail address
  4. Check the headers - look for "spf=pass"

Check headers in Gmail

  1. Open the received test email in Gmail
  2. Click on the three dots on the right > "Show original"
  3. Look for the line with "SPF"
  4. You want to see: spf=pass

SPF and DKIM/DMARC

SPF works best in combination with:

  • DKIM - Digital signature for your emails
  • DMARC - Policy that combines SPF and DKIM

Together they form the gold standard for email authentication.
