Build an SPF TXT record for your domain. Add authorized senders and copy the record into your DNS.

IP Addresses (ip4 / ip6)

IPv4 or IPv6 addresses authorized to send email for your domain.

Include Domains

Third-party senders (e.g. _spf.google.com, spf.protection.outlook.com).

Mechanisms

Additional mechanisms to authorize senders.

mx — Authorize domain's MX servers a — Authorize domain's A record

All Qualifier

What to do with senders not listed above.

SPF Mechanism Reference

v=spf1: Required. Identifies the record as SPF version 1.
ip4: / ip6:: Authorize specific IPv4 or IPv6 addresses or CIDR ranges to send email.
include:: Delegate authorization to another domain's SPF record. Each include counts as one DNS lookup (max 10 total).
mx: Authorize the IP addresses of your domain's MX (mail exchange) servers. Counts as one lookup.
a: Authorize the IP address(es) in your domain's A record. Counts as one lookup.
-all: Hard fail. Reject any sender not listed. Recommended for most domains.
~all: Soft fail. Accept but mark as suspicious. Use during initial rollout.
?all: Neutral. No opinion on unlisted senders. Provides no real protection.

Important Limits

10 DNS Lookups: SPF allows a maximum of 10 DNS-querying mechanisms (include, mx, a, exists, redirect). Exceeding this causes a permanent error (permerror) and SPF will fail.
255 Characters: A single DNS TXT record string is limited to 255 characters. Longer records must be split into multiple strings, but many providers handle this automatically. Keeping your record concise avoids issues.