Every time you add a new tool that sends email from your domain — a marketing platform, CRM, billing system, or support tool — your SPF record needs to be updated. If it isn't, that tool's emails may fail authentication and land in spam.
This guide covers exactly how to update your SPF record for the most common platforms, what the 10-lookup limit is and why it matters, and what to do if you're already over it.
Why SPF Needs to Be Updated When You Add a Sending Tool
SPF (Sender Policy Framework) is a DNS record that lists every server authorised to send email from your domain. When an email arrives claiming to be from your domain, receiving mail servers check your SPF record: is this sender on the authorised list?
If the tool sending the email isn't in your SPF record, the email fails SPF authentication. Depending on your DMARC policy, that failure may result in the email being quarantined or rejected.
This is a common cause of legitimate email going to spam — the tool is set up correctly, but SPF was never updated to include it.
How SPF Records Are Structured
An SPF record is a DNS TXT record at your root domain. It looks like this:
v=spf1 include:_spf.google.com include:servers.mcsv.net -all
Breaking it down:
v=spf1— identifies this as an SPF record (required, always first)include:statements — each one authorises a sending service by referencing their own SPF record-all— everything not listed fails SPF (hard fail, recommended)~all— everything not listed soft-fails (less strict, common during testing)
To add a new sending tool, you add its include: statement to your existing SPF record.
Include Strings for Common Platforms
| Platform | SPF Include String |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Mailchimp | include:servers.mcsv.net |
| HubSpot | include:_spf.hubspot.com |
| Salesforce | include:_spf.salesforce.com |
| SendGrid | include:sendgrid.net |
| Klaviyo | include:_spf.klaviyo.com |
| Postmark | include:spf.mtasv.net |
| Zendesk | include:mail.zendesk.com |
| Intercom | include:_spf.intercom.io |
Important: These include strings are correct as of early 2026, but providers occasionally update their SPF infrastructure. Always verify the current include string in the sending platform's official documentation or help centre before adding it.
Example: A Complete SPF Record with Multiple Senders
A business using Google Workspace, Mailchimp, and HubSpot would have:
v=spf1 include:_spf.google.com include:servers.mcsv.net include:_spf.hubspot.com -all
A business using Microsoft 365, Salesforce, and SendGrid:
v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com include:sendgrid.net -all
Only one SPF TXT record is allowed per domain. If you have multiple, both become invalid. If a record already exists, edit it — don't create a second one.
The SPF 10-Lookup Limit: Why It Matters
SPF has a hard limit: a maximum of 10 DNS lookups per SPF evaluation. Each include: statement typically triggers 1–3 lookups (the include itself resolves to more records, which may chain to others).
When an SPF record exceeds 10 lookups, the entire record becomes invalid — SPF returns a PermError, and receiving servers treat your email as if it failed SPF authentication.
This is a real problem for businesses that use several email tools. Seven or eight include: statements can push you over the limit without realising it.
How to Check Your Current Lookup Count
A free SPF checker at EmailAudit.io shows your current SPF record, counts the DNS lookups, flags any syntax errors, and tells you if you're over the limit. No account required.
What to Do If You're Over the 10-Lookup Limit
Option 1: Remove Senders You No Longer Use
The simplest fix. If you stopped using a platform 18 months ago but its include: is still in your SPF record, remove it. Audit every include statement against your actual active sending tools.
Option 2: SPF Flattening
Flattening replaces include: statements with the raw IP address ranges they resolve to. Instead of:
include:servers.mcsv.net
You'd use the actual IP ranges Mailchimp publishes, for example:
ip4:198.2.128.0/18 ip4:205.201.128.0/20
The downside: IP ranges change when providers update their infrastructure. A flattened record requires ongoing maintenance — if a provider changes their IPs and you don't update your record, your emails start failing.
Option 3: SPF Macro Services
Some SPF management tools use macros to reduce lookups automatically. These are more complex to set up but eliminate the ongoing maintenance burden of flattening. Suitable for businesses with many sending tools.
How to Update Your SPF Record
- Log in to your DNS provider (Cloudflare, GoDaddy, Namecheap, or wherever your domain's DNS lives)
- Find the existing TXT record at your root domain that starts with
v=spf1 - Edit it — add the new
include:statement before the-allor~allending - Save and wait for DNS propagation (up to 48 hours, usually faster)
- Verify using a free SPF checker — confirm the new sender appears in the record and the lookup count is still under 10
After Updating SPF: Verify Authentication End-to-End
Updating your SPF record is step one. Confirm the tool is actually passing authentication by:
- Sending a test email from the platform to a Gmail address
- Viewing the original message headers in Gmail (three-dot menu → Show original)
- Looking for
spf=passin the Authentication-Results header
If it shows spf=fail, double-check that the include string is correct and that DNS propagation has completed.
For a full view of how SPF fits into your overall authentication setup, see SPF, DKIM, and DMARC explained. For platform-specific setup steps, see the Microsoft 365 authentication guide or the Google Workspace DMARC setup guide.
If emails are still going to spam after fixing SPF, see the email spam diagnosis guide for a systematic troubleshooting approach.
Run a free SPF Check — see your current record, lookup count, and any errors at EmailAudit.io
No account required. Results in seconds.