What is SPF? Complete Setup Guide for Email Authentication

If you've ever had a customer receive a phishing email pretending to be from your business, or noticed your legitimate emails landing in spam, there's a good chance your domain is missing proper email authentication. SPF — Sender Policy Framework — is the first and most fundamental layer of defence.

In this guide, we'll break down exactly what SPF is, why it matters for New Zealand businesses, and walk you through setting up a correct SPF record step by step.

What is SPF?

SPF (Sender Policy Framework) is an email authentication protocol that lets you specify which mail servers are authorised to send email on behalf of your domain. It works by publishing a special TXT record in your domain's DNS that lists approved sending sources.

When a receiving mail server (like Gmail, Outlook, or Xtra) gets an email whose envelope sender (the Return-Path address) is at yourbusiness.co.nz, it looks up your SPF record. If the IP address of the connecting server isn't on the approved list, the email can be rejected, quarantined, or marked as spam, depending on the receiver's policy.

Why SPF matters

  • Prevents domain spoofing — stops scammers impersonating your brand.
  • Improves deliverability — major providers like Gmail and Yahoo now require authentication for bulk senders.
  • Foundation for DMARC — you can't implement DMARC effectively without SPF (or DKIM) first.
  • Protects your reputation — a spoofed domain damages customer trust and can land your real mail in spam.

How SPF Works

The process is straightforward:

  1. You publish a TXT record at your domain listing authorised senders.
  2. Someone sends an email from (or claiming to be from) your domain.
  3. The receiving server looks up your SPF record via DNS.
  4. It compares the sending IP address against your approved list.
  5. The check returns a result: pass, fail, softfail, neutral, none (no record published), or an error (temperror for a DNS failure, permerror for a broken record). What the receiver does with that result is its own policy.

Anatomy of an SPF Record

An SPF record is a single TXT record starting with v=spf1. Here's a basic example for a business using Microsoft 365:

v=spf1 include:spf.protection.outlook.com -all

Mechanisms are evaluated left to right and the first match decides the result, so all goes last and anything after it is ignored. Let's break down the common mechanisms:

  • v=spf1 — the SPF version (always v1); it must be the first token.
  • include: — authorises every sender that passes another domain's SPF record (e.g. your email provider's).
  • a — authorises the IP addresses in the domain's A (and AAAA) records.
  • mx — authorises the hosts in the domain's MX records.
  • ip4: / ip6: — authorises a specific IP address or CIDR range.
  • -all — fail: anything not listed should be rejected.
  • ~all — soft fail: anything not listed is accepted but treated as suspicious (usually sent to spam).
  • +all — pass everything: never use this, it defeats SPF entirely.

Step-by-Step: Setting Up SPF for Your Domain

Step 1: Identify every service that sends email from your domain

Make a complete list. For a typical NZ business this might include:

  • Your main email platform (Microsoft 365, Google Workspace)
  • Marketing tools (Mailchimp, Campaign Monitor, HubSpot)
  • Transactional email (SendGrid, Postmark, Mailgun)
  • CRM or invoicing systems (Xero, Zoho)
  • Helpdesk platforms (Zendesk, Freshdesk)
  • Your website's contact form or server

Missing a service here is the #1 cause of SPF problems.

Step 2: Get the SPF include values for each service

Each provider publishes its own SPF include. Common ones:

  • Microsoft 365: include:spf.protection.outlook.com
  • Google Workspace: include:_spf.google.com
  • Mailchimp: include:servers.mcsv.net
  • SendGrid: include:sendgrid.net
  • Xero: include:_spf.mtasv.net

Step 3: Build your SPF record

Combine everything into a single record. For example, a Kiwi business using Microsoft 365, Mailchimp, and Xero would use:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net include:_spf.mtasv.net -all

Important: You can only have one SPF record per domain. Two or more v=spf1 TXT records at the same name produce a permerror, and every message from the domain then fails authentication.

Step 4: Publish the record in DNS

Log in to your DNS host (common NZ providers include Freeparking, 1st Domains, SiteHost, Cloudflare, or your registrar). Add a new TXT record:

  • Type: TXT
  • Host/Name: @ (or your root domain)
  • Value: your full SPF string
  • TTL: 3600 (1 hour) is fine

Step 5: Choose your enforcement level

Start with ~all (soft fail) while you verify everything works, then move to -all (hard fail) once you're confident every legitimate sender is included. Soft fail still lets spoofed mail through to spam folders, so don't leave it there indefinitely.

Step 6: Test your SPF record

After DNS propagates (usually 15 minutes to a few hours, longer if the old record had a high TTL), verify it using a lookup tool, or send a test email to a Gmail account and open "Show original": the Authentication-Results header should show spf=pass for your domain.

Common SPF Mistakes to Avoid

Exceeding the 10 DNS lookup limit

SPF allows a maximum of 10 DNS lookups per evaluation. Each include, a, mx, ptr, exists and redirect counts, including those inside the records you include; ip4, ip6 and all cost nothing. Go over and receivers return permerror, which most treat as a failure. Consolidate providers or use SPF flattening (replacing includes with their current IP ranges) if you hit the limit, but note that a flattened record goes stale when a provider changes its IPs, so it needs monitoring.

Having multiple SPF records

If you add a second v=spf1 record, receivers return permerror and nothing passes. Merge everything into one record.

Using +all

This tells receivers to accept mail from any server claiming to be your domain — a gift to spammers.
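To make the evaluation described in "How SPF Works", the mechanisms above and the three mistakes just listed concrete, here is an added example (not code from this guide or from MailCheck) of an offline SPF evaluator in Python. It replaces DNS with a hand-built dictionary of invented domains, include targets and IP ranges, so every name and address in it is an assumption for illustration only; it models ip4, ip6, include and all, tracks the 10-lookup budget shared across nested includes, and lints for +all, duplicate records and the lookup limit.

```python
"""Offline SPF evaluator and linter: an added example for this guide, not any
vendor's code.  Mimics a receiver's check_host() for ip4, ip6, include and all,
enforces the 10-DNS-lookup budget and lints for the listed mistakes (RFC 7208)."""
import ipaddress
import re

# Constructed TXT data standing in for DNS.  All names and contents are invented
# for this example; they are not any real provider's records.
FAKE_DNS = {
    "example.co.nz": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example include:servers.news-tool.example -all",
        "site-verification=abc123",                # unrelated TXT record, must be ignored
    ],
    "_spf.mail-provider.example": [
        "v=spf1 include:_netblocks.mail-provider.example include:_netblocks2.mail-provider.example ~all"],
    "_netblocks.mail-provider.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_netblocks2.mail-provider.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    "servers.news-tool.example": ["v=spf1 ip4:192.0.2.0/24 ?all"],
    "two-records.example": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],   # the two-record mistake
    "open.example": ["v=spf1 +all"],                                        # the +all mistake
    "bloated.example": ["v=spf1 " + "include:_netblocks.mail-provider.example " * 11 + "-all"],
}
MAX_LOOKUPS = 10                                                  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # ip4, ip6 and all are free
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}  # qualifier -> result


def get_spf(domain, dns=FAKE_DNS):
    """The domain's single v=spf1 TXT record; LookupError if none, ValueError if two or more."""
    spf = [t for t in dns.get(domain, []) if t.lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        raise LookupError("none: no SPF record published")
    if len(spf) > 1:
        raise ValueError("permerror: multiple SPF records")
    return spf[0]


def parse(record):
    """Split a record into (qualifier, mechanism, value) tuples; the default qualifier is '+'."""
    terms = []
    for tok in record.split()[1:]:                   # drop the v=spf1 version token
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"permerror: unparseable term {tok!r}")
        qual, name, value = m.groups()
        terms.append((qual or "+", name.lower(), value))
    return terms


def check_host(ip, domain, dns=FAKE_DNS, budget=None):
    """Simplified check_host(): the SPF result for sender `ip` claiming `domain`."""
    budget = budget if budget is not None else [0]   # lookup counter shared with nested includes
    try:
        terms = parse(get_spf(domain, dns))
    except LookupError:
        return "none"
    except ValueError:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qual, name, value in terms:
        if name in LOOKUP_TERMS:
            budget[0] += 1
            if budget[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):                 # an address-family mismatch simply does not match
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            sub = check_host(ip, value, dns, budget)
            if sub in ("none", "permerror"):         # including a missing or broken record is fatal
                return "permerror"
            matched = sub == "pass"                  # only 'pass' inside an include is a match
        else:
            matched = False      # a/mx/ptr/exists need A/MX data this offline model does not hold
        if matched:
            return RESULT[qual]
    return "neutral"             # ran off the end without an 'all' term


def count_lookups(domain, dns=FAKE_DNS):
    """Lookup terms a receiver may spend on `domain`, following every include (redirect not modelled)."""
    total = 0
    for _, name, value in parse(get_spf(domain, dns)):
        total += int(name in LOOKUP_TERMS)
        if name == "include":
            total += count_lookups(value, dns)
    return total


def lint(domain, dns=FAKE_DNS):
    """Findings for the mistakes listed in this guide; an empty list means clean."""
    try:
        terms = parse(get_spf(domain, dns))
    except (LookupError, ValueError) as err:
        return [str(err)]
    findings = []
    if any(q == "+" and n == "all" for q, n, _ in terms):
        findings.append("'+all' authorises every host on the internet")
    if (n := count_lookups(domain, dns)) > MAX_LOOKUPS:
        findings.append(f"{n} DNS lookups exceeds the limit of {MAX_LOOKUPS} (permerror)")
    return findings
```

Two things the code shows that the prose cannot: the lookup budget is shared across every nested include, so a record that looks short can still blow the limit through its providers' own includes (count_lookups walks the whole tree); and because evaluation stops at the first match, the bloated record passes for an IP listed in its first include but returns permerror for an unlisted one, which is why over-limit records cause intermittent failures rather than an outright outage.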

Forgetting subdomains

If you send from news.yourbusiness.co.nz, that subdomain needs its own SPF record: receivers look up the exact domain in the envelope sender, and the parent domain's record does not apply to it. A wildcard TXT record only covers names that have no other DNS records at all, so publish an explicit record for every sending subdomain, and v=spf1 -all for subdomains that never send mail.

SPF Alone Isn't Enough

SPF is powerful but has limitations. It breaks when email is forwarded, because the forwarding server's IP isn't in your record, and it only checks the envelope sender (Return-Path), not the visible "From" address recipients see, so a spoofer can pass SPF for their own domain while showing yours in the From header. That's why you should pair SPF with DKIM (cryptographic signing that survives forwarding) and DMARC (which requires the SPF or DKIM domain to align with the From domain, and adds policy enforcement and reporting) for full protection.

Check Your SPF Record with xteam MailCheck

Not sure if your SPF record is set up correctly? Our free MailCheck tool instantly analyses your domain's SPF, DKIM, DMARC, and BIMI records and highlights any issues — including too many DNS lookups, syntax errors, and missing senders.

Run a free scan on your domain today and make sure your email is properly authenticated, secure, and landing in inboxes where it belongs.