What Is an SPF Record?

An SPF (Sender Policy Framework) record is a DNS TXT record that lists the IP addresses or servers authorized to send email on behalf of your domain. When an email is received, the receiving mail server checks the domain’s SPF record to verify whether the sending server is allowed to send mail for that domain.

SPF helps reduce spoofing and improves email deliverability by confirming that messages come from trusted sources.

Only one SPF record can exist per domain. If multiple SPF TXT records are published, receiving servers will return an SPF PermError, causing mail to fail authentication. Syntax errors can also trigger a PermError and result in widespread delivery failures.

For full technical specifications, see RFC 7208.

Why SPF Matters

Most major mailbox providers (Microsoft, Google, Yahoo, and others) check SPF validation when processing incoming email. Without a valid SPF record, messages may be rejected or land in spam.

SPF is technically optional when sending through Keap, but a properly configured SPF record can enhance deliverability, especially when used with DKIM, which remains Keap’s primary authentication method.
Always set up DKIM first before configuring SPF.

Tip: If you're unsure about DNS updates, contact your domain host the company where you registered your domain or host your website.

How SPF Evaluation Works

When a receiving server checks your SPF record, it evaluates the record’s mechanisms and returns one of the following outcomes:

• None - No SPF record found.
• Neutral - No policy applied.
• Pass - Sending IP is authorized.
• Fail - Sending IP is not authorized.
• Soft fail - IP is probably not authorized (typically used for testing).
• Temp error - Temporary DNS or lookup issue.
• Perm error - SPF record is invalid or cannot be interpreted.

If evaluation reaches the end of the record with no match, SPF defaults to Neutral.
For this reason, SPF records should end with ~all or -all to explicitly define a policy.

SPF Qualifiers

Qualifiers modify the result of a mechanism:

• +   Pass

• -    Fail

• ~   Soft Fail

• ?   Neutral

If no qualifier is provided, the default is pass (+).

SPF Mechanisms

SPF mechanisms are evaluated left to right. Each mechanism may result in:

• Match → Return the qualifier’s result and stop.
• No Match → Continue to next mechanism.
• Exception → Immediately return the exception result.

There are two main categories:

Basic Mechanisms

• all
• include

Designated Sender Mechanisms

• a
• mx
• ip4
• ip6

Below are their behaviors:

ip4 - Mechanism

Defines allowed IPv4 addresses or ranges.

Examples:

• ip4:192.168.0.1 - Matches exactly this IP.

• ip4:192.168.0.1/16 - Matches any IP within the 192.168.x.x subnet.

• v=spf1 ip4:192.168.0.1/16 -all

ip6 - Mechanism

Defines allowed IPv6 addresses or ranges.

Example:

• v=spf1 ip6:1080::8:800:200C:417A/96 -all
   

all - Mechanism

Matches any IP. Typically placed at the end to define a default action:

• ~all → Soft fail unknown senders
• -all → Hard fail unknown senders

Example:

• v=spf1 mx -all
   

include - Mechanism

Allows third-party services to send on your behalf by referencing their SPF records.

Example (required for Keap):

• v=spf1 include:infusionmail.com ~all
   

a - Mechanism

Authorizes the IP address a domain resolves to.

Formats:

• a - Use current domain’s A record(s)
• a:domain.com - Use another domain’s A record(s)
• Optional CIDR: /24, /32, etc.

Example:

• v=spf1 a -all

mx - Mechanism

Authorizes the IPs of a domain’s MX records.

Formats:

• mx
• mx:<domain>
• Optional CIDR blocks

Example:
v=spf1 mx mx:deferrals.domain.com -all
 

How to Set Up Your SPF Record

SPF is created as a TXT record in your DNS.

If you do NOT already have an SPF record

Use this:
v=spf1 mx include:infusionmail.com ~all
 

If you DO have an existing SPF record

Add Keap’s include statement:
v=spf1 a mx ptr include:yourprovider.com include:infusionmail.com ~all

Replace yourprovider.com and any IP addresses with what already exists in your DNS.

Important

• Only one SPF record may exist per domain.
• Combine mechanisms into one TXT record.
• Recommended TTL: 1 hour, or leave default.

If you are unsure, contact your hosting provider they are the experts on their own DNS defaults.

Example SPF Records by Hosting Provider

(Always verify with your host before applying changes.)

GoDaddy

v=spf1 a mx ptr include:secureserver.net include:infusionmail.com ~all

Bluehost

v=spf1 a mx ptr include:bluehost.com include:infusionmail.com ~all

HostGator

v=spf1 a mx include:websitewelcome.com include:infusionmail.com ~all

1&1 / IONOS

v=spf1 include:1und1.com include:infusionmail.com ~all

DreamHost

v=spf1 ip4:208.97.132.0/24 ip4:66.33.201.0/24 ip4:64.111.100.0/24 \
ip4:66.33.216.0/24 ip4:208.113.175.0/24 mx include:infusionmail.com ~all

LiquidWeb

v=spf1 a mx ip4:XXX.XXX.XXX.XXX include:infusionmail.com ~all

MediaTemple

v=spf1 a mx ip4:XXX.XXX.XXX.XXX include:infusionmail.com -all

SiteGround

v=spf1 a mx ip4:37.60.224.72 include:infusionmail.com ~all

Hosts where calling support is required:

• Hostwinds
• InMotion Hosting

Helpful Tools for DNS & Deliverability

• HetrixTools – Domain blocklist check
• MXToolbox – DNS and email health scanner
• Dmarcian – SPF record analyzer

Need Help?

Keap support can explain what should be added to your SPF record, but DNS access and updates must be made by you or your domain host. If you need assistance, contact your hosting provider’s support team they will have the most accurate information for your setup.