An SPF record tells receiving mail servers which servers are authorized to send email on behalf of your domain. Setting up a correct SPF record for your domain helps protect your emails from being rejected or filtered as spam by major mailbox providers. This article covers what an SPF record is, how SPF evaluation works, the mechanisms and qualifiers used in SPF syntax, and step-by-step instructions for adding or updating your SPF record to include Keap™ as an authorized sender.
Why SPF Matters for Your Email Deliverability
When you send email through your CRM, the message travels from your CRM's mail servers to your client's mailbox provider — Google, Microsoft, Yahoo, or others. Every major mailbox provider checks whether the server that sent the email is authorized to send on behalf of your domain. Without a correctly configured SPF record, that check can fail, and your emails may be rejected outright or routed to the spam folder before your client ever sees them.
SPF also protects your domain from being used by unauthorized senders — a practice known as spoofing — by explicitly listing which servers are allowed to send email using your domain name. For small businesses, this means your marketing campaigns, appointment confirmations, invoices, and follow-up emails have the best possible chance of reaching the inbox rather than being filtered before they are seen. DKIM remains the primary authentication requirement for sending through your CRM, but a correctly configured SPF record adds an additional layer of protection that strengthens your overall sender reputation.
What Is an SPF Record?
An SPF (Sender Policy Framework) record is a DNS TXT record that lists the IP addresses and servers authorized to send email on behalf of your domain. When a receiving mail server processes an incoming email, it checks the sender's domain DNS records for an SPF record and verifies whether the sending server's IP address appears on the authorized list. If the sending server is authorized, the SPF check passes. If it is not authorized, the check fails and the message may be rejected or marked as spam. For full technical specifications, see RFC 7208 — Sender Policy Framework (SPF) for Authorizing Use of Domains in Email.
How SPF Evaluation Works
When a receiving server checks your SPF record, it evaluates the record's mechanisms from left to right and returns one of the following outcomes:
None — No SPF record was found for the domain.
Neutral — No policy was applied. The domain owner has not made an assertion about the sending IP.
Pass — The sending IP is authorized by the SPF record.
Fail — The sending IP is explicitly not authorized by the SPF record.
Soft Fail — The sending IP is probably not authorized. Soft Fail is typically used during testing and does not cause immediate rejection.
Temp Error — A temporary DNS or lookup issue occurred. The receiving server may retry later.
Perm Error — The SPF record is invalid or cannot be interpreted. This is typically caused by having more than one SPF record published for the domain, exceeding the 10 DNS lookup limit, or a syntax error in the record.
If evaluation reaches the end of the SPF record with no mechanism match, the result defaults to Neutral. To avoid unintended Neutral results, SPF records should always end with ~all (Soft Fail for unknown senders) or -all (Hard Fail for unknown senders) to explicitly define the policy for IPs not listed in the record.
include:, a, and mx mechanism in your SPF record triggers a DNS lookup. If your SPF record causes more than 10 DNS lookups during evaluation, receiving servers will return a Perm Error and your SPF check will fail. If you use multiple email services, keep the number of include: statements in your SPF record as low as possible and verify your lookup count using an SPF analyzer tool such as Dmarcian's SPF record analyzer.SPF Qualifiers
SPF qualifiers are single-character prefixes that modify the result returned when a mechanism matches. If no qualifier is specified, the default result is Pass. The four qualifiers are:
+— Pass. The sending IP is authorized. This is the default if no qualifier is specified.-— Fail. The sending IP is not authorized. Mail should be rejected.~— Soft Fail. The sending IP is probably not authorized. Mail should be accepted but flagged.?— Neutral. No assertion is made about the sending IP.
SPF Mechanisms
SPF mechanisms define which IP addresses or servers are authorized to send email for your domain. Mechanisms are evaluated left to right. When a mechanism matches the sending IP, the evaluation stops and returns the qualifier's result. When a mechanism does not match, evaluation continues to the next mechanism. The following mechanisms are the most commonly used in SPF records.
ip4 mechanism
The ip4 mechanism defines specific IPv4 addresses or address ranges that are authorized to send email for your domain. Use ip4 when you know the specific IP address of a server that sends mail on your behalf.
ip4:192.168.0.1— Matches exactly this single IP address.ip4:192.168.0.1/16— Matches any IP address within the 192.168.x.x subnet.Example full record:
v=spf1 ip4:192.168.0.1/16 -all
ip6 mechanism
The ip6 mechanism defines specific IPv6 addresses or address ranges that are authorized to send email for your domain.
Example:
v=spf1 ip6:1080::8:800:200C:417A/96 -all
all mechanism
The all mechanism matches any IP address and is always placed at the end of an SPF record to define the default policy for sending IPs that do not match any earlier mechanism in the record.
~all— Soft Fail. Unknown senders are flagged but not rejected. Recommended for most configurations.-all— Hard Fail. Unknown senders are rejected. Use only when you are confident all authorized senders are listed in your record.Example:
v=spf1 mx -all
include mechanism
The include mechanism allows a third-party service to send email on your behalf by referencing that service's own SPF record. When a receiving server evaluates your SPF record and encounters an include statement, it performs an additional DNS lookup to check the referenced domain's SPF record. Adding Keap's™ include statement to your SPF record is required for Keap's™ mail servers to be authorized to send on behalf of your domain.
Required include statement for Keap™:
include:infusionmail.comExample full record:
v=spf1 include:infusionmail.com ~all
a mechanism
The a mechanism authorizes the IP address that a domain's A record resolves to. Use the a mechanism when a server identified by a domain name — rather than a specific IP address — should be authorized to send email for your domain.
a— Authorizes the IP that the current domain's A record resolves to.a:domain.com— Authorizes the IP that the specified domain's A record resolves to.An optional CIDR block such as
/24or/32can be appended to match a range of IPs.Example:
v=spf1 a -all
mx mechanism
The mx mechanism authorizes the IP addresses of a domain's MX (mail exchange) records. Use the mx mechanism when the server that receives your domain's inbound mail is also used to send outbound mail.
mx— Authorizes the IPs of the current domain's MX records.mx:domain.com— Authorizes the IPs of the specified domain's MX records.Optional CIDR blocks can be appended to match a range of IPs.
Example:
v=spf1 mx mx:deferrals.domain.com -all
How to Set Up Your SPF Record for Keap™
SPF is configured as a TXT record in your domain's DNS settings. You make this change through the control panel of the company where your domain is registered or hosted — not through your CRM. If you are unsure how to access your DNS settings, contact your domain host's support team for assistance.
If you do not already have an SPF record
Log in to your domain host's control panel and create a new TXT record for your domain with the following value:
v=spf1 mx include:infusionmail.com ~all
Set the record TTL to 1 hour, or leave the TTL at your host's default setting. Save the record.
If you already have an existing SPF record
Do not create a second SPF record. Adding a second SPF TXT record to your domain will cause a PermError and break email authentication entirely. Instead, edit your existing SPF record and add Keap's™ include statement — include:infusionmail.com — before the final all mechanism. The updated record should follow this format:
v=spf1 a mx include:yourprovider.com include:infusionmail.com ~all
Replace include:yourprovider.com and any existing IP addresses or mechanisms with the values already present in your current SPF record. Only add include:infusionmail.com — do not remove or replace any existing authorized senders.
Example SPF Records by Hosting Provider
The examples below show complete SPF records that include Keap's™ include:infusionmail.com statement alongside each hosting provider's own SPF values. Always verify the current SPF values recommended by your host before applying any changes, as hosting providers may update their SPF requirements over time. Click each provider name to contact their support team.
GoDaddyv=spf1 a mx ptr include:secureserver.net include:infusionmail.com ~all
Bluehostv=spf1 a mx ptr include:bluehost.com include:infusionmail.com ~all
HostGatorv=spf1 a mx include:websitewelcome.com include:infusionmail.com ~all
1&1 / IONOSv=spf1 include:1und1.com include:infusionmail.com ~all
DreamHostv=spf1 ip4:208.97.132.0/24 ip4:66.33.201.0/24 ip4:64.111.100.0/24 ip4:66.33.216.0/24 ip4:208.113.175.0/24 mx include:infusionmail.com ~all
LiquidWebv=spf1 a mx ip4:YOUR.SERVER.IP.ADDRESS include:infusionmail.com ~all
Replace YOUR.SERVER.IP.ADDRESS with the dedicated IP address of your LiquidWeb server. Contact LiquidWeb support if you are unsure of your server's IP address.
Media Templev=spf1 a mx ip4:YOUR.SERVER.IP.ADDRESS include:infusionmail.com -all
Replace YOUR.SERVER.IP.ADDRESS with the dedicated IP address of your Media Temple server. Contact Media Temple support if you are unsure of your server's IP address.
SiteGroundv=spf1 a mx ip4:37.60.224.72 include:infusionmail.com ~all
Hosts where DNS changes must be made by contacting the provider's support team directly:
Hostwinds — Contact Hostwinds support to request a DNS TXT record update
InMotion Hosting — Contact InMotion Hosting support to request a DNS TXT record update
Helpful Tools for DNS and Deliverability
Use the following free tools to verify your SPF record, check your domain's DNS health, and confirm your domain is not listed on any blocklists:
Frequently Asked Questions
What does this article cover?
This article covers what an SPF record is, how SPF evaluation works, the qualifiers and mechanisms used in SPF syntax, step-by-step instructions for adding or updating your SPF record to include Keap™ as an authorized sender, and example records for common hosting providers. This article does not cover DKIM setup, DMARC configuration, or general email deliverability troubleshooting. To set up DKIM, see Why Domain Authentication Is Required with Keap™. To learn about DMARC, see How to Set Up a DMARC Record for Your Domain.
Is SPF required to send email through my CRM?
SPF is not a hard requirement for sending through your CRM — DKIM is the primary domain authentication method required. However, configuring a correct SPF record is strongly recommended because it improves deliverability, protects your domain from spoofing, and is evaluated by most major mailbox providers as part of their spam filtering process. Always set up DKIM before configuring SPF.
What is an SPF PermError and what causes it?
An SPF PermError is a permanent error returned when a receiving server cannot interpret your SPF record. The three most common causes of a PermError are: publishing more than one SPF TXT record for the same domain, exceeding the 10 DNS lookup limit by including too many include: or mx mechanisms, and syntax errors in the SPF record itself. A PermError causes all SPF checks to fail and can result in widespread email delivery failures. Use the Dmarcian SPF record analyzer to check your record for errors.
My domain host is not in the examples list. What SPF record should I use?
If your hosting provider is not listed in the examples section, contact your host's support team and ask them for the SPF TXT record values currently recommended for your account. Once you have your host's values, add include:infusionmail.com before the final ~all or -all mechanism in the record. Your host's support team can assist you with adding or editing the TXT record in your DNS settings.
How long does it take for an SPF record change to take effect?
DNS changes — including SPF record additions and updates — can take anywhere from a few minutes to 48 hours to propagate fully across the internet, depending on the TTL setting of your DNS records and the caching behavior of receiving mail servers. A TTL of 1 hour means most servers will pick up the change within an hour. You can use MXToolbox's email health scanner to verify that your updated SPF record is visible and correctly formatted after publishing the change.
Can my CRM make DNS changes on my behalf?
No. DNS records are managed through your domain registrar or hosting provider — not through your CRM. Your CRM's support team can explain what value to add to your SPF record and answer questions about the include:infusionmail.com statement, but the DNS change itself must be made by you or your domain host directly in your DNS control panel.
Comments
0 comments