Email authentication

Make sender proof.

SPF tells the world which servers may send mail as your domain. Build a correct record below, or paste one to read it back in plain English — including the part everyone gets wrong: ~all versus -all.

Who sends mail for this domain?

How strict? (the “all” mechanism)

Third-party senders

Anyone who sends as you belongs in the record.

SPF only vouches for the servers you name. The moment you let another service send mail from your address — a Mailchimp newsletter, a CRM sequence, a help desk, an invoicing or storefront tool — its servers are strangers to your record. Their mail fails SPF, and under a strict -all policy receivers reject it outright.

The fix is never a second record — a domain may publish exactly one. You add that service's own include: to the same line, alongside the senders already there.

Common senders — Google Workspace, Microsoft 365, Amazon SES, SendGrid, Mailchimp, Brevo, Postmark, Zoho — are already presets above. Tick every service that sends as your domain, not just your mailbox.

What the “all” really means

-all

Hardfail. Receivers reject mail from any server you didn't list. The strict, correct end-state once every sender is covered.

~all

Softfail. Unlisted senders are accepted but marked suspicious. A transition setting — not a destination.

?all

Neutral. No opinion, no protection. Spoofers sail through. Avoid.

+all

Authorizes the entire internet to send as you. Effectively turns SPF off. Never use it.

Prefer to be walked through it? The guided SPF builder asks a few plain questions and assembles the record for you. SPF is also one of three checks — pair it with DKIM and a DMARC policy so a passing result actually protects your domain. Folio sets all three up for you automatically.