Sender Policy Framework
Sender Policy Framework (SPF) is an email validation system that detects spoofed or forged emails by checking a specific SPF record published for the domain, which lists the hosts permitted by the domain's administrators.
About SPF Records
An SPF record is a type of DNS record published in the domain's DNS that identifies the email servers permitted to send emails using that domain name. The main purpose of SPF records is to help the recipient email server identify spam emails sent using your domain name by spoofing or forging the From email address.
The purpose of an SPF record is to detect Email Backscatter, thereby preventing spammers from sending messages with forged From addresses on your domain. The SPF protocol is one of the standard validations used to fight spam and enable secure email communication. It is also a part of the DMARC specification.
Configure SPF Records for Zoho Mail
When you send an email using you@yourdomain.com from Zoho Mail, the recipient servers refer to the SPF records to check whether the email sent from Zoho Mail is genuine. Some email servers reject the emails if there is a mismatch or if there are no valid SPF records for your domain. Generally, you publish the SPF record as a TXT record with your DNS provider (Domain Registrar/ DNS Manager).
The valid SPF record that needs to be published is provided below:
v=spf1 include:zohomail.com -all
In case you are using multiple Zoho services, you can use v=spf1 include:one.zoho.com -all to avoid any SPF lookup failure.
Using -all indicates that no email server other than zohomail.com will be used to send emails using the specified domain. You can also publish an SPF record that uses ~all instead of -all. This represents a soft fail, for cases where the domain uses other email servers to send emails using the same domain name.
There should be only a single SPF record for the domain. In this SPF record, zohomail.com is a hostname that includes a huge set of IP addresses that our service uses to send emails. In case you use any other third-party service or internal email servers to send emails, refer here.
Steps to add SPF TXT record in domain managers:
- Log in to the DNS Manager where your domain's name servers are pointed.
- Select the My Account menu and choose Domains.
- Expand Domains and click the Manage DNS button for the domain you want to verify.
- The DNS Manager page will open with information about existing DNS records.
- Scroll down to the Records section and click the Add button to add a DNS record.
- Select TXT from the Type drop-down menu.
- In the Host field, specify @.
- In the TXT Value field, enter v=spf1 include:zohomail.com ~all.
- Click Save.
In case you are using only Zoho Mail to send emails, remove all the other SPF record types from the DNS. Click 'Save Changes' again to save all the changes. Having multiple SPF records will interrupt the SPF check and hence the SPF validation may fail and the emails will end up as Spam in the recipient servers.
SPF Verification
You can check the SPF records for all the domains you have in the Organization from the Domains section under Email Configuration menu for the respective domain.
Steps to verify SPF Status for Domains:
- Log in to your Zoho Mail account as Administrator or Super Administrator.
- In the Admin Console, select the Domains section from the left pane.
- All the domains in the organization will be listed.
- Select the domain for which you'd like to verify the SPF record.
- Go to Email Configuration, select SPF from the dropdown, and click Verify SPF Record.
- Click Verify across each domain to validate the SPF records for the domain.
Adding multiple SPF Entries in a Single Record
Other IP Address and Zoho Mail
If you send emails from multiple services identified by an IPv4 address, an IPv6 address and a host name, the syntax of the SPF record is as explained below.
Example: If you send emails from your webhost, whose IPv4 address is 192.168.20.25, from another automated server with the IPv6 range 1080::8:800:68.0.3.1/96, and from Zoho, the SPF record should be added as below:
v=spf1 ip4:192.168.20.25 ip6:1080::8:800:68.0.3.1/96 include:zohomail.com ~all
Incorrect Records | Correct Records |
---|---|
v=spf1 ip4:192.168.20.25 ~all<br>v=spf1 ip6:1080::8:800:68.0.3.1/96 ~all<br>v=spf1 include:zohomail.com ~all | v=spf1 ip4:192.168.20.25 ip6:1080::8:800:68.0.3.1/96 include:zohomail.com ~all |
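The following added example (not Zoho's code, and not part of the original page) shows how a receiving server treats the records in the table above: split records produce a permanent error, while the single combined record is evaluated term by term. It is a simplified evaluator covering only ip4, ip6, include and all; `ZONE`, `example.com`, `split.example` and the 203.0.113.0/24 range used for zohomail.com are constructed sample data.

```python
import ipaddress

# Constructed DNS data (assumption): TXT records per domain. The range under
# zohomail.com is a documentation prefix, not Zoho's real sending range.
ZONE = {
    "example.com": ["v=spf1 ip4:192.168.20.25 ip6:1080::8:800:68.0.3.1/96 "
                    "include:zohomail.com ~all"],
    "split.example": ["v=spf1 ip4:192.168.20.25 ~all",
                      "v=spf1 include:zohomail.com ~all"],
    "zohomail.com": ["v=spf1 ip4:203.0.113.0/24 -all"],
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, zone=ZONE):
    """Simplified receiver-side SPF check (ip4, ip6, include, all only)."""
    records = [t for t in zone.get(domain, [])
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:      # more than one v=spf1 record: permanent error
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term[1:] if term[0] in RESULT else term
        name, _, value = mech.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only when the included record returns pass
            matched = check_host(ip, value, zone) == "pass"
        else:
            return "permerror"   # mechanism outside this sketch's scope
        if matched:
            return RESULT[qualifier]
    return "neutral"
```

A sender that is not listed gets softfail under ~all and fail under -all, which is the practical difference between the two endings.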
Other Host Names and Zoho Mail
Having multiple records, such as v=spf1 include:abc.com and v=spf1 include:def.com, is invalid as per the RFC specifications. In that case you need to add the SPF record in the format below:
v=spf1 include:abc.com include:def.com include:zohomail.com ~all
Incorrect Records | Correct Records |
---|---|
v=spf1 include:abc.com ~all<br>v=spf1 include:def.com ~all<br>v=spf1 include:zohomail.com ~all | v=spf1 include:abc.com include:def.com include:zohomail.com ~all |
Troubleshooting SPF Record Addition
Conflicting SPF Records
Multiple SPF records are invalid according to the Sender Policy Framework. Every domain should have a single SPF record, including all the servers that the domain uses to send emails.
When you add multiple TXT records of type SPF, it causes an interruption in the email delivery, and your emails may end up being classified as Spam.
What Is a Conflicting SPF Record?
A conflicting SPF record occurs when:
- More than one TXT record begins with v=spf1, or
- The SPF record contains outdated or incorrect information, or
- There is a combination of entries from multiple providers that are not consolidated properly.
According to SPF standards and RFC specifications, each domain must have only one SPF record.
Why It Matters
When multiple SPF records are present:
- Email delivery may fail.
- Messages may be marked as spam.
- SPF validation will fail, as mail servers are unable to determine which record to trust.
- Your domain reputation may be affected due to repeated authentication failures.
How to Resolve a Conflicting SPF Record
- Check for Multiple SPF Records
  - Use the Zoho Toolkit or any SPF checker tool to verify your domain's DNS settings.
  - Ensure that only one TXT record starting with v=spf1 exists.
  - If multiple SPF records are found:
    - Identify which entries are required.
    - Remove any outdated or unnecessary records from your DNS page.
    - Wait for DNS propagation (this may take a few hours).
- Consolidate Entries into One Record
  - If you use multiple email services (e.g., Zoho Mail, Mailgun, Google Workspace), combine them into a single SPF record as shown in the reference above.
- Verify Syntax and DNS Lookup Limits
  - Start the record with v=spf1.
  - Use valid mechanisms only (include:, ip4:, ip6:, a, mx, etc.).
  - End the record with an enforcement rule such as -all, ~all, or ?all.
  - Do not exceed 10 DNS lookups, as this will cause the SPF check to fail.
- Remove Deprecated or Unused Entries
  - If you're no longer using a particular email service, remove its include: entry from your SPF record.
  - Keeping outdated references increases the risk of DNS lookup issues and failed authentication.
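The syntax and lookup-limit checks above can be automated. The following is an added example, not a Zoho tool and not part of the original page: it flags unknown terms, a missing all ending, and more than 10 DNS lookups counted across nested includes. The `ZONE` contents are constructed sample records (assumption) and are not the real records of the domains named.

```python
import re

# Terms that make the receiver issue a DNS query; each counts toward the limit.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
NO_LOOKUP_TERMS = {"ip4", "ip6", "all", "exp"}
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.I)

# Constructed DNS data (assumption): domain -> its single SPF record.
ZONE = {
    "example.com": "v=spf1 include:abc.com include:def.com include:zohomail.com ~all",
    "abc.com": "v=spf1 a mx include:_spf.abc.com -all",
    "_spf.abc.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "def.com": "v=spf1 a mx ptr exists:%{i}.allow.def.com include:_spf.def.com -all",
    "_spf.def.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "zohomail.com": "v=spf1 ip4:203.0.113.0/24 -all",
}

def parse_terms(record):
    """Return [(name, value)] for every term after the version tag."""
    out = []
    for raw in record.split()[1:]:
        m = TERM.match(raw)
        out.append((m.group(1).lower(), m.group(2) or "") if m else (raw, ""))
    return out

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms in a record and in everything it includes."""
    if domain in seen or domain not in zone:   # include loop or no data
        return 0
    total = 0
    for name, value in parse_terms(zone[domain]):
        total += name in LOOKUP_TERMS
        if name in ("include", "redirect"):
            total += count_lookups(value, zone, seen + (domain,))
    return total

def lint_spf(domain, zone=ZONE):
    """Return a list of problems found in the SPF record published at domain."""
    record, problems = zone[domain], []
    names = [name for name, _ in parse_terms(record)]
    if record.split()[0].lower() != "v=spf1":
        problems.append("record does not start with v=spf1")
    unknown = [n for n in names if n not in LOOKUP_TERMS | NO_LOOKUP_TERMS]
    if unknown:
        problems.append("unknown term: " + ", ".join(unknown))
    if "redirect" not in names and names[-1:] != ["all"]:
        problems.append("record does not end with an all mechanism")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups, limit is 10")
    return problems
```

With the sample data, the top-level record has only three includes but resolves to 11 lookups; dropping the unused def.com include brings it down to 5.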
DNS Provider - Registrar conflict
When you register the domain with one provider, but point the Nameservers to another provider, then the TXT Record added in your Domain Registrar to configure SPF is not considered valid. You might have changed the DNS Provider for hosting your website or for your previous email provider configuration or based on your choice.
Only the TXT records added at the provider where the name servers are pointed are effective and valid. Hence, do a name server lookup for your domain to check where your domain is hosted. If you are not sure, you may also check with your Domain Registrar or the technical contact for your domain to find out where the name servers are pointed.
Longer TTL
TTL (Time To Live) is the time specified in your DNS for each DNS change to take effect. If you have a large TTL value (24 hrs/ 48 hrs), the TXT record might not be returned during the verification process. It might take up to 12 - 24 hours for DNS changes to take effect, based on the TTL set. Please check the TTL value using the DNS checker tool and try verifying after a while.
Typos/ Spelling Mistakes
Ensure that the TXT Record value that you enter while configuring SPF is in accordance with the value specified in this help page.