How to Set Up an SPF Record on Cloudflare: A Step-by-Step Guide
Published in
How To
•
May 12, 2025
Let’s make something clear from the start:
If you're sending sales emails, setting up an SPF record is essential to get your emails read.
Without it, your emails will land in spam and never reach your prospects, let alone convert them.
Is Cloudflare your domain provider?
This guide will walk you through setting up your Cloudflare SPF record, step by step, so your emails have a better chance of landing where they belong: in your prospect’s inbox.
Understanding SPF
SPF is an abbreviation for Sender Policy Framework.
This email authentication protocol was developed to combat email spoofing (when an email pretends to come from a trusted source, like your domain).
An SPF record lets you decide what sending servers (or IPs) can send through your domain. Authentication will fail if an email comes from a server that’s not in the SPF record. Unauthenticated emails may then get sent to spam or not delivered at all.
So, what sending servers should be included in an SPF?
The sending server(s) of the email service provider you use to send emails.
For example, if you use your Gmail/Google Workspace account to send email on your domain’s behalf, your SPF record would look like this:
v=spf1 include:_spf.google.com ~all
Let’s explain real quick what it all means:
The V stands for version. There’s only one version in use currently, so it’s always v=spf1.
The Include tag holds the authorized sending server*
The All tag determines the result to be returned when an email fails authentication. In this case, it’s set to “soft fail,” meaning emails from unauthorized IPs should be accepted but marked as suspicious.
Other All tag policy settings are:
-all = hard fail (reject unauthorized senders)
+all = allow all (should never be used)
*You cannot have multiple SPF records, but you can add more servers by including multiple include tags. Here's an example of an SPF record with multiple Includes:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all
Why Do You Need SPF?
SPF improves your open rates, helping you generate more revenue for the same amount of effort.
Why does a correctly configured SPF record improve your open rates?
SPF makes your emails more secure, and ESPs reward you for this with better inbox placement.
In short, to generate the most ROI for your sales outreach, you must set up SPF for your domain.
Here Are the Steps to Setting Up an SPF Record on Cloudflare
To set up an SPF record on Cloudflare, you have to follow four main steps:
➡️ Obtain your email service provider's SPF record (the tool you send emails with on your domain's behalf)
➡️ Check if your domain has an existing SPF record (you cannot have multiple SPF records)
➡️ Add an SPF record to Cloudflare (or modify an existing record)
➡️ Validate your SPF record
Let’s look at these in more detail:
1. Obtain your email service provider’s SPF record
If you use an email service provider (Google Workspace, Office 365, etc.) to send email, you must add their sending server(s) to your SPF record.
For Office 365, for example, the SPF record may look like this:
v=spf1 include:spf.protection.outlook.com -all
However, always check with your ESP before implementing anything. ESPs may change their SPF record from time to time.
If you’re not connecting your Google Workspace, Office 365, or another ESP account to your email sending tool, things work differently.
When you use the cold email tool’s own sending infrastructure instead, you must add its sending server(s) to your SPF record, not your ESP’s.
First, figure out whose server(s) you are sending email with. Then, use their SPF record or add their server(s) to an existing SPF record.
2. Check if your domain has an existing SPF record set up
Having multiple SPF records causes complications during authentication. You can only have one SPF record configured for your domain.
Follow these steps to check if your domain already has an SPF record set up:
➡️ Log in to your Cloudflare account
➡️ On the dashboard, select your domain
➡️ Click on DNS
➡️ Check for an existing SPF record. SPF records are TXT records that always contain this string: v=spf1
➡️ If there is no SPF record, continue with step 3: "Add an SPF record to Cloudflare"
➡️ Already got an SPF record? Check what server(s) is in the include tag and whether you still need to authorize the server to send email on your domain's behalf. If you don't, you can delete the record. Ensure you're 100% certain of the record's origin before deleting or adjusting it.
➡️ If you need to keep this record, add an additional include tag to the record*, unless the same sending server is already in the record. Here's an example of an SPF record with multiple includes (and, thus, sending servers) in it: v=spf1 include:_spf.google.com include:sendingserver2.net ~all
*Don’t add too many include tags to your SPF record. SPF has a lookup limit of 10. Exceeding that can cause complications during authentication.
**Sometimes, ESPs or other email sending tools require you to add IP numbers to your record instead of URLs of sending servers. You use the ip4 tag instead of the include tag for IP numbers.
3. Add an SPF record to Cloudflare
➡️ Log in to your Cloudflare account
➡️ Select your domain from the dashboard
➡️ Click on DNS
➡️ Create a new DNS record
➡️ Select TXT as the Type
➡️ Put @ in the name field
➡️ Enter your SPF record in the Value field. For example, if you're using your Google Workspace account to send emails, the record should look like this: v=spf1 include:_spf.google.com include:sendingserver2.net ~all.
➡️ Save your record
4. Validate your SPF record
DNS changes can take up to 72 hours to propagate.
The good news is that your record usually becomes active in a few hours.
You don’t have to guess about your record’s status either. You can use a tool like MXToolbox to validate your record in just three simple steps:
➡️ Enter your domain name
➡️ Select the SPF Record Lookup tool
➡️ Hit the orange button
Keep in mind that SPF results can be inconsistent while the record is propagating. Don’t send out any emails until it’s clear that your SPF record has become fully active.
Don't Forget Other Email Authentication Methods!
After setting up SPF, you’re one step closer to your audience’s inbox.
However, to complete your technical setup, you also have to:
Set up DKIM
Set up DMARC
Set up MX records
Set them all up to maximize deliverability and boost ROI for your sales emails.
