SPF Record Cloudflare: Setup Guide for 2026

Step-by-step guide to adding, merging, and troubleshooting an SPF record in Cloudflare. Covers syntax, the 10-lookup limit, and verification.

6 min read · Prospeo Team

How to Set Up an SPF Record in Cloudflare (The Right Way)

A founder on r/webhosting posted about losing $50k in ARR - twice - because a duplicate SPF record silently sent their emails to spam. Nobody told them. No alert fired. Deals just stopped closing.

If you manage DNS through Cloudflare, getting your SPF record right isn't optional. Google and Yahoo started enforcing SPF, DKIM, and DMARC requirements for bulk senders in February 2024, and enforcement has only tightened since. If your authentication is broken, your outbound is broken. Let's fix it. (If you need the full baseline, start with how to authenticate email.)

What Is an SPF Record?

SPF (Sender Policy Framework) is a DNS TXT record that tells receiving mail servers which IP addresses can send email for your domain. The flow is simple: someone gets your email, their server pulls your SPF record from DNS, and checks the connecting IP against it. Match means pass. No match means your message lands in spam or gets rejected outright.

One critical detail - SPF is published as a TXT record type, not a dedicated "SPF" type. The SPF record type was deprecated in RFC 7208. If you see an option for it in your DNS panel, ignore it.

SPF Syntax Cheat Sheet

Every SPF record starts with v=spf1 and ends with an all mechanism.

Mechanisms

| Mechanism | What It Does | DNS Lookup? |
|---|---|---|
| include: | Authorizes another domain's SPF | Yes |
| ip4: | Authorizes a specific IPv4 address/range | No |
| ip6: | Authorizes a specific IPv6 address/range | No |
| a | Authorizes the domain's A record IP | Yes |
| mx | Authorizes the domain's MX hosts | Yes (often 2+) |
| all | Catch-all at the end | No |

Qualifiers

| Qualifier | Meaning |
|---|---|
| + | Pass (default, usually omitted) |
| - | Hard fail - reject |
| ~ | Soft fail - accept but flag |
| ? | Neutral |

A clean, modern SPF record looks like this:

v=spf1 include:_spf.google.com include:sendgrid.net -all

You'll see v=spf1 a mx ~all in a lot of tutorials. Don't copy it. The a and mx mechanisms waste DNS lookups and don't match how modern email infrastructure actually works - your mail goes through a provider, not your web server's IP. If you want a deeper primer, see our SPF record guide.

Common Provider SPF Includes

Bookmark this table. You'll need it every time you add a new email tool.

| Provider | SPF Include | Lookups |
|---|---|---|
| Google Workspace | include:_spf.google.com | 1 |
| Microsoft 365 | include:spf.protection.outlook.com | 1 |
| Mailchimp | include:servers.mcsv.net | 1 |
| SendGrid | include:sendgrid.net | 1 |
| Salesforce | include:_spf.salesforce.com | 1 |
| Amazon SES | include:amazonses.com | 1 |

A combined record for a team using Google Workspace, SendGrid, and Mailchimp:

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all

That's 3 lookups. Clean, readable, well under the limit. For more copy-paste patterns, use these SPF record examples.

Adding an SPF Record in Cloudflare

  1. Log in to Cloudflare and select your domain.
  2. Go to DNS > Records > Add Record.
  3. Set the fields:
    • Type: TXT
    • Name: @ (targets your root domain - use the subdomain name instead if you're setting up SPF for something like mail.yourdomain.com)
    • Content: Your SPF string, e.g. v=spf1 include:_spf.google.com -all
    • TTL: Auto
  4. Click Save.

Propagation usually takes minutes, though it can stretch to an hour. Cloudflare's DNS is free on all plans - no paid tier needed for this. If you're unsure what "normal" looks like, here's a full breakdown of how long SPF records take to propagate.

Merging Multiple SPF Records

Here's the thing: you can only have one v=spf1 TXT record per hostname. Your root domain is one hostname; each subdomain is another. Two records cause a PermError, and PermError means SPF fails entirely. One industry analysis puts SPF error rates at 2.9% - including duplicates exactly like this.

Before (broken):

v=spf1 include:_spf.google.com ~all
v=spf1 include:sendgrid.net ~all

After (fixed):

v=spf1 include:_spf.google.com include:sendgrid.net -all

In Cloudflare, go to DNS > Records, filter for TXT records, and look for anything starting with v=spf1. If you see two, delete one and merge all the include: mechanisms into a single record. One v=spf1 at the start, one -all at the end. We've seen this exact mistake tank deliverability for weeks - it's the single most common SPF failure mode, and it's completely silent unless you're actively checking. (Related: SPF record DNS troubleshooting.)
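
An added example (not code from the original article): a Python check that takes the raw TXT answers for one hostname, in the form `dig TXT yourdomain.com +short` prints them, joins any split quoted strings, flags more than one v=spf1 record as the PermError case described above, and builds the merged record. The sample input is constructed and the function names are this example's own.

```python
import re

# Constructed sample of `dig TXT <host> +short` output: two SPF records (the
# broken "before" state) plus an unrelated TXT record. The third answer is
# deliberately split into two quoted strings to exercise the join.
SAMPLE_DIG = '''"v=spf1 include:_spf.google.com ~all"
"google-site-verification=constructed-token"
"v=spf1 include:sendgrid.net " "~all"
'''

def txt_records(dig_output):
    """Join the quoted strings on each answer line into one TXT value.

    DNS carries TXT data as strings of at most 255 bytes; SPF evaluation
    concatenates them with no separator (RFC 7208 section 3.3)."""
    records = []
    for line in dig_output.splitlines():
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if parts:
            records.append("".join(parts))
    return records

def spf_records(records):
    """Keep only records whose version tag is exactly v=spf1."""
    return [r for r in records
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def merge_spf(spf, final="-all"):
    """Merge SPF records: unique terms in first-seen order, one v=spf1
    prefix, one terminal all (default -all, as in the fixed record above)."""
    merged = []
    for record in spf:
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                continue  # drop each record's own all; one is appended below
            if term not in merged:
                merged.append(term)
    return " ".join(["v=spf1", *merged, final])

def audit(dig_output):
    """Return (status, record): status is 'none', 'ok' or 'permerror'."""
    spf = spf_records(txt_records(dig_output))
    if not spf:
        return "none", None
    if len(spf) == 1:
        return "ok", spf[0]
    return "permerror", merge_spf(spf)
```

Calling `audit(SAMPLE_DIG)` reports the duplicate and returns the same merged record shown in the "After (fixed)" example.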

The 10-DNS Lookup Limit

RFC 7208 enforces a hard limit of 10 DNS lookups during SPF evaluation. Exceed it and receivers return PermError - your SPF effectively doesn't exist.

What Counts vs. What Doesn't

| Counts as a Lookup | Doesn't Count |
|---|---|
| include: | ip4: |
| a | ip6: |
| mx (often 2+) | all |
| ptr (deprecated) | |
| exists | |
| redirect | |

The sneaky part: providers can change their own include chains without telling you. Google's _spf.google.com resolves to nested includes that consume multiple lookups under the hood. What's under the limit today might not be next month.
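
An added example (not from the original article) of how a lookup count adds up through nested includes. The zone data is constructed rather than real provider records, and the counter charges one lookup per lookup-causing term, as RFC 7208 section 4.6.4 does, taking the worst case where every term is evaluated.

```python
# Constructed zone data standing in for live DNS answers (not real provider
# records): hostname -> SPF string. mail-a.example nests two more includes.
ZONE = {
    "example.com": "v=spf1 include:mail-a.example include:mail-b.example mx -all",
    "mail-a.example": "v=spf1 include:n1.mail-a.example include:n2.mail-a.example ~all",
    "n1.mail-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "n2.mail-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "mail-b.example": "v=spf1 ip4:203.0.113.0/24 exists:%{i}.bl.mail-b.example ~all",
}

LIMIT = 10  # RFC 7208 section 4.6.4
# Terms that cost a lookup. Each is counted once; the address lookups behind
# an mx have their own separate cap in the RFC and are not modelled here.
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}

class PermError(Exception):
    """Raised for conditions a receiver would report as PermError."""

def count_lookups(domain, zone, _seen=()):
    """Return the DNS lookups an SPF check of `domain` can trigger,
    following include: and redirect= targets recursively."""
    if domain in _seen:
        raise PermError(f"include loop at {domain}")
    record = zone.get(domain)
    if record is None:
        raise PermError(f"no SPF record at {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        if term.lower().startswith("redirect="):
            name, target = "redirect", term.split("=", 1)[1]
        else:
            head, _, target = term.partition(":")
            name = head.split("/")[0].lower()  # a/24 and mx/24 still count
        if name in COUNTED:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, _seen + (domain,))
    return total

def check(domain, zone):
    """Return (lookup_count, 'ok' or 'permerror') against the limit of 10."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")
```

Here `check("example.com", ZONE)` gives 6 lookups even though the top-level record shows only three lookup-causing terms: the nested includes and the `exists` inside them account for the other three.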

How to Stay Under the Limit

  • Replace a and mx with explicit ip4: entries - zero lookup cost
  • Move marketing tools to a subdomain like mail.yourdomain.com
  • Monitor your lookup count monthly with MXToolbox or Kitterman
  • Drop includes for services you've stopped using
  • Skip manual SPF flattening (resolving includes to raw IPs) unless you're using an automated flattening service - manual flattening breaks when providers rotate IPs, and you won't know until your emails start bouncing (see SPF flattening for the tradeoffs)

Also watch the 255-character-per-string limit in DNS TXT records. Cloudflare handles splitting automatically, but if you're debugging raw DNS output, long records get split into multiple quoted strings. That's normal.

Cloudflare-Specific Gotchas

The consensus on r/CloudFlare is that post-migration deliverability disasters are shockingly common. Most of them come down to three things:

Proxy status matters. Your MX records must be DNS-only (gray cloud). Any hostname involved in mail server connections should be DNS-only as well. If you proxy a mail-related hostname with the orange cloud, you'll break SMTP connections and DKIM verification. This is the #1 mistake after migrating to Cloudflare, and we've watched teams debug it for days before finding the toggle. (If you’re auditing mail routing, start with an MX record lookup.)

TXT formatting quirk. Cloudflare's UI can flag SPF records as invalid due to quotation mark handling. If your record looks wrong after saving, open it and re-save. Cloudflare auto-formats the quotes on save, which usually fixes the display issue.

No dedicated SPF type. Publish SPF as a TXT record. That's correct and intentional - the SPF RR type is deprecated.

How to Verify Your SPF Record

Don't guess. Check. Start with a quick terminal command:

dig TXT yourdomain.com +short

That gives you the raw record in seconds. Then validate with dedicated tools:

  • MXToolbox SPF Lookup - fast, detects duplicates, recursive loops, and deprecated record types.
  • Kitterman SPF Validator - detailed lookup breakdown showing exactly how many lookups each include chain consumes.
  • dmarcian SPF Survey - visual include chain map, great for understanding nested dependencies.

Run all three after any change. It takes two minutes and saves you from the kind of silent failure that cost that founder $50k. If you want a broader workflow, follow our SPF DKIM DMARC check guide.

SPF Alone Isn't Enough

SPF authenticates the sending server. DKIM signs the message content. DMARC sets the policy for what happens when checks fail. You need all three.

Look - perfect authentication is table stakes, not a competitive advantage. The thing that actually separates teams with great deliverability from everyone else is list quality. Sending to invalid addresses generates bounces, and bounces destroy your sender reputation faster than almost anything else. In our experience working with outbound teams, the pattern is always the same: they nail SPF, DKIM, and DMARC, then torch their domain by blasting a list full of dead addresses. Before you launch any campaign, run your list through an email verification tool like Prospeo - 98% accuracy with catch-all handling and spam-trap removal. If you're trying to keep bounces in check, see our average bounce rate for email campaigns benchmarks. The free tier gives you 75 verifications a month, enough to validate a target list before launch.

FAQ

Can I have multiple SPF records on one domain?

No. RFC 7208 requires exactly one v=spf1 TXT record per hostname. Multiple records cause a PermError - SPF fails entirely. Merge all include: mechanisms into a single record with one v=spf1 prefix and one -all suffix.

Should I use -all or ~all?

Use ~all during initial testing, then switch to -all within a week once all legitimate senders are confirmed. Softfail tells receivers "probably unauthorized, but let it through" - that defeats the purpose of SPF enforcement long-term.

Does Cloudflare's proxy affect email authentication?

SPF itself isn't affected since it's a TXT record lookup. But proxying mail-related hostnames (orange cloud) can break SMTP connections and DKIM verification. Keep all mail-related DNS entries set to DNS-only (gray cloud).

How do I check my SPF lookup count?

Paste your domain into MXToolbox's SPF checker or Kitterman's validator - both display the total recursive lookup count. You have a hard cap of 10. If you're at 8+, replace a and mx mechanisms with ip4: entries and audit unused includes.

What's the best way to protect deliverability beyond SPF?

Proper SPF, DKIM, and DMARC alignment is the baseline. After that, the biggest deliverability killer is bounce rate from bad contact data. Verifying emails before you send keeps bounces under 3% - the threshold most ESPs flag.
