SPF (Sender Policy Framework) is a single DNS TXT record that lists which servers may send email for your domain. Setting it up takes a few minutes and stops the simplest form of spoofing. Here is how to do it correctly.
Step 1: list your senders
Write down every service that sends mail as your domain: your mailbox provider (Google Workspace, Microsoft 365), plus any marketing, invoicing, helpdesk or CRM tools. Each one publishes an SPF include you will need.
Step 2: build the record
An SPF record starts with v=spf1, lists your senders, and ends with an all mechanism. For a domain sending through Google Workspace and one marketing tool:
v=spf1 include:_spf.google.com include:sendgrid.net -all
include: pulls in a provider's authorized servers.
-all (hardfail) tells receivers to reject anything not listed. This is the strongest ending and the one to aim for.
~all (softfail) marks unlisted mail as suspicious instead of rejecting. Use it only while testing.
Step 3: publish one record
Add the record as a TXT record on your root domain. Publish exactly one SPF record. Two SPF records is a configuration error that causes a permerror and breaks authentication.
Step 4: watch the ten lookup limit
SPF may trigger at most ten DNS lookups when evaluated. Each include counts, and providers stack up fast. If you cross the limit you get a permerror. See how to fix SPF too many DNS lookups.
Step 5: verify
Publish, wait for DNS to propagate, then scan your domain to confirm the record is valid, within the lookup limit, and ends with a strong all qualifier.
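The checks from steps 3 to 5 can be scripted. The following is an added example, not part of the original page or any scanner it refers to: it verifies that exactly one SPF record exists, that it ends in -all, and that nested includes stay within ten lookups. ZONE and every domain in it are constructed sample data standing in for live DNS TXT answers, and the function names are hypothetical.

```python
# Added example. ZONE is constructed sample data standing in for DNS TXT answers.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:mkt.example -all",
                    "site-verification=constructed-token"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "mkt.example": ["v=spf1 a mx ip4:203.0.113.0/24 ~all"],
}
# Terms that cost one DNS lookup each (RFC 7208, section 4.6.4); redirect= also counts.
LOOKUP_MECHS = {"include", "a", "mx", "exists", "ptr"}

def spf_records(domain, zone):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, seen=frozenset()):
    """Count lookup-costing terms, following include: and redirect= targets."""
    recs = spf_records(domain, zone)
    if domain in seen or len(recs) != 1:
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        t = term.lstrip("+-~?").lower()
        if t.startswith("redirect="):
            total += 1 + count_lookups(t[len("redirect="):], zone, seen | {domain})
            continue
        name, _, target = t.partition(":")
        if name.split("/")[0] in LOOKUP_MECHS:
            total += 1
            if name == "include":
                total += count_lookups(target, zone, seen | {domain})
    return total

def check(domain, zone):
    """Return a list of problems; an empty list means the record passes."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return [f"expected exactly one SPF record, found {len(recs)}"]
    problems = []
    last = recs[0].split()[-1].lower()
    if last != "-all":
        problems.append(f"record ends with {last!r}, not '-all'")
    n = count_lookups(domain, zone)
    if n > 10:
        problems.append(f"{n} DNS lookups exceeds the limit of ten")
    return problems

if __name__ == "__main__":
    print(count_lookups("example.com", ZONE), check("example.com", ZONE))
```

The sample domain has only two includes at the top level but costs six lookups once the nested includes and the a and mx mechanisms are counted, which is how providers "stack up fast".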