DNS Record Explainer
Paste any DNS record and get a plain-English breakdown — every tag explained, risky settings flagged, related tools suggested. No domain needed.
[ OK ]
Detected: SPF
input
v=spf1 include:_spf.google.com include:mailgun.org ~all
[ explanation · ai ]
[ breakdown ]
v=spf1 — SPF version 1. Required, always comes first. Tells receivers this is an SPF policy.
include:_spf.google.com — Pulls in Google's SPF record. Your domain authorizes any IP that Google's SPF permits. Google maintains this list; you inherit their changes automatically.
include:mailgun.org — Authorizes Mailgun's sending infrastructure. Same mechanism as Google—you're delegating to their SPF record.
~all — Soft fail on everything else. Mail from IPs not covered by the includes still goes through, but gets marked as questionable. Receivers treat it as "probably not spam but unconfirmed." This is safer than -all (hard fail) when you're still adding senders and might miss one.
[ flags ]
• No hard failure mechanism. If you add another sender later and forget to include them, mail won't bounce—it'll just soft-fail. Consider upgrading to -all once you've locked down all legitimate senders.
• Two includes is reasonable, but each include counts toward SPF's limit of 10 DNS lookups per evaluation. If either Google's or Mailgun's SPF record itself uses includes, those nested includes also count. You can check with `dig _spf.google.com txt` to see their actual policy.
• No A, MX, or explicit IP ranges. This works fine if all your outbound mail goes through Google and Mailgun, but if the host behind your domain's A record or your MX servers also send mail, they need explicit permission. Add `a` or `mx` if that applies.
• Missing DKIM/DMARC. SPF alone won't prevent header-from spoofing. Add DKIM and a DMARC policy that evaluates both SPF and DKIM for stronger protection.
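The lookup-limit flag above can be checked mechanically. The following is an added example, not this tool's own code: it parses SPF terms, follows `include` and `redirect` into a constructed offline zone table (the nested records and the `example.com` owner name are invented, not the providers' published data), and counts every DNS-querying term.

```python
# Terms that each cost one DNS query during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10

def parse_spf(record):
    """Return a list of (qualifier, name, value) terms from an SPF record."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        qual = tok[0] if tok[0] in QUALIFIERS else "+"
        body = tok[1:] if tok[0] in QUALIFIERS else tok
        # Name ends at the first ':', '=' or '/' (include:x, redirect=x, a/24).
        cut = min((body.find(c) for c in ":=/" if c in body), default=len(body))
        terms.append((qual, body[:cut].lower(), body[cut + 1:]))
    return terms

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms, following include/redirect into `zone`."""
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for _, name, value in parse_spf(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(value, zone, seen + (domain,))
    return total

def all_result(record):
    """Result given to senders matched only by the 'all' term, if present."""
    for qual, name, _ in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qual]
    return None

# Constructed zone data: only the first record comes from the page; the
# included records are invented placeholders, not real published policies.
ZONE = {
    "example.com": "v=spf1 include:_spf.google.com include:mailgun.org ~all",
    "_spf.google.com": "v=spf1 include:_nb1.invalid include:_nb2.invalid ~all",
    "_nb1.invalid": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.invalid": "v=spf1 ip4:198.51.100.0/24 ~all",
    "mailgun.org": "v=spf1 ip4:203.0.113.0/24 a ~all",
}

if __name__ == "__main__":
    n = count_lookups("example.com", ZONE)
    print(f"lookups={n}/{MAX_LOOKUPS} all={all_result(ZONE['example.com'])}")
```

With this constructed data the two visible includes expand to five lookups, which is why the top-level record alone understates how close a policy is to the limit.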
[ context ]
SPF makes it harder for someone else to send mail claiming to be from your domain by letting receivers check whether the sending server's IP is authorized. Without SPF, a third party can easily forge mail from your domain. With this record, receivers can tell when mail comes from an unauthorized IP, but because of ~all that mail is marked as questionable rather than refused. The soft-fail approach works for most setups. Test thoroughly before switching to -all, because a hard fail leaves no safety net for a legitimate sender you forgot to include.
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers — no analytics/telemetry on paste content.