DNS Record Explainer

Paste any DNS record and get a plain-English breakdown - every tag explained, risky settings flagged, related tools suggested. No domain needed.

paste_record
// detects SPF / DKIM / DMARC / BIMI / CAA / MX / MTA-STS / TLS-RPT / generic TXT. Paste the record value - no quotes needed.
[ OK ] Detected: SPF
input
v=spf1 include:_spf.google.com include:mailgun.org ~all
[ explanation · ai ]
[ breakdown ]

v=spf1 — declares this as SPF version 1, required opener for every SPF record.

include:_spf.google.com — authorizes all IP ranges published in Google's SPF record. The receiving server's SPF check will query _spf.google.com's SPF record and treat any IP that passes there as authorized by yours. Google maintains this to cover Gmail, Workspace, and related services.

include:mailgun.org — same pattern for Mailgun. Any IPs listed in mailgun.org's SPF record are now authorized to send mail on your domain's behalf.

~all — softfail on everything else. Mail from unlisted IPs gets tagged but still accepted by most receivers. It's a warning, not a block. This is standard for gradual SPF rollouts.
[ flags ]

No issues detected. This is a clean, typical setup for a domain using Google Workspace + Mailgun for transactional email.

Worth noting: SPF effectiveness depends on receiver behavior. Many major mailboxes (Gmail, Outlook) respect it; some don't enforce it strictly. It's one piece of auth, not a guarantee.

The includes point to externally managed records. If Google or Mailgun changes their IPs without updating their SPF records, your auth will break. Monitor this if mail suddenly stops authenticating.

If you're also running your own mail server, you'll need to add your own IP(s) separately, e.g., `ip4:203.0.113.50` before or after the includes.
[ context ]

SPF tells receiving mail servers which systems can legitimately send email for your domain. Without it, your mail from these services has no proof of permission, making it easier to spoof and more likely to hit spam folders. This record is foundational; DKIM and DMARC layer on top for stronger authentication.
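
An offline sketch of the breakdown and flag checks described above, added here as an example and not this tool's own code. The name `explain_spf` and the flag wording are assumptions; the 10-lookup cap is the RFC 7208 limit the related link refers to. It goes beyond the record shown to cover other qualifiers, modifiers and terms placed after `all`.

```python
import re

PAGE_RECORD = "v=spf1 include:_spf.google.com include:mailgun.org ~all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Mechanisms that cost a DNS lookup when evaluated; the redirect= modifier
# does too. RFC 7208 caps the total at 10 per SPF check.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9._-]*)(?:([:=/])(.*))?$", re.I)


def explain_spf(record):
    """Break an SPF record into terms and flag risky settings, offline.
    Counts only terms written in this record; lookups made inside included
    records also count toward the limit but need live DNS."""
    parts = record.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    terms, flags, lookups, all_result, has_redirect = [], [], 0, None, False
    for raw in parts[1:]:
        m = TERM_RE.match(raw)
        if not m:
            flags.append(f"unparseable term: {raw}")
            continue
        qual, name, sep, value = m.group(1), m.group(2).lower(), m.group(3), m.group(4)
        if sep == "=":  # modifier (redirect=, exp=, ...): carries no qualifier
            has_redirect |= name == "redirect"
            lookups += name == "redirect"
            terms.append((name, value, None))
            continue
        if name not in MECHANISMS:
            flags.append(f"unknown mechanism: {raw}")
            continue
        if all_result is not None:
            flags.append(f"{raw} comes after 'all' and is never evaluated")
        result = QUALIFIERS[qual or "+"]  # a missing qualifier means "+"
        lookups += name in LOOKUP_MECHANISMS
        if name == "all" and all_result is None:
            all_result = result
        terms.append((name, value, result))
    if all_result == "pass":
        flags.append("+all authorizes every IP address to send as this domain")
    elif all_result == "neutral":
        flags.append("?all gives receivers no verdict on unlisted senders")
    elif all_result is None and not has_redirect:
        flags.append("no 'all' or redirect: unlisted senders get a neutral result")
    if lookups > 10:
        flags.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return {"terms": terms, "lookups": lookups, "flags": flags}
```

Calling `explain_spf(PAGE_RECORD)` returns the three terms from the breakdown, a lookup count of 2 and an empty flag list, matching the "No issues detected" result above.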
[ related ]
→ /tools/spf-checker run the live checker on a real domain
→ /blog/spf-10-dns-lookup-limit
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers - no analytics/telemetry on paste content.