Email SPF Record Use & Syntax questions

I want to use 1 SPF record for a site that will work for Gmail and self-hosted email.

My hosting company gave me this:
v=spf1 +a +mx  ~all

AND Google gave me this:

So making 1 SPF record out of the two, I write as this:
v=spf1 +a +mx +ip4: +ip4: ~all

1. The basic SPF syntax checkers tell me that is correct (I I start thinking that I am GOOD)
2. The Email Header of an email received by Gmail from the above domain says "SPF Neutral  ( is neither permitted nor deniedby best guess record for domain of (Now I am thinking that I am NOT GOOD!)
3. I am also confused as the difference between using "include" vs. "+include" vs. "ip4:"  vs. "+ip4"

Thanks in advance for any help with this !!
- B
Who is Participating?
nociSoftware EngineerCommented:
+ means ALLOW
- means DISALLOW
~ means test using other means...
a = a record of domain
mx = the mail receivers of a domain. (should only be mentioned if the mail receivers ALSO send the mail).
ipv4 = ipv4 addresses you want to give a honorable mention
include use also from those records...

so ipv4 = +ipv4 = include this as positive valid send for the domains
  -a would mean the a address on the domain may not send mail.
~all means for all others  check other means (dkim, spam checkers...).   (this should be the assumption if there is NO spf record.
-all would disallow all other addresses.   (should be the ending of the mail SPF after testing showed it worked/
+all would be counter productive, allow anyone to use your domain...
don't forget about ipv6 addresses ..
I believe that you should remove "a" and "mx" and simply keep ip4 and included lookups for Google
MX should be used when same servers receiving emails would be used to send  emails out which is not the case in case of google i believe
If mx is specified, it will resolve to A record and that A record would be checked for reverse dns and any failure in resolution may create issues if records not configured correctly
Hence use ip4 with all IPs and included lookups from Google
Check how O365 SPF record is constructed
Ip4 should contains all sending server ips of non google solution
On-Demand: Securing Your Wi-Fi for Summer Travel

Traveling this summer?Check out our on-demand webinar to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

Remember you have to allow tour DNS TTL to expire before your new record is used.

For a quick check:
mtoolbox spf checker is a fancy tool to check your SPF record - moreover, it gives detailed explanations on each entry. Make sure you try it!!

SPF reference here (openspf)

+ :Default qualifier, if omitted, is + so

Open in new window


Open in new window

are equivalent. searches domain for allowed SPF senders

MX is used when you want to specify IPs of MX records of sender domain (allows to change MXes without changing SPF RR) - in your case is probably redundant but no harm done.

A is used when you want to specify all A RR of sender domain. In your case allows all IPs of your domain to pass SPF validation when sending email. Your hosts do send emails (maybe a internal relay server who needs to send email to the world)? Does any host other than google's send email on behalf og your domain?  yes,keep it. No, delete it.

To print SPF record of along with associated TTL:
dig TXT | grep spf

Open in new window

Mal OsborneAlpha GeekCommented:
The "+" is optional, and usually omitted.

The ~all, is not a pass or fail, but rather a "softfail", meaning ignore SPF, it is not really working. It is kinds like a "Beta Fail"

So, give the record you have, you should see a pass for from email from your something that maps to your domain (A), something that has an MX record for your domain  pointing to it (MX), or or Additionally, any IPs is Googles SPF record should manage a pass.  Anything else should return a softfail.

The "Neutral" being returned is a bit confusing. This means some mechanism matched to A "?" qualifier, but you have none of those in your SPF record, nor does Googles include.

Wikipedia have a quite a good "101 level" explanation of how all this works.
Just to sum up, comments above are consistent with mine. So why are you seeing the error you describe? Probably because if DNS propagation time. Check again now and let us know the outcome. Should the error persist, use a SPF checker such as the one i posted above to exclude issues other than SPF RR contents
The Email Header of an email received by Gmail from the above domain says "SPF Neutral  ( is neither permitted nor deniedby best guess record for domain of (Now I am thinking that I am NOT GOOD!)

Something doesn't match up, because the SPF record you posted above will never return a "neutral" result. The ~all mechanism at the end prevents this. Are you sure the SPF record you posted above is actually the one your domain is using?
nociSoftware EngineerCommented:
~all still means ANY mailserver is allowed as Sender for that domain... and other references need to be used to validate.
-all would mean block any other sender...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.