SPF is a DNS TXT record that specifies which IP address(es), domains, and/or servers are allowed to send email “from” a particular domain. It’s essentially like the return address placed on a letter or postcard that lets the recipient know who sent the communication. The idea is that if they know who sent them the letter, the recipient is more likely to open it.
Create processes in your organization for ongoing SPF monitoring and management. This periodic review should consider onboarding/off-boarding 3rd-party vendors where appropriate. Having a formal “off-boarding” process that takes into account DNS hygiene once a 3rd-party is no longer used is a good organizational policy to have in place as well.
Build directives in your SPF record with the following considerations:
explicit mechanisms first (IP addresses)
followed by mechanisms that induce a DNS query
include mechanisms last
if possible, list the highest volume sources first to minimize DNS queries
If all email from your organization is sent using Google Workspace only, this sample SPF record should work for your domain:
v=spf1 include:_spf.google.com ~all
If all email from your organization is sent using Office 365 only, this sample SPF record should work for your domain:
v=spf1 include:spf.protection.outlook.com -all
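The ordering guidance and the two sample records above can be checked mechanically. The following is an added example, not code from the original page; the function names `parse_spf` and `lint_spf` are hypothetical, the third sample record is constructed, and the 10-lookup ceiling comes from RFC 7208 rather than from this page.

```python
import re

# Terms that each cost one DNS lookup when a receiver evaluates the record
# (RFC 7208 section 4.6.4 caps these at 10; exceeding it is a permerror).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
# Ordering from the guidance above: explicit IPs, DNS-querying mechanisms, includes.
RANK = {"ip4": 0, "ip6": 0, "a": 1, "mx": 1, "exists": 1, "ptr": 1, "include": 2}
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:[:=/](.*))?$")

def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, value) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for tok in tokens[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"unparseable term: {tok!r}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms

def lint_spf(record):
    """Return (top_level_lookups, findings); lookups inside include targets are not counted."""
    terms = parse_spf(record)
    findings = []
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of {MAX_LOOKUPS}")
    highest = 0
    for _, name, _ in terms:
        rank = RANK.get(name, highest)  # unranked terms (all, redirect) are skipped
        if rank < highest:
            findings.append(f"'{name}' is listed after a costlier mechanism")
        highest = max(highest, rank)
    quals = {name: qual for qual, name, _ in terms}
    if "all" not in quals and "redirect" not in quals:
        findings.append("no 'all' or redirect: unlisted senders evaluate to neutral")
    elif quals.get("all") in ("+", "?"):
        findings.append(f"'{quals['all']}all' does not restrict unlisted senders")
    return lookups, findings

if __name__ == "__main__":
    # The first two records are the page's samples; the third is constructed.
    for rec in ("v=spf1 include:_spf.google.com ~all",
                "v=spf1 include:spf.protection.outlook.com -all",
                "v=spf1 include:_spf.google.com mx ip4:192.0.2.10 ~all"):
        print(rec, "->", lint_spf(rec))
```

The count covers only the top-level record, so a record that passes here can still exceed the limit once the lookups inside each include target are added.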
Tools to check your SPF Record: