This article describes in detail how to set up email verification using an SPF record. More information about email verification through DNS can be found in the article Emails – SPF, DKIM and DMARC.
In this article you will learn:
- What an SPF record is and what it is used for
- How to set up a basic SPF record
- How to set up a detailed SPF record
- Common problems
- Frequently asked questions
SPF record
An SPF record is a special DNS record that protects emails from abuse of the domain name by spam mail.
A spam sender can set the sender address practically arbitrarily. However, domains with an SPF record precisely define which servers are allowed to send mail with their address. Emails from other servers are then classified as spam by the recipient's system.
Many email service providers automatically classify messages from domains without an SPF record as spam, or reject them outright.
Basic SPF record setup
The basic SPF record works only for emails sent from our system. If you have domain protection set up at WEDOS Protection ⧉, or if you also use another provider of protection and email services, follow the chapter Detailed SPF record setup.
The SPF record is a TXT-type DNS record. If your domain uses WEDOS DNS servers, configure it according to the instructions DNS – Domain records. Remember that changes in DNS will take effect within 1 hour.
The basic form of the SPF record for VEDOS mail servers is:
Name TTL Type Data
(blank) 300 TXT v=spf1 mx a include:_spf.we.wedos.net -all

This record works under the following conditions:
- You send emails from the website, for example through a form, only through our mail services.
- You send emails from an email client only through our mail services, or you have forwarding set up on the mailbox (more information in the article Emails - Mailbox forwarding).
- The domain does not use AAAA records.
- You do not use WEDOS Global Protection ⧉ or any other website protection provider via proxy.
If you do not meet one of the points above, continue with the instructions in the chapter Detailed SPF record setup.
Detailed SPF record setup
If you need to enter multiple servers and/or rules, combine their SPF records into one. To do this, simply list the individual rules between the opening text v=spf1 and the closing -all. Separate the rules with spaces.
There can be at most one valid TXT record for SPF in DNS. If you have more than one, none of them will work.
Rules for individual IP addresses
If you need to include a specific IP address in the record, insert it with the prefix ip4: or ip6:. Do not insert a space between the prefix and the address itself.
If your web server is behind a WEDOS Protection ⧉ proxy, add the Webhosting IPv4 and IPv6 addresses (if available) to the basic record. You can find them in the Service addresses table in its detail (a detailed guide can be found in the article DNS - A and AAAA records).
v=spf1 mx a ip4:(replace the bracket with the Webhosting IPv4 address) include:_spf.we.wedos.net -all
If you have an AAAA record set for the domain, but otherwise use only Webhosting and VEDOS emails, add the IPv6 address to the basic record.
v=spf1 mx a ip6:(replace the bracket with the Webhosting IPv6 address) include:_spf.we.wedos.net -all
Rules for other providers
If you send emails through providers other than VEDOS, find the form of their SPF record in the documentation or other resources of that provider.
Common problems
Common SPF record problems include:
- SPF records for multiple providers do not work
- Emails stopped being delivered after adding the domain to WEDOS Protection
- WEDOS returns emails with an SPF message
Non-working SPF records for multiple providers
Problem: We entered the SPF records of all our email providers and they do not work.
Cause: You must have only one SPF record for the given (sub)domain.
Solution: If you have more than one SPF record for the (sub)domain, merge them into one according to the instructions in the chapter Detailed SPF record setup.
Non-working SPF record for a domain on WEDOS Protection
Problem: After adding the domain to WEDOS Protection, the SPF record stopped working.
Cause: The IP address of the sending server differs from the IP address listed in the domain's A/AAAA records.
Solution: Add the Webhosting IP address to the record according to the instructions in the chapter Detailed SPF record setup. You can find it in the Service addresses table in the Webhosting detail.
Returned emails from WEDOS due to SPF
Problem: Mail sent to an email address at WEDOS is returned with the error message Recipient address rejected: Please see
http://www.openspf.net/Why?s=helo;id=domena-odesilatele.tld;ip=XX.XX.XX.XX;r=wes1-mx.
Cause: This is an SPF problem on the sender's side: either it is set incorrectly, or not at all.
Solution: Until the domain administrator (DNS) fixes the SPF problem, VEDOS mail servers will reject messages from it.
Frequently asked questions
Where should I make the SPF settings?
This is a DNS record, so set SPF in the DNS records administration of your DNS provider for your domain.
Why don't you set the SPF record automatically?
Although the basic SPF record is usually sufficient, we do not have enough information about your mail services to set it correctly under all circumstances. Because an incorrect SPF setup can completely block mail, we leave the setup to you, because only you have complete information about email operation on your domain.
How do I know that a missing SPF record is the reason mail is not being delivered?
Your emails end up in the recipient's spam folder, or you receive an email bounce message mentioning rejection based on an incorrect or missing SPF record. If you send emails from a website using the mail() function, the delivery problem may be caused either by the SPF record, or by a missing or incorrect return path parameter.
If I send emails from a subdomain, is it enough to have an SPF record on the main domain?
No, create SPF records for each subdomain from which you want to send emails.
What does the -all part of the record mean?
-all means that the server should discard all emails that do not match the rules. This is the strictest verification variant.
Google documentation ⧉ uses ~all, you use -all. Does it matter?
The stricter the verification variant is (and -all is stricter than ~all), the lower the chance that someone else will successfully impersonate you. The disadvantage is that if, with the -all variant, you really send an email from an unverified source for some reason, the recipient will discard it without further questions. With the ~all variant, there is still a chance that the message will get through.