DNS Record Explainer
Paste any DNS record and get a plain-English breakdown - every tag explained, risky settings flagged, related tools suggested. No domain needed.
[ OK ]
Detected: SPF
input
v=spf1 include:_spf.google.com include:mailgun.org ~all
[ explanation · ai ]
[ breakdown ]
v=spf1 — SPF version 1, the only currently used version. Required as the first tag in every SPF record.
include:_spf.google.com — pulls in Google's SPF policy (typically their IP ranges for Gmail/Workspace). Your domain trusts Google's infrastructure to send mail on your behalf. Google maintains that SPF record; if they change their IPs, your policy updates automatically.
include:mailgun.org — same mechanism for Mailgun (transactional email service). Delegates to their published SPF record.
~all — soft fail. Mail from any server not covered by the includes is still allowed through, but it gets an SPF softfail result, so recipients' servers flag it as suspicious rather than rejecting it outright. This is a permissive catch-all.
[ flags ]
• Soft fail (~all) is risky in production. If someone spoofs your domain from an unlisted IP, mail still goes through; only reputation takes a hit. Consider -all (hard fail) once you've verified all legitimate senders are covered.
• Two includes is fine, but you're at 3 DNS lookups (one for each include + the base query). SPF has a lookup limit of 10; you're safe here, but each additional service moves you closer to it.
• Missing context: do you actually own/control mailgun.org, or should this be include:mailgun.com? (mailgun.org is less common; verify you meant it.)
• No a or mx mechanisms in the policy. If your own server sends mail, you likely need to add those explicitly.
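The two checks flagged above (the qualifier on all and the 10-lookup limit), as an added offline example that is not this tool's own code. It counts lookups the way RFC 7208 does, following nested includes; SAMPLE_ZONE and the function names are constructed for illustration and do not reflect the real contents of any provider's SPF record.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 s4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10

# Constructed TXT answers standing in for live DNS (assumed contents, not real data).
SAMPLE_ZONE = {
    "_spf.google.com": "v=spf1 include:_netblocks.example.net ~all",
    "_netblocks.example.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "mailgun.org": "v=spf1 ip4:198.51.100.0/24 ~all",
}

def parse_terms(record):
    """Split an SPF record into (qualifier, name, value) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    terms = []
    for tok in parts[1:]:
        # A missing qualifier defaults to '+', so "all" alone means "+all".
        qual, body = (tok[0], tok[1:]) if tok[0] in QUALIFIERS else ("+", tok)
        name, _, value = re.match(r"([^:=/]*)([:=]?)(.*)", body).groups()
        terms.append((qual, name.lower(), value))
    return terms

def count_lookups(record, zone, seen=None):
    """Count lookup-triggering terms, descending into include/redirect targets."""
    seen = seen or set()
    total = 0
    for _, name, value in parse_terms(record):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and value in zone and value not in seen:
                total += count_lookups(zone[value], zone, seen | {value})
    return total

def analyze(record, zone):
    """Return the all qualifier, the recursive lookup count and any flags."""
    terms = parse_terms(record)
    all_qual = next((QUALIFIERS[q] for q, n, _ in terms if n == "all"), None)
    lookups = count_lookups(record, zone)
    flags = []
    if all_qual in ("pass", "softfail", "neutral"):
        flags.append(f"all resolves to {all_qual}: unlisted senders are not failed by SPF")
    if lookups > LOOKUP_LIMIT:
        flags.append(f"{lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT} (permerror)")
    return {"all": all_qual, "lookups": lookups, "flags": flags}
```

Includes whose targets are missing from the zone table are counted once and not followed, so against live DNS the recursive total can only be higher.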
[ context ]
SPF prevents basic spoofing of your domain in SMTP. Without it, anyone can claim to be an address at your domain, and most receivers won't stop it. With this record, receivers check: "Is the sending IP listed?" If not, and you set -all, they reject or quarantine.
This record alone isn't enough. Add DKIM and DMARC records to lock down authentication completely. Many providers (Gmail, Yahoo, etc.) require DKIM or DMARC for delivery now, especially in bulk volumes.
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers - no analytics/telemetry on paste content.