Providers

SPF Email Providers

Email providers publish SPF include hostnames or IP ranges that you must add to your domain policy to authorize their outbound mail.

Beginner · 6 min read · Reviewed Jul 4, 2026

Quick answer

Email service providers authorize outbound mail by publishing SPF policies on dedicated hostnames or by documenting IP ranges customers must add. Your domain typically references them with include mechanisms. Each provider has distinct setup instructions, and using outdated macros after migrations is a frequent cause of SPF failure when sending through SaaS platforms.

Beginner explanation

Most organizations no longer send all email from one on-premise server. Marketing automation, CRM, support desks, and transactional platforms each send on your behalf from their own infrastructure.

Providers solve this by publishing SPF records you can reference with include, or by giving you explicit IP ranges. Your job is to combine those authorizations into one coherent policy at your domain without breaking lookup limits.

Every provider documents slightly different hostnames and migration paths. Treat provider SPF instructions as living documentation, not one-time setup steps.

Technical explanation

Major ESPs maintain centralized SPF include domains such as spf.protection.outlook.com for Microsoft 365 or _spf.google.com for Google Workspace. Smaller vendors may ask you to include a branded hostname or publish several ip4 mechanisms.

When evaluating providers, check whether they support custom return-path domains. Custom bounce domains may require SPF records on a subdomain while the root domain policy covers employee mail. Provider documentation should specify both envelope and DKIM signing domains.

Provider SPF assets change during infrastructure upgrades. Subscribe to vendor status communications and re-validate after major platform changes. A provider consolidation in their backend can alter nested includes that your domain depends on indirectly.

Business impact

Missing provider authorization blocks or filters email from revenue-impacting systems. Sales sequences, billing notices, and product alerts fail silently or land in spam while internal Exchange or Google mail still works, masking the root cause.

Over-authorizing providers—keeping includes for vendors you no longer use—expands spoofing surface and wastes lookup budget that future tools will need.

Common mistakes

- Authorizing only the root marketing platform while neglecting transactional or CRM senders
- Using community blog posts instead of the vendor's current DNS documentation
- Removing an include when pausing a service, then forgetting to restore it when the service resumes

How SPF Manager helps

SPF Manager maintains a catalog of common provider SPF patterns and detects which includes in your record map to known services. It highlights undocumented or unrecognized includes that may be stale.

When onboarding a provider, guided setup shows the exact include or IP mechanisms to add and previews lookup impact before you commit DNS changes.

Recommended next step

See how this applies to your domain before you change DNS.

Analyze my domain

Related articles

Providers

Provider SPF Synchronization

Provider SPF synchronization keeps your DNS policy aligned with the email services your organization actually uses.

Intermediate 7 min read

Microsoft 365

Microsoft 365 SPF Setup

Microsoft 365 requires include:spf.protection.outlook.com in your SPF record to authorize Exchange Online outbound mail.

Beginner 6 min read

Google Workspace

Google Workspace SPF Setup

Google Workspace uses include:_spf.google.com to authorize Gmail and Google Apps SMTP infrastructure for your domain.

Beginner 6 min read

SPF Basics

SPF Include Mechanism

The SPF include mechanism authorizes another domain's SPF policy as part of your own, enabling third-party senders without listing every IP.

Beginner 5 min read