If you just set up Instantly, Smartlead, or another cold email tool, the question lands almost immediately: what SPF include do I add for my platform? Every generic guide tells you to "add your provider's SPF include," but none of them tell you whether Instantly or Lemlist even is the provider. Here's exactly how to set up SPF for cold email, including which platforms actually need their own record and which ones don't.
The short answer: what your SPF record needs
Your domain needs exactly one SPF TXT record. That record should include your mailbox provider (Google Workspace or Microsoft 365), not your cold email tool. The cold email SPF setup most SDRs overthink is actually simpler than it looks.
For Google Workspace:
v=spf1 include:_spf.google.com ~all
For Microsoft 365 (per Microsoft's SPF documentation for Microsoft 365):
v=spf1 include:spf.protection.outlook.com ~all
Most cold email tools (Instantly, Smartlead, Lemlist, Woodpecker, Mailshake) send through your connected Google or Microsoft mailbox. Your mailbox provider's include already covers them. The one exception is Reply.io, which sends from its own servers and needs include:spf.reply.io added to your record.
The most common SPF problem we flag in scans isn't a missing include. It's a duplicate SPF record, created when someone adds a second sending tool without merging it into the existing record. More on that below.
What SPF actually does for cold email
SPF is a setting on your domain that tells email providers which servers are allowed to send mail on your behalf, so they can reject anyone trying to impersonate you. It's spoofing protection at the sending level.
This matters more than it did even two years ago. Google and Yahoo started enforcing email authentication for all senders in February 2024, requiring SPF or DKIM (either satisfies the baseline). Both SPF and DKIM, plus DMARC, are required only if you send more than 5,000 messages per day. Microsoft followed in May 2025, with enforcement targeting senders of 5,000 or more messages per day to Outlook, Hotmail, and Live consumer addresses. Without SPF, cold emails from a new sending domain are increasingly rejected or routed to spam before they reach anyone's inbox.
Google's email sender guidelines cover the full requirement tiers.
There's one technical limit worth knowing (the 10-lookup rule, covered below), but adding the record itself takes under 5 minutes.
Which cold email platforms need their own SPF include
Here's the part most guides skip: your cold email tool probably isn't actually sending your email. Tools like Instantly and Smartlead connect to your existing Google Workspace or Microsoft 365 mailbox and send through its servers. The server doing the actual sending is Google's or Microsoft's, which your SPF record already authorizes.
That's why there's no "SPF for Instantly" or "SPF for Smartlead" include tag to add. If you've been searching for an Instantly SPF include to add, that's exactly the confusion Instantly's own setup content creates. It doesn't explain the sending model clearly. Here's the platform-by-platform breakdown.
| Platform | Needs its own SPF include? | What to add to your SPF | Why |
|----------|---------------------------|-------------------------|-----|
| Instantly | No | Nothing — your Google or Microsoft include covers it | Sends through your connected Google or Microsoft mailbox |
| Smartlead | No | Nothing — your Google or Microsoft include covers it | Sends via your connected mailbox; SmartSenders auto-configures Namecheap DNS |
| Lemlist | No | Nothing — your Google or Microsoft include covers it | "Do NOT include lemlist. lemlist doesn't send emails directly, your provider does." |
| Woodpecker | No | Nothing — your Google or Microsoft include covers it | "There's no need to include Woodpecker in your SPF. Woodpecker sends emails using your own servers." |
| Mailshake | No | Nothing — your Google or Microsoft include covers it | Sends via your Google Workspace or Microsoft 365 account |
| Reply.io | Yes | include:spf.reply.io | Sends via Reply.io's own infrastructure, not your mailbox |
Lemlist's own documentation confirms this: only include your actual email provider, never Lemlist itself. Woodpecker's help docs say the same. If the Instantly and Smartlead rows surprised you, that's because Instantly's own help article documents the sending model but doesn't surface it prominently in setup flows.
Reply.io caveat: even with include:spf.reply.io in place, Reply.io routes mail through its own infrastructure, which can make DMARC alignment harder to achieve than it is with Google or Microsoft. If your domain has DMARC enforcement turned on (p=quarantine or p=reject), verify your own setup before relying on Reply.io for DMARC-critical sending: run a scan on your domain and check Reply.io's current documentation to confirm what alignment options are available. MXToolbox's outbound source record for Reply.io documents the infrastructure details directly.
If you send from a dedicated cold-outreach domain (which doesn't actually isolate your sending reputation the way most people think), the same SPF rules apply: include your mailbox provider, add Reply.io only if you use it, and merge everything into one record.
Platform include tags verified against official documentation on 2026-06-03. Verify your tool's current docs before publishing your record.
How to set up SPF for cold email in your DNS provider
Here's how to set up SPF for cold email in each major DNS provider. Once you know what goes in your record, adding it is a 2-minute task in your DNS dashboard. Find your provider below.
Cloudflare
Cloudflare SPF setup for cold email is one of the fastest. Changes go live almost immediately.
- Log in at dash.cloudflare.com
- Select your domain, then go to DNS > Records
- Click Add record
- Set Type to TXT, Name to @, and Value to your SPF record
- Click Save
Changes propagate almost instantly. No waiting around.
GoDaddy
- Log in to GoDaddy and go to My Products > DNS at dcc.godaddy.com/domains
- Click Add New Record
- Set Type to TXT, Host to @, and TXT Value to your SPF record
- Click Save
GoDaddy changes typically go live within a few minutes.
Namecheap
Namecheap SPF setup follows their Advanced DNS panel.
- Log in to Namecheap and go to Domain List at ap.www.namecheap.com/domains/list/
- Click Manage next to your domain, then click Advanced DNS
- Click Add New Record, then select TXT Record
- Set Host to @ and Value to your SPF record
- Click the checkmark to save
AWS Route 53
- Open the Route 53 console at console.aws.amazon.com/route53/
- Go to Hosted Zones and select your domain
- Click Create Record
- Set Type to TXT, leave Name blank or enter @, and paste your SPF record as the Value, wrapped in double quotes
- Click Create records
Route 53 requires the record value wrapped in double quotes in the input field. For example: "v=spf1 include:_spf.google.com ~all"
Vercel DNS
- Open your project in the Vercel Dashboard and go to Settings > Domains
- Select your domain, then scroll to DNS Records and click Add
- Set Type to TXT and Name to @
- Paste your SPF record value and click Add
Vercel DNS doesn't support inline record editing. To update your SPF record, delete it and re-create it with the new value.
Common SPF mistakes that break your cold email deliverability
These are the three misconfiguration patterns our scanner flags most often. All three are fixable in under five minutes.
Mistake 1: Two SPF records instead of one
This is the single most common trap we see. An SDR runs Google Workspace campaigns through Instantly. Their SPF record is v=spf1 include:_spf.google.com ~all. They then add Reply.io and, because every guide tells them to "add your platform's include," they create a second TXT record: v=spf1 include:spf.reply.io ~all.
Now two SPF records exist on the same domain. The email standard forbids this. Receiving servers return a permanent error and treat your SPF as failed entirely. Your sending sources are unauthenticated, and your deliverability suffers with no error message telling you why. Our scanner flags this as SPF_MULTIPLE_RECORDS.
Merge both includes into a single record:
v=spf1 include:_spf.google.com include:spf.reply.io ~all
One record. All your authorized senders listed within it.
Mistake 2: Using +all (the open door)
+all tells every mail server on the internet that it's authorized to send as you. It's the worst possible SPF setting: you get zero spoofing protection while technically still having an SPF record. Our scanner flags this as SPF_PLUS_ALL.
End your record with ~all during setup or -all once your setup is stable. Never +all. Ever.
Mistake 3: Stacking too many sending tools in your record (the 10-lookup limit)
The email standard caps SPF evaluation at 10 DNS lookups. Each include: counts as one lookup, and the records those includes point to may resolve additional lookups underneath. A domain sending via Google Workspace, Reply.io, and a transactional email provider can approach this limit faster than expected.
If you exceed 10 lookups, receiving servers return a configuration error and your SPF fails even if the record looks correct. Our scanner flags this as SPF_TOO_MANY_LOOKUPS. The fix: remove includes for sending services you no longer use and audit what each include resolves to.
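The three mistakes above as a checkable routine, added here as an example (it is not the scanner's code or any platform's): it audits a set of TXT answers for duplicate records, a permissive all term and the 10-lookup cap, and merges duplicates into one record. The ZONE data, the .example domains and the contents of every include target are constructed; only the include names and the three finding labels come from this article.

```python
import re

# Constructed TXT answers standing in for DNS. The contents of every include
# target are made up for this example and are not the providers' real records.
ZONE = {
    "two.example": ["v=spf1 include:_spf.google.com ~all",
                    "v=spf1 include:spf.reply.io ~all"],
    "open.example": ["v=spf1 include:_spf.google.com +all"],
    "stacked.example": ["v=spf1 include:_spf.google.com "
                        + " ".join(f"include:s{i}.example" for i in range(9)) + " ~all"],
    "_spf.google.com": ["v=spf1 include:s9.example include:s10.example ~all"],
    "spf.reply.io": ["v=spf1 ip4:192.0.2.0/24 -all"],
}
ZONE.update({f"s{i}.example": [f"v=spf1 ip4:198.51.100.{i} -all"] for i in range(11)})

def spf_records(txts):
    """Keep only the TXT strings that are SPF records."""
    return [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, path=()):
    """Count the DNS-querying terms reached while evaluating domain's record."""
    recs = spf_records(zone.get(domain, []))
    if domain in path or len(recs) != 1:
        return 0  # include loop or unusable target; real evaluators error out here
    total = 0
    for term in recs[0].split()[1:]:
        t = term.lstrip("+-~?").lower()
        if t.startswith(("include:", "redirect=")):
            target = re.split(r"[:=]", t, maxsplit=1)[1]
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif re.match(r"(a|mx|ptr|exists)([:/]|$)", t):
            total += 1  # these mechanisms also cost one lookup each
    return total

def audit(domain, zone):
    """Return labels for the three mistakes above (names reused from the article)."""
    recs = spf_records(zone.get(domain, []))
    if len(recs) != 1:  # several (or no) v=spf1 records: nothing else is evaluated
        return ["SPF_MULTIPLE_RECORDS"] if recs else ["no SPF record"]
    findings = []
    if any(t.lower() in ("all", "+all") for t in recs[0].split()[1:]):
        findings.append("SPF_PLUS_ALL")  # a bare "all" defaults to the + qualifier
    if count_lookups(domain, zone) > 10:
        findings.append("SPF_TOO_MANY_LOOKUPS")
    return findings

def merge(records, tail="~all"):
    """Fold several SPF records into one, dropping each record's own all term."""
    terms = [t for r in records for t in r.split()[1:] if t.lstrip("+-~?").lower() != "all"]
    return " ".join(["v=spf1", *dict.fromkeys(terms), tail])
```

In this constructed data, stacked.example lists only ten includes in its own record, yet the nested includes behind one of them push the evaluated total past the cap.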
How to verify your SPF is working
Our scanner checks for SPF_MULTIPLE_RECORDS, SPF_TOO_MANY_LOOKUPS, SPF_PLUS_ALL, and six other specific issues. If any of them fire, your SPF isn't protecting you, even if the record technically exists and passes a basic syntax check.
DNS changes take a few minutes to go live. If the scanner shows SPF missing immediately after you save, wait five minutes and scan again. Once SPF is confirmed, check if you pass Google's bulk sender requirements. SPF is one piece of a larger compliance picture.
Frequently asked questions about SPF for cold email
Do I need to add Instantly to my SPF record?
No. Instantly sends email through your connected Google Workspace or Microsoft 365 mailbox. Your SPF record already covers Instantly as long as it includes your mailbox provider's include tag: include:_spf.google.com for Google or include:spf.protection.outlook.com for Microsoft. There's no Instantly-specific SPF tag to add; Instantly doesn't have one. The same applies to Smartlead, Lemlist, Woodpecker, and Mailshake.
Can I have two SPF records on the same domain?
No. The email standard requires exactly one SPF record per domain. If you have two lines starting with v=spf1, receiving servers are required to treat your SPF as invalid. Merge all your includes into a single record. Our scanner flags this configuration as SPF_MULTIPLE_RECORDS. It's one of the most common issues we see on cold outreach domains.
What is the 10-lookup limit and will I hit it?
SPF evaluation is capped at 10 DNS lookups. Each include: directive counts as one lookup, and the records those includes resolve to may trigger additional lookups of their own. A domain sending via Google Workspace, Reply.io, and a transactional service like SendGrid uses roughly 3–5 lookups total and is safely within the limit. If you're stacking many services, our scanner flags SPF_TOO_MANY_LOOKUPS before you have to guess whether you've crossed the line.
Should I use -all or ~all for cold email?
Start with ~all (soft fail) during setup and warmup. Soft fail means mail from unauthorized servers is still delivered but flagged, which is useful while you confirm all your sending sources are properly listed. Switch to -all after a few weeks of sending. Run a scan first to confirm nothing legitimate is being blocked. Our scanner flags ~all-only records as medium severity, not critical. It's fine while you're getting established, but it shouldn't be a permanent setting.
Is SPF enough for cold email deliverability?
No. SPF alone is necessary but not sufficient. Google and Yahoo require SPF or DKIM for all senders. Both SPF and DKIM, plus DMARC, are also required for bulk senders above 5,000 messages per day. Microsoft enforces the same thresholds for mail sent to Outlook, Hotmail, and Live addresses. For the complete picture, check if you pass Google's bulk sender requirements. SPF is the foundation, and DKIM and DMARC build on top of it.
Your SPF record is one of three email authentication settings (SPF, DKIM, and DMARC) that determine whether your cold emails reach the inbox. Once it's in place, check that DKIM and DMARC are also configured correctly. All three work together, and a gap in any one of them can silently drain your inbox placement.