Last updated: July 2026
In short: Following this guide creates a valid SPF record for your dogado web hosting (via CloudPit or oneHome). Receiving mail servers can then identify authorized senders and block domain spoofing attempts.
Prerequisites
- An active web hosting or email plan at dogado
- Access to your customer panel — depending on your contract, either CloudPit or oneHome
What is SPF?
SPF (Sender Policy Framework) is an email authentication standard published as a TXT record in your domain’s DNS. As dogado summarizes clearly in their official docs: SPF wird verwendet, um Spammer davon abzuhalten, eine E-Mail-Adresse Ihrer Domain als Absender-Adresse zu nutzen (“SPF is used to prevent spammers from using an email address on your domain as their sender address”).
When an external mail server receives a message claiming to originate from your domain, it looks up your SPF record to verify whether the sending IP address is authorized. If the record is missing or incorrect, your legitimate messages risk being marked as spam or rejected.
For context: SPF only protects against forging the technical envelope sender (Return-Path). Only when paired with DKIM and DMARC does your domain achieve complete protection against spoofing.
The starting point at dogado: CloudPit vs. oneHome
Depending on which platform manages your contract, you configure your DNS records using either CloudPit or oneHome. In both panels, you create a TXT record on your root domain.
For standard dogado web hosting, the recommended SPF record is:
v=spf1 a mx include:secure-mailgate.com ~all
The include target secure-mailgate.com resolves behind the scenes to dogado’s central outgoing mail IP ranges (v=spf1 ip4:46.243.95.179 ip4:46.243.95.180).
Important note: The divergence between ~all and -all
When reviewing dogado’s documentation, you will notice an interesting divergence between the guides for their two customer panels:
- In the CloudPit tutorial, dogado recommends Softfail:
v=spf1 a mx include:secure-mailgate.com ~all - In the oneHome tutorial, dogado documents Hardfail:
v=spf1 a mx include:secure-mailgate.com -all
We strongly recommend starting and operating with ~all (Softfail). Enforcing a hard -all immediately can cause delivery failures when customers or partners forward your emails through automatic forwarders (such as forwarding to a personal Gmail account). Only after monitoring your mail traffic via DMARC and verifying DKIM alignment across all forwarders should you consider transitioning to -all.
Step-by-step guide
1. Check whether an SPF record already exists
Query your domain via terminal to see if an SPF record is currently active:
dig TXT example.com +short | grep spf1
If the command returns an existing string starting with v=spf1, edit that existing record rather than adding a new one. A domain must never publish more than one SPF TXT record.
2. Open DNS management
The navigation path depends on which customer portal you use:
Option A: CloudPit
As dogado documents: Melden Sie sich am CloudPit an. (“Log in to CloudPit.”) Then navigate to your domain’s settings: Klicken Sie anschließend auf den Punkt Webhosting und bei der entsprechenden Domain auf Aktionen und DNS-Verwaltung. (“Click on Webhosting, then click Actions and DNS Management for the corresponding domain.”)
Option B: oneHome
In the alternative control panel: Zunächst loggen Sie sich ins oneHome ein. (“First log in to oneHome.”) Open the DNS record management area for your domain there.
3. Create or edit the TXT record
Create a new TXT record (or modify the existing entry) using the following parameters:
- Name / Hostname: Leave this field blank for the root domain (
Unter Name (7) fügen nichts ein und lassen das Feld leer.) - Value / Text:
v=spf1 a mx include:secure-mailgate.com ~all - TTL: Keep the default setting (
Lassen Sie TTL (8) auf den Standardwert von 600.)
Save your changes.
4. Special cases: Microsoft 365 or Hosted Exchange at dogado
If you use Microsoft 365 or Hosted Exchange through dogado instead of the standard web hosting mail service, different include targets apply:
- For Microsoft 365 without Secure-Mailgate:
v=spf1 a mx include:spf.protection.outlook.com ~all - If your setup transmits email via both standard web hosting and Microsoft 365:
v=spf1 a mx include:secure-mailgate.com include:spf.protection.outlook.com ~all - For Hosted Exchange without Secure-Mailgate:
v=spf1 include:hex2013.com ~all
The components explained
| Component | Meaning |
|---|---|
v=spf1 | Protocol version identifier (must appear at the very start of the string) |
a mx | Authorized hosts: permits outgoing delivery from your domain’s A and MX records |
include:secure-mailgate.com | Authorizes dogado’s central mail gateways (v=spf1 ip4:46.243.95.179 ip4:46.243.95.180) |
~all | Softfail: unauthorized servers are marked as suspicious, but messages are generally accepted during delivery checks |
Verify the result
Once saved, audit your domain using the free MXAudit scanner to confirm valid DNS syntax and ensure your lookup count stays within standard limits.
You can also check your terminal to verify that only one v=spf1 record returns:
dig TXT example.com +short | grep spf1
Common mistakes
Publishing two SPF records. Creating a second TXT record while leaving an old SPF entry intact triggers a permerror. Always combine all necessary sending mechanisms (include statements) into a single v=spf1 string.
Confusing panel or service requirements. Ensure you select the correct include mechanism for your exact mail platform (include:secure-mailgate.com for web hosting, or the appropriate M365/Exchange include).
Switching to -all too early. Enforcing -all right away without DMARC monitoring can break legitimate forwarded emails.
Further reading
- dogado Help: Adding an SPF record (oneHome) (retrieved: July 17, 2026)
- dogado Help: Creating an SPF record (CloudPit) (retrieved: July 17, 2026)
- RFC 7208 — Sender Policy Framework (SPF)
