Last updated: July 2026

In short: Following this guide creates a valid SPF record for your dogado web hosting (via CloudPit or oneHome). Receiving mail servers can then identify authorized senders and block domain spoofing attempts.

Prerequisites

  • An active web hosting or email plan at dogado
  • Access to your customer panel — depending on your contract, either CloudPit or oneHome

What is SPF?

SPF (Sender Policy Framework) is an email authentication standard published as a TXT record in your domain’s DNS. As dogado summarizes clearly in their official docs: SPF wird verwendet, um Spammer davon abzuhalten, eine E-Mail-Adresse Ihrer Domain als Absender-Adresse zu nutzen (“SPF is used to prevent spammers from using an email address on your domain as their sender address”).

When an external mail server receives a message claiming to originate from your domain, it looks up your SPF record to verify whether the sending IP address is authorized. If the record is missing or incorrect, your legitimate messages risk being marked as spam or rejected.

For context: SPF only protects against forging the technical envelope sender (Return-Path). Only when paired with DKIM and DMARC does your domain achieve complete protection against spoofing.

The starting point at dogado: CloudPit vs. oneHome

Depending on which platform manages your contract, you configure your DNS records using either CloudPit or oneHome. In both panels, you create a TXT record on your root domain.

For standard dogado web hosting, the recommended SPF record is:

v=spf1 a mx include:secure-mailgate.com ~all

The include target secure-mailgate.com resolves behind the scenes to dogado’s central outgoing mail IP ranges (v=spf1 ip4:46.243.95.179 ip4:46.243.95.180).

Important note: The divergence between ~all and -all

When reviewing dogado’s documentation, you will notice an interesting divergence between the guides for their two customer panels:

  • In the CloudPit tutorial, dogado recommends Softfail: v=spf1 a mx include:secure-mailgate.com ~all
  • In the oneHome tutorial, dogado documents Hardfail: v=spf1 a mx include:secure-mailgate.com -all

We strongly recommend starting and operating with ~all (Softfail). Enforcing a hard -all immediately can cause delivery failures when customers or partners forward your emails through automatic forwarders (such as forwarding to a personal Gmail account). Only after monitoring your mail traffic via DMARC and verifying DKIM alignment across all forwarders should you consider transitioning to -all.

Step-by-step guide

1. Check whether an SPF record already exists

Query your domain via terminal to see if an SPF record is currently active:

dig TXT example.com +short | grep spf1

If the command returns an existing string starting with v=spf1, edit that existing record rather than adding a new one. A domain must never publish more than one SPF TXT record.

2. Open DNS management

The navigation path depends on which customer portal you use:

Option A: CloudPit As dogado documents: Melden Sie sich am CloudPit an. (“Log in to CloudPit.”) Then navigate to your domain’s settings: Klicken Sie anschließend auf den Punkt Webhosting und bei der entsprechenden Domain auf Aktionen und DNS-Verwaltung. (“Click on Webhosting, then click Actions and DNS Management for the corresponding domain.”)

Option B: oneHome In the alternative control panel: Zunächst loggen Sie sich ins oneHome ein. (“First log in to oneHome.”) Open the DNS record management area for your domain there.

3. Create or edit the TXT record

Create a new TXT record (or modify the existing entry) using the following parameters:

  • Name / Hostname: Leave this field blank for the root domain (Unter Name (7) fügen nichts ein und lassen das Feld leer.)
  • Value / Text:
    v=spf1 a mx include:secure-mailgate.com ~all
  • TTL: Keep the default setting (Lassen Sie TTL (8) auf den Standardwert von 600.)

Save your changes.

4. Special cases: Microsoft 365 or Hosted Exchange at dogado

If you use Microsoft 365 or Hosted Exchange through dogado instead of the standard web hosting mail service, different include targets apply:

  • For Microsoft 365 without Secure-Mailgate:
    v=spf1 a mx include:spf.protection.outlook.com ~all
  • If your setup transmits email via both standard web hosting and Microsoft 365:
    v=spf1 a mx include:secure-mailgate.com include:spf.protection.outlook.com ~all
  • For Hosted Exchange without Secure-Mailgate:
    v=spf1 include:hex2013.com ~all

The components explained

ComponentMeaning
v=spf1Protocol version identifier (must appear at the very start of the string)
a mxAuthorized hosts: permits outgoing delivery from your domain’s A and MX records
include:secure-mailgate.comAuthorizes dogado’s central mail gateways (v=spf1 ip4:46.243.95.179 ip4:46.243.95.180)
~allSoftfail: unauthorized servers are marked as suspicious, but messages are generally accepted during delivery checks

Verify the result

Once saved, audit your domain using the free MXAudit scanner to confirm valid DNS syntax and ensure your lookup count stays within standard limits.

You can also check your terminal to verify that only one v=spf1 record returns:

dig TXT example.com +short | grep spf1

Common mistakes

Publishing two SPF records. Creating a second TXT record while leaving an old SPF entry intact triggers a permerror. Always combine all necessary sending mechanisms (include statements) into a single v=spf1 string.

Confusing panel or service requirements. Ensure you select the correct include mechanism for your exact mail platform (include:secure-mailgate.com for web hosting, or the appropriate M365/Exchange include).

Switching to -all too early. Enforcing -all right away without DMARC monitoring can break legitimate forwarded emails.

Further reading