Last updated: July 2026

In short: After this guide your domain has a correct SPF record in Gandi’s LiveDNS. Receiving mail servers can then tell which servers are allowed to send in your name — and sort out forged senders.

Prerequisites

  • A domain at Gandi using Gandi LiveDNS (the default nameservers)
  • Access to your Gandi account (admin.gandi.net)

What is SPF?

SPF (Sender Policy Framework) is a TXT record in your domain’s DNS. Gandi puts it plainly: it “publicly shares which IP addresses are authorized to send email from your domain name.” Receiving servers look up the record on every incoming message and check whether the delivering server is on the list. Without SPF, any server can send mail in your domain’s name — an open door for phishing. A missing record also lands your mail in spam faster: Gmail and other large receivers now simply expect SPF.

For context: SPF alone is not complete protection. Only together with DKIM and DMARC does it become a solid foundation. But SPF is the easiest entry point.

The starting point at Gandi

Gandi is both a registrar with LiveDNS and a mailbox host (Gandi Mail). If you send mail through Gandi’s mail servers, you publish an SPF record that authorizes them via a single include. Unlike DKIM, SPF is not toggled on automatically — you add the TXT record yourself. Which value you need depends on how you send:

  • Gandi Mail (mailboxes at Gandi) → the mail include
  • Gandi Web Hosting that sends mail (e.g. a contact form) → the web hosting include
  • both → a combined record

Step-by-step guide

1. Check whether SPF is already active

Fastest via the terminal:

dig TXT example.com +short | grep spf1

If a record with v=spf1 comes back, SPF is active. Alternatively, drop your domain into the free MXAudit scanner — it checks the record for syntax and lookup limits at the same time.

2. Open the DNS records in LiveDNS

Sign in at admin.gandi.net, click Domain in the left navigation menu, and click on the domain name you wish to manage. Open the DNS Records tab.

3. Add the SPF record

Click the green Add button above the table to add a new record. Choose type TXT, set the name to @ (the bare domain), and enter the value that matches your setup.

If you send mail from your domain using Gandi’s mail servers:

v=spf1 include:_mailcust.gandi.net ?all

If you have a site hosted by Gandi Web Hosting that sends email:

v=spf1 include:_spf.gpaas.net ?all

If you use both Gandi Mail and a Gandi-hosted site that sends email, combine them into one record:

v=spf1 include:_mailcust.gandi.net include:_spf.gpaas.net ?all

The web hosting include is only needed “if you plan to send e-mails through your website (via a contact form, for example).” If your site never sends mail, leave it out.

4. Add additional senders (if needed)

If you also send via other services — newsletter tool, CRM, shop system — their servers must be in the record too. You’ll find the required include value in that service’s docs (search for “SPF”). Edit the existing TXT record and add the new include before the ?all:

v=spf1 include:_mailcust.gandi.net include:spf.newsletter-dienst.de ?all

Important: There may be only one SPF record per domain. Two TXT records with v=spf1 result in a permerror — receiving servers then ignore SPF entirely. That’s worse than no SPF at all.

5. Wait until the change is live

In LiveDNS a new record is applied in real time, but due to DNS caching it can take a few hours — Gandi notes it can take up to 72 hours for changes to take effect everywhere.

The components in detail

ComponentMeaning
v=spf1version identifier, always at the start
include:_mailcust.gandi.netallows Gandi’s mail servers
include:_spf.gpaas.netallows Gandi Web Hosting (only if your site sends mail)
?allneutral: other servers are neither endorsed nor rejected

Gandi’s ready-made records end in ?all (neutral). Stricter is ~all (softfail) or -all (hardfail), where non-listed servers are treated as suspicious or hard-rejected. Only tighten to -all once you’re sure all your sending paths are in the record — otherwise you’ll lose legitimate mail.

Verify the result

Check your configuration with the free MXAudit scanner — it shows immediately whether your SPF record is syntactically correct and how many DNS lookups it consumes (the limit is 10).

Or directly in the terminal:

dig TXT example.com +short | grep spf1

The output must contain exactly one record with v=spf1.

Common mistakes

Two SPF records. Two TXT entries with v=spf1 cause a permerror. All include statements belong in a single record.

Web hosting include without web hosting. include:_spf.gpaas.net only belongs in the record if a Gandi-hosted site actually sends mail. Otherwise leave it out — it’s an unnecessary lookup.

Exceeded the DNS lookup limit. SPF allows a maximum of 10 DNS lookups per check. Every include:, a, mx, exists:, and redirect= counts — nested ones too. MXAudit counts the lookups for you.

+all at the end. A +all allows any server to send and makes the whole record useless. Don’t copy it from old forum posts.

Forwarding fails. If a recipient auto-forwards your mail, SPF often fails at the final recipient — the forwarding server isn’t in your record. That’s a design weakness of SPF, not a configuration error; DKIM and DMARC catch this case.

Further reading