Last updated: July 2026

In short: After this guide your domain has a correct SPF record. Receiving mail servers can then tell which servers are allowed to send in your name — and sort out forged senders.

Prerequisites

  • An IONOS contract with at least one domain
  • Access to your IONOS account (login.ionos.de)

What is SPF?

SPF (Sender Policy Framework) is a TXT record in your domain’s DNS. It lists which mail servers are allowed to send email with your domain as the sender. Receiving servers look up the record on every incoming message and check whether the delivering server is on the list. Without SPF, any server can send mail in your domain’s name — an open door for phishing. A missing record also lands your mail in spam faster: Gmail and other large receivers now simply expect SPF.

For context: SPF alone is not complete protection. Only together with DKIM and DMARC does it become a solid foundation. But SPF is the easiest entry point.

The starting point at IONOS

The good news first: IONOS SPF is active by default for every domain hosted at IONOS. If your domain and mailboxes are with IONOS, the record usually already exists — IONOS maintains it as a predefined entry. So your job is mostly just to check that it’s really there. You need to act if the record is missing, if your DNS zone is with another provider, or if additional services should send in your name.

Step-by-step guide

1. Check whether SPF is already active

Fastest via the terminal:

dig TXT example.com +short | grep spf1

If a record with v=spf1 comes back, SPF is active. Alternatively, drop your domain into the free MXAudit scanner — it checks the record for syntax and lookup limits at the same time.

In the IONOS account you’ll see the entry in your domain’s DNS overview with the service note SPF.

2. Open DNS management

Sign in at login.ionos.de and click MenuDomains & SSL in your account’s title bar. In the domain overview, click the three dots next to your domain → DNS.

3. Activate IONOS SPF (if the record is missing)

Click Add record and choose IONOS SPF (TXT) — then Save.

Important: Really choose IONOS SPF (TXT), not SPF (TXT). The IONOS SPF entry is predefined and maintained by IONOS; with the generic SPF entry you have to write and keep the value up to date yourself.

Handy: if an SPF record from another email service already exists for the domain, IONOS automatically merges it with the IONOS servers when you activate — so the two are combined rather than blocking each other.

4. Domain with a different DNS provider? (external DNS)

If you use IONOS mailboxes but manage your DNS zone elsewhere (e.g. at a pure DNS host), you create a TXT record there yourself with exactly this value:

v=spf1 include:_spf-eu.ionos.com ~all

5. Add additional senders (if needed)

If you also send via other services — newsletter tool, CRM, shop system — their servers must be in the record too. You’ll find the required include value in that service’s docs (search for “SPF”). Edit the existing TXT record and add the new include before the ~all:

v=spf1 include:_spf-eu.ionos.com include:spf.newsletter-dienst.de ~all

Important: There may be only one SPF record per domain. Two TXT records with v=spf1 result in a permerror — receiving servers then ignore SPF entirely. That’s worse than no SPF at all.

6. Wait until the change is live

IONOS applies DNS changes typically within 15 to 60 minutes. Due to DNS caching it can take a few hours until every server worldwide sees the new record.

The components in detail

ComponentMeaning
v=spf1version identifier, always at the start
include:_spf-eu.ionos.comallows all IONOS mail servers (IPv4 and IPv6 ranges); costs exactly one DNS lookup
~allsoftfail: all other servers are treated as suspicious, but mail is usually still accepted

Instead of ~all you can use -all (hardfail) — non-listed servers are then hard-rejected. Only do that once you’re sure all your sending paths are in the record. Otherwise you’ll lose legitimate mail.

Verify the result

Check your configuration with the free MXAudit scanner — it shows immediately whether your SPF record is syntactically correct and how many DNS lookups it consumes (the limit is 10).

Or directly in the terminal:

dig TXT example.com +short | grep spf1

The output must contain exactly one record with v=spf1.

Common mistakes

Two SPF records. Two TXT entries with v=spf1 cause a permerror. All include statements belong in a single record.

Outdated includes from old guides. Guides with include:_spf.kundenserver.de or include:_spf.perfora.net — the old 1&1 includes — still circulate. They do still exist, but IONOS currently recommends include:_spf-eu.ionos.com for Europe; that include also covers the IPv6 ranges the legacy entries lack.

Chose SPF (TXT) instead of IONOS SPF (TXT). Then you get an empty TXT form instead of the IONOS-maintained entry — and have to track every change to IONOS’s infrastructure yourself.

Exceeded the DNS lookup limit. SPF allows a maximum of 10 DNS lookups per check. Every include:, a, mx, exists:, and redirect= counts — nested ones too. The IONOS include costs one lookup; if you add many services, you hit the limit faster than you’d think. MXAudit counts the lookups for you.

+all at the end. A +all allows any server to send and makes the whole record useless. Still shows up in some old forum posts — don’t copy it.

Forwarding fails. If a recipient auto-forwards your mail, SPF often fails at the final recipient — the forwarding server isn’t in your record. That’s a design weakness of SPF, not a configuration error; DKIM and DMARC catch this case.

Further reading