Last updated: July 2026
In short: After this guide your domain publishes a correct SPF record. Receiving mail servers can then tell which servers are allowed to send in your name — and sort out forged senders.
This guide applies to Netcup web hosting. On vServers and root servers you run your own mail server — there you write the SPF record to match your own infrastructure.
Prerequisites
- A Netcup web hosting package with at least one domain
- Access to the Customer Control Panel (CCP)
What is SPF?
SPF (Sender Policy Framework) is a TXT record in your domain’s DNS. It lists which mail servers are allowed to send email with your domain as the sender. Receiving servers look up the record on every incoming message and check whether the delivering server is on the list. Without SPF, any server can send mail in your domain’s name — and your legitimate mail lands in spam faster, because large receivers like Gmail now simply expect SPF.
For context: SPF alone is not complete protection. Only together with DKIM and DMARC does it become a solid foundation. But SPF is the easiest entry point.
The starting point at Netcup
In the CCP there is no dedicated SPF record type — SPF is a regular TXT record on the host @. For web hosting, Netcup documents exactly this value:
v=spf1 mx a include:_spf.webhosting.systems ~all
According to Netcup the record allows the server behind your A record, the servers behind your MX record, and the Netcup mail relay. Note Netcup’s own caveat: the record only works as intended if the default DNS settings are used and email is sent exclusively via the product’s mail servers — sending via the web server (e.g. phpmail or sendmail) or via external mail servers is explicitly not covered.
Step-by-step guide
1. Check whether SPF is already active
Fastest via the terminal:
dig TXT example.com +short | grep spf1
If a record with v=spf1 comes back, your domain already publishes SPF. Alternatively, drop your domain into the free MXAudit scanner — it checks the record for syntax and lookup limits at the same time.
2. Open DNS settings in the CCP
Sign in to the CCP and open the Domains menu item. Click the magnifying glass icon next to your domain and switch to the DNS tab.
3. Create (or edit) the TXT entry
There may be only one SPF entry per domain. If a TXT record with v=spf1 already exists, edit it; don’t create a second one.
If the entry is missing, create it like this:
| Field | Value |
|---|---|
| Host | @ |
| Type | TXT |
| Destination | v=spf1 mx a include:_spf.webhosting.systems ~all |
4. Add additional senders (if needed)
If you also send via other services — newsletter tool, CRM, shop system — their servers must be in the record too. You’ll find the required include value in that service’s docs (search for “SPF”). Edit the existing entry and add the include before the ~all:
v=spf1 mx a include:_spf.webhosting.systems include:spf.newsletter-dienst.de ~all
Keep an eye on the lookup budget while doing so — more on that shortly.
5. Wait until the change is live
DNS changes take time: depending on TTL and caching it can take a few hours until every server worldwide sees the new record.
The components in detail
| Component | Meaning |
|---|---|
v=spf1 | version identifier, always at the start |
mx | allows the servers behind your domain’s MX record |
a | allows the server behind your domain’s A/AAAA record |
include:_spf.webhosting.systems | allows the Netcup infrastructure (nests IPv4 and IPv6 lists) |
~all | softfail: all other servers are treated as suspicious, but mail is usually still accepted |
The lookup budget: SPF allows a maximum of 10 DNS lookups per check. The Netcup default record is unusually expensive here: mx (1) + a (1) + include:_spf.webhosting.systems (1) — and this include internally nests two more includes for IPv4 and IPv6 (1 each). That’s 5 of 10 lookups before you’ve added a single external service. Two or three newsletter or CRM includes later it gets tight; MXAudit counts along for you.
Verify the result
Check your configuration with the free MXAudit scanner — it shows immediately whether your SPF record is syntactically correct and how many DNS lookups it consumes.
Or directly in the terminal:
dig TXT example.com +short | grep spf1
The output must contain exactly one record with v=spf1.
Common mistakes
PHP mail() and web-server sending. WordPress forms and the like often send directly via the web server — according to Netcup exactly this path is not covered by the SPF record and leads to delivery problems. Use SMTP via the Netcup mail servers instead (e.g. via an SMTP plugin in your CMS).
Two SPF records. Two TXT entries with v=spf1 lead to permerror — receiving servers then ignore SPF entirely. All sources belong in a single record.
Exceeded the DNS lookup limit. The Netcup default record already consumes 5 of the 10 allowed lookups (see above). Anyone adding many services hits the limit faster than at other hosts.
+all at the end. A +all allows any server to send and makes the whole record useless. Still shows up in some old forum posts — don’t copy it.
Forwarding fails. If a recipient auto-forwards your mail, SPF often fails at the final recipient — the forwarding server isn’t in your record. That’s a design weakness of SPF, not a configuration error; DKIM and DMARC catch this case.
Further reading
- Netcup Helpcenter: DNS Records (Web Hosting) (retrieved: July 10, 2026)
- RFC 7208 — Sender Policy Framework (SPF)
