Last updated: July 2026
In short: After this guide your domain at OVHcloud publishes a correct SPF record. Receiving mail servers can then tell which servers are allowed to send in your name — and sort out forged senders.
Prerequisites
- A domain whose DNS zone is hosted at OVHcloud (the domain must use the OVHcloud DNS servers)
- Access to the OVHcloud Control Panel
- An OVHcloud email offer (MX Plan, Email Pro, Exchange) or an external sending service
What is SPF?
SPF (Sender Policy Framework) is a TXT record in your domain’s DNS. It lists which mail servers are allowed to send email with your domain as the sender. Receiving servers look up the record on every incoming message and check whether the delivering server is on the list. Without SPF, any server can send mail in your domain’s name — and your legitimate mail lands in spam faster, because large receivers like Gmail now simply expect SPF.
OVHcloud describes the qualifier at the end of the record precisely: it “will recommend to the server receiving the emails a way to react to a message considered illegitimate”, i.e. from a source that is not listed.
For context: SPF alone is not complete protection. Only together with DKIM and DMARC does it become a solid foundation. But SPF is the easiest entry point.
The starting point at OVHcloud
The prerequisite is clear from OVHcloud’s own documentation: “The domain name concerned must use the OVHcloud configuration” — i.e. the OVHcloud DNS servers. If your domain resolves through nameservers elsewhere, you maintain SPF in that provider’s interface instead.
OVHcloud publishes one shared SPF value that covers all of its standard email offers — MX Plan (standalone or included in an OVHcloud web hosting plan), E-mail Pro, and Hosted Exchange:
v=spf1 include:mx.ovh.com ~all
The DNS-zone assistant even offers a one-click option to add exactly this record.
Step-by-step guide
1. Check whether SPF is already active
Fastest via the terminal:
dig TXT example.com +short | grep spf1
If a record with v=spf1 comes back, your domain already publishes SPF. Alternatively, drop your domain into the free MXAudit scanner — it checks the record for syntax and lookup limits at the same time.
2. Open the DNS zone
Log in to the OVHcloud Control Panel and switch to Web Cloud in the top navigation bar. In the Domain names section, select the domain concerned and click the DNS zone tab. The table shows one line per DNS record.
3. Add the OVHcloud SPF record (OVH email only)
Click Add an entry in the right-hand menu. The assistant offers several ways to add an SPF record. For users who only send through OVHcloud email, choose Add an OVHcloud SPF record: pick the SPF record type and click the button Use the SPF for OVHcloud web hosting, then Confirm. This publishes exactly:
v=spf1 include:mx.ovh.com ~all
The include:mx.ovh.com lets OVHcloud manage the underlying IP ranges for you; the closing ~all is a softfail.
4. Add additional senders (if needed)
If you also send via other services — newsletter tool, CRM, shop system — the OVHcloud one-click record no longer fits on its own. Instead choose Add a TXT record in the assistant and enter the full string yourself, combining the OVHcloud include with your other sources:
v=spf1 include:mx.ovh.com include:spf.newsletter-dienst.de ~all
A second example, sending through OVHcloud plus Google Workspace:
v=spf1 include:mx.ovh.com include:_spf.google.com ~all
Important: There may be only one SPF record per domain. Two TXT records with v=spf1 result in a permerror — receiving servers then ignore SPF entirely. That’s worse than no SPF at all.
5. Wait until the change is live
OVHcloud states it plainly: “It can take between 4 and 24 hours until the configuration is fully effectual.” Don’t judge the result in the first few minutes.
The components in detail
| Component | Meaning |
|---|---|
v=spf1 | version identifier, always at the start |
include:mx.ovh.com | authorizes OVHcloud’s outgoing mail servers (MX Plan, Email Pro, Exchange); OVHcloud maintains the IPs behind it |
~all | softfail — unlisted servers are accepted but marked; -all (hardfail) is stricter |
Verify the result
Check your configuration with the free MXAudit scanner — it shows immediately whether your SPF record is syntactically correct and how many DNS lookups it consumes (the limit is 10).
Or directly in the terminal:
dig TXT example.com +short | grep spf1
The output must contain exactly one record with v=spf1.
Common mistakes
Two SPF records. Two TXT entries with v=spf1 lead to permerror. All sources belong in a single record.
Domain not on OVHcloud DNS. The SPF assistant only writes into the OVHcloud DNS zone. If your domain resolves through external nameservers, the record has to go into that provider’s zone instead.
One-click record plus extra senders. The OVHcloud one-click SPF publishes only include:mx.ovh.com ~all. If you also send through a newsletter or CRM service, switch to a custom TXT record and add the further include: sources — otherwise those mails fail SPF.
+all at the end. A +all allows any server to send and makes the whole record useless. Never copy it from old forum posts.
Forwarding fails. If a recipient auto-forwards your mail, SPF often fails at the final recipient — the forwarding server isn’t in your record. That’s a design weakness of SPF, not a configuration error; DKIM and DMARC catch this case.
Further reading
- OVHcloud: How to improve email security with an SPF record (retrieved: July 10, 2026)
- OVHcloud: Editing an OVHcloud DNS zone (retrieved: July 10, 2026)
- RFC 7208 — Sender Policy Framework (SPF)
