Last updated: July 2026
In short: After this guide your domain publishes a correct SPF record. Receiving mail servers can then tell which servers are allowed to send in your name — and sort out forged senders.
Prerequisites
- A Strato package with at least one domain
- Access to the Strato customer login
What is SPF?
SPF (Sender Policy Framework) is a TXT record in your domain’s DNS. It lists which mail servers are allowed to send email with your domain as the sender. Receiving servers look up the record on every incoming message and check whether the delivering server is on the list. Without SPF, any server can send mail in your domain’s name — and your legitimate mail lands in spam faster, because large receivers like Gmail now simply expect SPF.
For context: SPF alone is not complete protection. Only together with DKIM and DMARC does it become a solid foundation. But SPF is the easiest entry point.
The starting point at Strato
Strato handles SPF differently from many providers: in the DNS settings there are predefined SPF rules that you activate with a click — the most important one is called Standard STRATO Mailserver. Alternatively you can create a custom TXT rule.
A word on Strato’s documentation, because it’s confusing here: the DNS FAQ says that in most cases the setting “Keine STRATO SPF-Regel” (no STRATO SPF rule) is enough — while Strato’s own FAQ on delivery problems recommends creating exactly such an SPF record (e.g. “Standard STRATO Mailserver”) when mail lands in spam. Our recommendation is clear: publish the record. A missing SPF record is a delivery risk today, not a normal state.
Step-by-step guide
1. Check whether SPF is already active
Fastest via the terminal:
dig TXT example.com +short | grep spf1
If a record with v=spf1 comes back, your domain already publishes SPF. Alternatively, drop your domain into the free MXAudit scanner — it checks the record for syntax and lookup limits at the same time.
2. Open DNS settings
Sign in to the Strato customer login and choose Domains → Domainverwaltung (domain management). In the domain overview, click the gear icon next to your domain and open the DNS tab.
3. Activate the predefined SPF rule
In the SPF settings, choose the predefined rule Standard STRATO Mailserver. This authorizes the Strato mail servers — the right choice as long as you send exclusively via Strato (webmail or IMAP/SMTP mailboxes).
The Fail and Softfail options control how strictly non-authorized servers are treated; Strato recommends Fail when using an alternative mail server with your own MX record.
4. Own nameservers or external DNS zone?
If you’ve set your own nameservers but still use Strato’s shared-hosting mail (MX points to Strato), you have to maintain the SPF record yourself. Strato documents exactly this value:
v=spf1 redirect=_spf.strato.com
The redirect= means your domain fully adopts the SPF policy of _spf.strato.com — including its strict -all (hardfail) at the end. The reference costs exactly one DNS lookup; behind it is a flat list of Strato’s IPv4 and IPv6 ranges.
5. Add additional senders (if needed)
If you also send via other services — newsletter tool, CRM, shop system — the redirect= construct no longer fits: a redirect delegates the entire policy and can’t be combined with further sources. In that case switch to the include form and add your services:
v=spf1 include:_spf.strato.com include:spf.newsletter-dienst.de ~all
Important: There may be only one SPF record per domain. Two TXT records with v=spf1 result in a permerror — receiving servers then ignore SPF entirely. That’s worse than no SPF at all.
6. Wait until the change is live
DNS changes take time: depending on TTL and caching it can take a few hours until every server worldwide sees the new record.
The components in detail
| Component | Meaning |
|---|---|
v=spf1 | version identifier, always at the start |
redirect=_spf.strato.com | adopts Strato’s entire SPF policy (IPv4 and IPv6 ranges, ends with -all) |
include:_spf.strato.com | allows the Strato servers, but can be combined with further sources and your own ~all/-all |
Verify the result
Check your configuration with the free MXAudit scanner — it shows immediately whether your SPF record is syntactically correct and how many DNS lookups it consumes (the limit is 10).
Or directly in the terminal:
dig TXT example.com +short | grep spf1
The output must contain exactly one record with v=spf1.
Common mistakes
Two SPF records. Two TXT entries with v=spf1 lead to permerror. All sources belong in a single record.
redirect= combined with other mechanisms. A redirect= is only evaluated if no mechanism matched before it. If a ~all or -all is in the same record, that always takes effect first — the redirect is then dead weight. Either redirect= alone or include: with your own all ending.
Full hostname in the prefix field. Strato automatically appends the domain name to the value in the “Präfix” (prefix) field. If you enter example.com there, you get example.com.example.com — the record lands in the wrong place. Only enter the part before the domain; for the main domain’s SPF record, leave the field empty.
+all at the end. A +all allows any server to send and makes the whole record useless. Still shows up in some old forum posts — don’t copy it.
Forwarding fails. If a recipient auto-forwards your mail, SPF often fails at the final recipient — the forwarding server isn’t in your record. That’s a design weakness of SPF, not a configuration error; DKIM and DMARC catch this case.
Further reading
- Strato FAQ: Managing DNS entries at STRATO (German; retrieved: July 10, 2026)
- Strato FAQ: Sent emails land in the spam folder (German; retrieved: July 10, 2026)
- RFC 7208 — Sender Policy Framework (SPF)
