Last updated: July 2026

In short: After this guide your domain publishes a correct SPF record. Receiving mail servers can then tell which servers are allowed to send in your name — and sort out forged senders.

Prerequisites

What is SPF?

SPF (Sender Policy Framework) is a TXT record in your domain’s DNS. It lists which mail servers are allowed to send email with your domain as the sender. Receiving servers look up the record on every incoming message and check whether the delivering server is on the list. Without SPF, any server can send mail in your domain’s name — and your legitimate mail lands in spam faster, because large receivers like Gmail now simply expect SPF.

For context: SPF alone is not complete protection. Only together with DKIM and DMARC does it become a solid foundation. But SPF is the easiest entry point.

The starting point at Strato

Strato handles SPF differently from many providers: in the DNS settings there are predefined SPF rules that you activate with a click — the most important one is called Standard STRATO Mailserver. Alternatively you can create a custom TXT rule.

A word on Strato’s documentation, because it’s confusing here: the DNS FAQ says that in most cases the setting “Keine STRATO SPF-Regel” (no STRATO SPF rule) is enough — while Strato’s own FAQ on delivery problems recommends creating exactly such an SPF record (e.g. “Standard STRATO Mailserver”) when mail lands in spam. Our recommendation is clear: publish the record. A missing SPF record is a delivery risk today, not a normal state.

Step-by-step guide

1. Check whether SPF is already active

Fastest via the terminal:

dig TXT example.com +short | grep spf1

If a record with v=spf1 comes back, your domain already publishes SPF. Alternatively, drop your domain into the free MXAudit scanner — it checks the record for syntax and lookup limits at the same time.

2. Open DNS settings

Sign in to the Strato customer login and choose DomainsDomainverwaltung (domain management). In the domain overview, click the gear icon next to your domain and open the DNS tab.

3. Activate the predefined SPF rule

In the SPF settings, choose the predefined rule Standard STRATO Mailserver. This authorizes the Strato mail servers — the right choice as long as you send exclusively via Strato (webmail or IMAP/SMTP mailboxes).

The Fail and Softfail options control how strictly non-authorized servers are treated; Strato recommends Fail when using an alternative mail server with your own MX record.

4. Own nameservers or external DNS zone?

If you’ve set your own nameservers but still use Strato’s shared-hosting mail (MX points to Strato), you have to maintain the SPF record yourself. Strato documents exactly this value:

v=spf1 redirect=_spf.strato.com

The redirect= means your domain fully adopts the SPF policy of _spf.strato.com — including its strict -all (hardfail) at the end. The reference costs exactly one DNS lookup; behind it is a flat list of Strato’s IPv4 and IPv6 ranges.

5. Add additional senders (if needed)

If you also send via other services — newsletter tool, CRM, shop system — the redirect= construct no longer fits: a redirect delegates the entire policy and can’t be combined with further sources. In that case switch to the include form and add your services:

v=spf1 include:_spf.strato.com include:spf.newsletter-dienst.de ~all

Important: There may be only one SPF record per domain. Two TXT records with v=spf1 result in a permerror — receiving servers then ignore SPF entirely. That’s worse than no SPF at all.

6. Wait until the change is live

DNS changes take time: depending on TTL and caching it can take a few hours until every server worldwide sees the new record.

The components in detail

ComponentMeaning
v=spf1version identifier, always at the start
redirect=_spf.strato.comadopts Strato’s entire SPF policy (IPv4 and IPv6 ranges, ends with -all)
include:_spf.strato.comallows the Strato servers, but can be combined with further sources and your own ~all/-all

Verify the result

Check your configuration with the free MXAudit scanner — it shows immediately whether your SPF record is syntactically correct and how many DNS lookups it consumes (the limit is 10).

Or directly in the terminal:

dig TXT example.com +short | grep spf1

The output must contain exactly one record with v=spf1.

Common mistakes

Two SPF records. Two TXT entries with v=spf1 lead to permerror. All sources belong in a single record.

redirect= combined with other mechanisms. A redirect= is only evaluated if no mechanism matched before it. If a ~all or -all is in the same record, that always takes effect first — the redirect is then dead weight. Either redirect= alone or include: with your own all ending.

Full hostname in the prefix field. Strato automatically appends the domain name to the value in the “Präfix” (prefix) field. If you enter example.com there, you get example.com.example.com — the record lands in the wrong place. Only enter the part before the domain; for the main domain’s SPF record, leave the field empty.

+all at the end. A +all allows any server to send and makes the whole record useless. Still shows up in some old forum posts — don’t copy it.

Forwarding fails. If a recipient auto-forwards your mail, SPF often fails at the final recipient — the forwarding server isn’t in your record. That’s a design weakness of SPF, not a configuration error; DKIM and DMARC catch this case.

Further reading