Last updated: July 2026
In short: After this guide your domain publishes a correct SPF record. Receiving mail servers can then tell which servers are allowed to send in your name — and sort out forged senders.
Prerequisites
- A domain in the united-domains portfolio
- Clarity about whether your mail runs through the united-domains mail system or your own servers
What is SPF?
SPF (Sender Policy Framework) is a TXT record in your domain’s DNS. It lists which mail servers are allowed to send email with your domain as the sender. Receiving servers look up the record on every incoming message and check whether the delivering server is on the list. Without SPF, any server can send mail in your name — and your legitimate mail lands in spam faster, because large receivers like Gmail now simply expect SPF.
For context: SPF alone is not complete protection. Only together with DKIM and DMARC does it become a solid foundation. But SPF is the easiest entry point.
The starting point at united-domains
united-domains makes it the most convenient of all: in the domain management, under Email security, there’s a real SPF switch. One click, and the TXT entry is placed in the united-domains DNS immediately. For newly registered domains, SPF is even active automatically.
The catch is in the fine print: the switch only fits if your email traffic runs through the united-domains mail system. If you use your own or third-party mail servers, united-domains itself warns of “undesired effects” — then you need the manual path (step 4).
Step-by-step guide
1. Check whether SPF is already active
Especially at united-domains it’s worth checking beforehand — new domains have SPF on already:
dig TXT example.com +short | grep spf1
If a record with v=spf1 comes back, your domain already publishes SPF. Alternatively, drop your domain into the free MXAudit scanner — it checks the record for syntax and lookup limits at the same time.
2. Open Email security
Start at united-domains.de, click the user icon at the top right and log in. Click the email symbol next to your domain, then under Email click Email security.
3. Activate SPF
Further down you’ll find the Sender Policy Framework (SPF) status section. Click Activate SPF — the TXT entry is placed in the DNS immediately. That’s it, if your mail runs through united-domains.
4. Your own or external mail servers? The manual path
If you send via your own servers but want to additionally authorize sending via the united-domains mail servers, united-domains documents this entry:
v=spf1 include:_smtp.udag.de -all
The include points to a single IPv4 network (62.146.106.0/24) and costs exactly one DNS lookup. In practice you combine it with your other sending sources — all in one record, for example:
v=spf1 include:_smtp.udag.de include:spf.newsletter-dienst.de ~all
There may be only one SPF record per domain. Two TXT entries with v=spf1 result in a permerror — that’s worse than no SPF at all.
5. Wait until the change is live
The entry lands in the united-domains DNS immediately; due to caching it can still take a few hours until every server worldwide sees the new record.
The components in detail
| Component | Meaning |
|---|---|
v=spf1 | version identifier, always at the start |
include:_smtp.udag.de | allows the united-domains mail servers (one IPv4 /24 network, 1 lookup) |
-all | hardfail: non-listed servers are rejected |
~all | softfail: the milder variant — sensible while you’re still sorting out sending paths |
Verify the result
Check your configuration with the free MXAudit scanner — it shows immediately whether your SPF record is syntactically correct and how many DNS lookups it consumes (the limit is 10).
Or directly in the terminal:
dig TXT example.com +short | grep spf1
The output must contain exactly one record with v=spf1.
Common mistakes
SPF switch on, but mail runs elsewhere. The toggle authorizes the united-domains mail system. If you send via your own or third-party servers, united-domains itself warns of undesired effects — your mail can then be rejected. In that case: switch off, manual record with your real sources.
Two SPF records. An activated switch plus a manually created TXT entry with v=spf1 results in two records — permerror. Decide on one path.
Forgetting that new domains already have SPF. united-domains activates SPF automatically on new registrations. Adding your own record unaware produces the double-record error from above. Check first (step 1), then change.
+all at the end. A +all allows any server to send and makes the whole record useless — don’t copy it.
Forwarding fails. If a recipient auto-forwards your mail, SPF often fails at the final recipient — the forwarding server isn’t in your record. That’s a design weakness of SPF, not a configuration error; DKIM and DMARC catch this case.
Further reading
- united-domains help: How do I activate SPF for my domain? (German) (retrieved: July 10, 2026)
- united-domains glossary: SPF record (German) (retrieved: July 10, 2026)
- RFC 7208 — Sender Policy Framework (SPF)
