Bison Infosolutions Knowledgebase
Google Workspace - Professional Emails
Protect your Lenovo Server
Contact WhatsApp

SPF Configuration for Google Workspace, Zoho Mail, and PHP Website Forms

📅 22 Feb 2026 📂 General 👁 1 views

This article provides a practical technical reference for configuring Sender Policy Framework (SPF) when email is sent from multiple systems, including:

  • Google Workspace

  • Zoho Mail

  • PHP-based website forms (SMTP or mail function)

The document targets IT administrators, system engineers, and support professionals responsible for email deliverability, anti-spoofing controls, and DNS configuration.

Product / System Overview

Sender Policy Framework (SPF)

SPF is a DNS-based email authentication mechanism that:

  • Validates authorized sending servers

  • Helps prevent email spoofing

  • Improves deliverability

  • Supports DMARC enforcement

SPF records are stored as TXT records in DNS.

Technical Explanation

How SPF Works

When an email is received:

  1. Receiving server extracts sender domain

  2. Queries DNS for SPF TXT record

  3. Compares sending server IP against allowed sources

  4. Returns result: PASS / FAIL / SOFTFAIL / NEUTRAL

SPF Record Structure

Example:

v=spf1 include:_spf.google.com include:zcspf.zoho.in ~all
MechanismPurpose
v=spf1SPF version identifier
include:Authorizes third-party sender
ip4: / ip6:Authorizes specific IP
~allSoftFail (non-authorized senders discouraged)
-allFail (strict rejection)

Architecture Considerations

SPF validates the sending server, NOT the application.

Mail Flow Examples:

SMTP-based sending

Website → Google SMTP → Recipient

mail() function

Website → Hosting Server → Recipient

SPF must authorize the actual sending infrastructure.

Use Cases & Environments

Common deployment scenarios:

EnvironmentSPF Requirement
Google Workspace onlyInclude Google SPF
Zoho Mail onlyInclude Zoho SPF
Google + ZohoInclude both
PHP via SMTPInclude SMTP provider
PHP via mail()Add server IP

Implementation Steps

Step 1 — Identify Sending Sources

Inventory all outbound email systems:

✔ Google Workspace
✔ Zoho Mail
✔ Website SMTP
✔ Hosting mail server
✔ Third-party services (if any)

Step 2 — Construct SPF Record

Scenario A — Google Workspace + Zoho

v=spf1 include:_spf.google.com include:zcspf.zoho.in ~all

Scenario B — Google + Zoho + PHP mail()

v=spf1 ip4:SERVER_IP include:_spf.google.com include:zcspf.zoho.in ~all

Example:

v=spf1 ip4:103.21.58.10 include:_spf.google.com include:zcspf.zoho.in ~all

Scenario C — Strict Enforcement

v=spf1 include:_spf.google.com include:zcspf.zoho.in -all

Use only after verification.

Step 3 — DNS Configuration

Add TXT record in DNS:

FieldValue
TypeTXT
Host@
ValueSPF Record

Step 4 — Verify SPF

Use tools:

✔ Google Admin Toolbox
✔ MXToolbox SPF Checker
✔ dig / nslookup

Example:

nslookup -type=txt yourdomain.com

Step 5 — Validate Mail Headers

Inspect received message source:

Look for:

Received-SPF: pass

And sending host:

Received: from mail-xxx.google.com

Troubleshooting Procedures

Check SPF Resolution

dig txt yourdomain.com

SPF Syntax Validation

Common issues:

  • Missing v=spf1

  • Multiple SPF records

  • Exceeding DNS lookup limits

  • Incorrect include domain

Common Errors & Fixes

Error: Multiple SPF Records

Symptom

PermError: Multiple SPF records

Root Cause

Multiple TXT SPF entries.

Fix

Merge mechanisms into single record.

Error: SPF Lookup Limit Exceeded

Symptom

PermError: Too many DNS lookups

Root Cause

More than 10 includes / redirects.

Fix

Flatten SPF or remove redundant includes.

Error: SPF Fail from Website

Symptom

Emails marked as spoofed/spam.

Root Cause

Hosting server IP not authorized.

Fix

Add:

ip4:SERVER_IP

Error: SPF SoftFail

Symptom

Received-SPF: softfail

Root Cause

Sender not listed; ~all policy.

Fix

Authorize sender or move to -all.

Security Considerations

Risks of Incorrect SPF

  • Email spoofing vulnerability

  • DMARC failures

  • Spam classification

  • BIMI incompatibility

SPF Limitations

SPF:

✔ Validates envelope sender
✔ Does NOT prevent header spoofing
✔ Requires DMARC for full protection

Best Practices

✔ Maintain single SPF record
✔ Use includes instead of raw IP when possible
✔ Avoid excessive mechanisms
✔ Monitor SPF failures
✔ Align SPF with DKIM + DMARC

Recommended Production SPF

Typical modern configuration:

v=spf1 include:_spf.google.com include:zcspf.zoho.in -all

After validation.

Conclusion

SPF configuration must reflect actual mail flow, not assumptions about applications or platforms. Accurate sender identification, controlled DNS records, and periodic validation are essential for deliverability and anti-spoofing protection.

SPF alone is incomplete — combine with:

✔ DKIM
✔ DMARC
✔ TLS

For robust email authentication.


#SPF #EmailAuthentication #DNS #GoogleWorkspace #ZohoMail #EmailSecurity #DMARC #DKIM #SMTP #PHPmail #ITSupport #SysAdmin #MailServer #EmailDeliverability #DNSConfig #SPFRecord #EmailTroubleshooting #AntiSpoofing #CyberSecurity #DomainSecurity #EmailSetup #HostingServer #MailFlow #SPFFail #SPFSoftFail #DNSRecords #TXTRecord #EmailCompliance #SpamPrevention #SPFValidation #DNSLookup #EmailInfrastructure #MailSecurity #SPFConfig #TechnicalKB #ITKnowledgeBase #EmailAdmin #ServerSecurity #EmailProtocols #SPFMechanism #DNSManagement #EmailProtection #MailAuthentication #SPFGuide #EmailErrors #DNSPolicy #EnterpriseEmail #MailSystems #SecurityControls

spf spf record sender policy framework spf configuration spf google workspace spf zoho spf php mail spf smtp spf dns record spf txt record spf include google spf include zoho google workspace spf zoho mail spf php spf setup website email sp
Was this article helpful?
Sponsored
Web Hosting Affiliate Ad
Insurance Affiliate Ad
Insurance Affiliate Ad