How to Add an SPF Record in DigitalOcean
Step-by-step guide to adding SPF records in DigitalOcean DNS. Learn how to create, edit, and verify SPF TXT records in the Networking panel.
DigitalOcean is a popular cloud hosting platform, especially among developers and startups running their own infrastructure. If you manage your domain's DNS through DigitalOcean's Networking panel, adding an SPF record is a straightforward process -- but there are a few details specific to DigitalOcean's interface that are worth knowing before you start.
This guide walks you through adding, editing, and verifying an SPF record in DigitalOcean DNS, with examples for common email setups.
Why SPF Matters for Domains on DigitalOcean
When you host applications on DigitalOcean, your domain likely sends email -- whether that's transactional messages from your app, team email through Google Workspace or Microsoft 365, or marketing campaigns through a service like SendGrid or Mailchimp. Without an SPF record, receiving mail servers have no way to verify that those emails are legitimately coming from your domain. The result is often spam folders or outright rejection.
An SPF record is a simple DNS TXT record that lists every server and service authorized to send email on behalf of your domain, as defined in RFC 7208. It's the first layer of email authentication -- and the easiest to set up.
Step-by-Step: Adding an SPF Record in DigitalOcean
Log in to the DigitalOcean Control Panel
Go to cloud.digitalocean.com and sign in to your account.
Navigate to the Networking section
In the left sidebar, click Networking. Then click on the Domains tab. You'll see a list of domains you've added to DigitalOcean DNS (see DigitalOcean's DNS documentation for more details).
Select your domain
Click on the domain you want to configure. This opens the DNS records management page for that domain.
Check for existing SPF records
Scroll through the list of records and look for any TXT record with a value starting with v=spf1. If one exists, you'll need to edit it rather than creating a new one -- a domain must only have one SPF record.
Add a new TXT record
At the top of the page, select TXT from the record type options. In the Hostname field, enter @ (this represents your root domain). In the Value field, paste your SPF record -- for example: v=spf1 include:_spf.google.com -all. Leave the TTL at the default of 3600 seconds. Click Create Record.
Verify the record is live
DNS changes in DigitalOcean typically propagate within a few minutes. Check your record at SPF Record Check to confirm it's published and valid.
A Note on the Hostname Field
In DigitalOcean's DNS interface, the Hostname field determines where the record is applied. For your root domain's SPF record, enter @. DigitalOcean will display this as your full domain name in the records list. Don't enter the full domain name manually -- just use @. If you enter a subdomain name (like mail), the SPF record will only apply to that subdomain, not your main domain.
SPF Record Examples for DigitalOcean
Here are ready-to-use SPF records for common email configurations. Paste these directly into the Value field.
Google Workspace Only
Use the _spf.google.com include for Google Workspace:
v=spf1 include:_spf.google.com -all
Microsoft 365 Only
Use the spf.protection.outlook.com include for Microsoft 365:
v=spf1 include:spf.protection.outlook.com -all
Google Workspace + SendGrid
v=spf1 include:_spf.google.com include:sendgrid.net -all
Microsoft 365 + Mailchimp
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all
App on DigitalOcean Sending via SendGrid + Google Workspace for Team Email
v=spf1 include:_spf.google.com include:sendgrid.net -all
| Setup | SPF Record | Est. Lookups |
|---|---|---|
| Google Workspace | v=spf1 include:_spf.google.com -all | ~3 |
| Microsoft 365 | v=spf1 include:spf.protection.outlook.com -all | ~2 |
| Google + SendGrid | v=spf1 include:_spf.google.com include:sendgrid.net -all | ~4 |
| M365 + Mailchimp | v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all | ~4 |
| Google + SendGrid + Mailchimp | v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all | ~6 |
SPF records are limited to 10 DNS lookups. Each include adds at least one lookup, and nested includes add more. Use SPF Record Check to count your lookups and make sure you're within the limit.
Monitor your email authentication
After setting up SPF in DigitalOcean, make sure it keeps working. Get daily checks on SPF, DKIM, and DMARC.
Common DigitalOcean SPF Mistakes
Creating a Second SPF Record
The most common mistake with any DNS provider. If you already have an SPF record and you add a second one instead of editing the first, you'll create a permerror that breaks SPF entirely. Always check for an existing SPF record before adding a new one.
Using the Full Domain Instead of @
In the Hostname field, just enter @. If you type your full domain name (like example.com), DigitalOcean may interpret it as a subdomain and create the record at example.com.example.com -- which obviously won't work.
Forgetting to Update SPF When Changing Email Services
If you switch from one transactional email provider to another (say, Mailgun to SendGrid), remember to update your SPF record. Remove the old include and add the new one. Leaving stale includes wastes DNS lookups.
Sending From a Droplet's IP Without Authorizing It
If your application on a DigitalOcean Droplet sends email directly (without using a third-party service), you need to include that Droplet's IP address in your SPF record -- for example, v=spf1 ip4:123.45.67.89 include:_spf.google.com -all. However, sending email directly from a server IP is generally discouraged. Using a dedicated email delivery service gives you better deliverability and reputation management.
Editing an Existing SPF Record in DigitalOcean
Find your SPF record
Go to Networking > Domains and click on your domain. Look through the TXT records for the one starting with v=spf1.
Edit the record
Click the More menu (three dots) next to the record and select Edit. Update the Value field with your new SPF record. Make sure v=spf1 stays at the beginning and your all mechanism stays at the end.
Save and verify
Click Save Record. Wait a couple of minutes, then verify the updated record at SPF Record Check.
Back up before editing
Copy your current SPF record value before making changes. If something goes wrong with email delivery after the update, you can quickly revert.
Verifying Your SPF Record
After creating or updating your SPF record in DigitalOcean, verify that it's correct and live.
- SPF Record Check -- Go to spfrecordcheck.com and enter your domain. It validates syntax, counts DNS lookups, and flags errors.
- Send a test email -- Send a message from each service in your SPF record. Check the email headers on the receiving side for
spf=passin theAuthentication-Resultsheader. - Command line -- Run
dig TXT yourdomain.com +shortornslookup -type=TXT yourdomain.comto see the raw TXT records published for your domain.
Complete Your Email Authentication
SPF is just the first piece. For full email authentication, you need all three protocols working together:
- DKIM adds a cryptographic signature to outgoing emails, proving they haven't been tampered with. Use DKIM Creator to generate your DKIM keys and add the TXT records in DigitalOcean.
- DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Use DMARC Creator to build your DMARC policy.
Both DKIM and DMARC records are added the same way as SPF -- as TXT records in DigitalOcean's DNS management panel.
Related Articles
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring