SPF Setup for SendGrid, Mailgun & Amazon SES

Configure SPF for popular transactional email services without breaking your setup.

Published: 2026-01-21 | Updated: 2026-01-21 | Read time: 5 min

Key Takeaways

When You Need This Guide

If you're using transactional email services like SendGrid, Mailgun, or Amazon SES alongside your regular email (Google Workspace, Microsoft 365), you need to include them in your SPF record. Common scenarios:

The Goal

Create a single SPF record that authorizes ALL services that send email for your domain.

SendGrid SPF Setup

SendGrid Include Value

``dns include:sendgrid.net `

SendGrid Only

`dns v=spf1 include:sendgrid.net -all `

SendGrid + Google Workspace

`dns v=spf1 include:_spf.google.com include:sendgrid.net -all `

SendGrid + Microsoft 365

`dns v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all ``

Important Notes

Mailgun SPF Setup

Mailgun Include Value

``dns include:mailgun.org `

Mailgun Only

`dns v=spf1 include:mailgun.org -all `

Mailgun + Google Workspace

`dns v=spf1 include:_spf.google.com include:mailgun.org -all `

Mailgun + Microsoft 365

`dns v=spf1 include:spf.protection.outlook.com include:mailgun.org -all `

EU Region

If you're using Mailgun's EU region, the include is the same (mailgun.org`), but verify in your Mailgun dashboard under Domain Settings → DNS Records.

Amazon SES SPF Setup

Amazon SES Include Value

``dns include:amazonses.com `

Amazon SES Only

`dns v=spf1 include:amazonses.com -all `

Amazon SES + Google Workspace

`dns v=spf1 include:_spf.google.com include:amazonses.com -all `

Amazon SES + Microsoft 365

`dns v=spf1 include:spf.protection.outlook.com include:amazonses.com -all `

Region-Specific Setup

Amazon SES operates in multiple regions. The SPF include (amazonses.com`) covers all regions, but you should also: 1. Verify your domain in the SES console 2. Set up DKIM (Easy DKIM is recommended) 3. Configure a custom MAIL FROM domain if needed

Combining Multiple Services

Example: Google Workspace + SendGrid + Mailgun

``dns v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org -all `

Example: Microsoft 365 + All Three Services

`dns v=spf1 include:spf.protection.outlook.com include:sendgrid.net include:mailgun.org include:amazonses.com -all `

DNS Lookup Limit

⚠️ SPF has a 10 DNS lookup limit. Each include:` counts as 1+ lookups. | Service | Approx. Lookups | |---------|-----------------| | Google Workspace | 2-3 | | Microsoft 365 | 1-2 | | SendGrid | 1 | | Mailgun | 1-2 | | Amazon SES | 1 | If you exceed 10 lookups, SPF fails. Solutions:

Verifying Your Setup

1. Check with MailRisk

Scan your domain after making changes. Verify:

2. Send Test Emails

Send from each service and check headers for spf=pass.

3. Check Lookup Count

Use a tool like MXToolbox to verify you're under 10 lookups: 1. Go to mxtoolbox.com/spf.aspx 2. Enter your domain 3. Check "Queries" count

4. Monitor DMARC Reports

After setup, your DMARC reports will show SPF results from all services. Watch for unexpected failures.

Transactional Email SPF FAQ

Do I need DKIM too?

Yes. SPF alone isn't enough for good deliverability. Each service should have DKIM configured for proper DMARC alignment.

What if I switch email services?

Update your SPF record: 1. Add the new service's include 2. Verify emails work 3. Remove the old service's include

Can I use IP addresses instead of includes?

Yes, but it's not recommended for cloud services whose IPs change. Use includes for services like SendGrid, Mailgun, and SES.

What about subdomains?

SPF doesn't inherit to subdomains. If you send from mail.yourdomain.com, it needs its own SPF record.

I'm hitting the 10 lookup limit. What do I do?

Options: 1. Remove services you no longer use 2. Use an SPF flattening service 3. Move some sending to subdomains with separate SPF records