How to Add an SPF Record on Squarespace

You can do this

Squarespace gives you a full DNS editor, so adding an SPF record is straightforward. The catch is that Squarespace may already have added one for you, and a second record breaks the first.

Check what already exists before you add anything. This is the step almost everyone skips, and it is the one that causes the damage.

Check first, add second

Squarespace auto-applies its own DKIM, SPF and DMARC records to domains it manages. That is helpful, right up until you add your own SPF record on top and end up with two.

Two SPF records is not "extra protection". It is a permanent error condition called a permerror, and receiving mail servers treat the whole thing as broken. Your SPF stops working entirely. It is one of the most common email authentication faults we see.

So before anything else, open your DNS records in Squarespace and look for an existing TXT record starting with v=spf1. If one is there, you edit it. You do not add a second one.

What SPF actually is

SPF is a TXT record on your domain that lists which servers are allowed to send email as you. Inbox providers check it. If mail arrives from somewhere not on the list, it gets treated with suspicion.

Three rules that trip people up:

  • One SPF record per domain. Only one. If you use several senders, they all go in that single record as separate include: mechanisms with one all at the end.
  • Subdomains are not covered by the parent. If you send from mail.yourdomain.com, that subdomain needs its own record.
  • There is a 10-lookup limit. Each include:, a, mx, exists and redirect costs a lookup, and they nest. Go over 10 and you get a permerror. ip4:, ip6: and all cost nothing.

Adding or editing the record in Squarespace

Open your domain settings in Squarespace and go to the DNS records editor. Squarespace supports TXT records and uses @ to mean the root of your domain.

  1. 1.Open the DNS records for your domain in Squarespace.
  2. 2.Look for an existing TXT record whose value starts with v=spf1. If you find one, edit it rather than adding another.
  3. 3.If there is none, add a new record. Type: TXT. Host: @. Value: your SPF string.
  4. 4.Save, then wait. DNS changes are not instant.
  5. 5.Send a test email to an address on another provider and confirm it passes SPF.

Real record values

Use whichever line matches how you actually send email. Do not combine them by adding two records. If you use more than one sender, merge the include: parts into a single line with one all at the end.

Google Workspace
  v=spf1 include:_spf.google.com ~all

Microsoft 365
  v=spf1 include:spf.protection.outlook.com -all

Two senders merged into one record
  v=spf1 include:_spf.google.com include:sendgrid.net ~all

A domain that sends no email at all
  v=spf1 -all

Note on SendGrid: only add include:sendgrid.net when Automated Security is switched OFF. With Automated Security ON, which is the default, SendGrid authenticates through CNAME records and no include is needed. Adding one anyway just burns a lookup. Vendor include values change over time, so confirm yours with the vendor rather than trusting any guide, including this one.

Choosing your ending: ~all or -all

The last part of the record tells receivers how strict to be. ~all is softfail, meaning "probably not authorised". -all is fail, meaning "not authorised, full stop". ?all is neutral and does nothing useful.

The vendors genuinely disagree here, and it is worth saying so. Google recommends ~all for Workspace. Microsoft recommends -all. Neither is wrong.

Our advice: start with ~all while you confirm every legitimate sender is accounted for, then tighten to -all once you are sure. A domain that never sends email should go straight to v=spf1 -all.

Two Squarespace-specific things to know

The character limits differ by record type. Squarespace allows SPF and DKIM records up to 2048 characters, but caps other TXT records at 255. SPF records rarely get anywhere near 2048, so this one is unlikely to bite you here. It does matter for DMARC, which falls under the 255 limit.

Third-party domains connected by nameservers are limited. If your domain is registered elsewhere and connected to Squarespace via nameservers, you can only use A, AAAA, CNAME, MX, SRV and TXT records. TXT is on that list, so SPF is fine.

Where SPF ends

SPF on its own does not tell inboxes what to do when a message fails. That is DMARC's job, and SPF without DMARC leaves most of the value on the table. Once your SPF is clean and passing, add a DMARC record next.

If you want the concepts in plain English first, we have short explainers on SPF and DMARC.

Check your work in seconds

Run your site through our free safety check to confirm the fix is live, and see what else a shopper would notice.

Run a free check

Frequently asked questions

Does Squarespace already add an SPF record for me?

It can. Squarespace auto-applies its own DKIM, SPF and DMARC records to domains it manages. That is exactly why you should check your DNS records for an existing TXT record starting with v=spf1 before adding your own. Two SPF records cause a permerror and break SPF completely.

Can I have two SPF records if I use two email providers?

No. One SPF record per domain, always. Merge your senders into a single record with multiple include: mechanisms and one all at the end, for example v=spf1 include:_spf.google.com include:sendgrid.net ~all.

Should I use ~all or -all?

Start with ~all while you confirm every legitimate sender is in the record, then move to -all. The vendors disagree on this: Google recommends ~all for Workspace, Microsoft recommends -all. A domain that sends no email at all should use v=spf1 -all.

What do I put in the Host field?

Just @, which Squarespace uses for the root of your domain. Do not type your domain name into the host field. Most DNS editors auto-append the zone, so typing the full domain creates something like yourdomain.com.yourdomain.com, which never resolves.

My SPF looks right but mail still fails. Why?

The usual suspects are a second SPF record hiding in your DNS, or the 10-lookup limit being exceeded. Every include:, a, mx, exists and redirect costs a lookup and they nest inside each other. Over 10 and the record hard fails. Run a free check to see what your domain publishes right now.

SPF record on other platforms

Other fixes for Squarespace

See the full fix-it matrix →

Prove your site is safe.

Once it is fixed, show it. Get a badge your shoppers can verify, backed by continuous checks. Free to start.

Get started free Run a free check