# SPF Record Construction

At the beginning of the record, `v=spf1` identifies this as an SPF record.

At the end of the record, `-all` defines the policy: a dash (`-`) means hard-fail, a tilde (`~`) means soft-fail.

In between the identity and the policy, each `include:` defines the server domain names that are authorized to send as this domain. Each `+ip4:` defines the IP addresses that are authorized to send as this domain.

Example

```generic
v=spf1 +ip4: include: ~all
```

Microsoft 365

```generic
v=spf1 include:spf.protection.outlook.com ~all
```

Google Workspace

```generic
v=spf1 include:_spf.google.com ~all
```

| Prefix | Type | Value | PrefixDesc | Description |
|--------|------|-------|------------|-------------|
| | v | spf1 | | The SPF record version |
| + | include | spf.protection.outlook.com | Pass | The specified domain is searched for an 'allow'. |
| + | include | emailus.freshservice.com | Pass | The specified domain is searched for an 'allow'. |
| + | include | relay.mailchannels.net | Pass | The specified domain is searched for an 'allow'. |
| ~ | all | | Fail | Always matches. It goes at the end of your record. |

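
The construction rules above can be checked mechanically before a record is published. The following is an added example, not part of the original page: a small Python linter that splits a record into the Prefix/Type/Value columns of the table and reports records that break the layout described here. The function names `parse_spf` and `lint_spf` and the third sample record are made up for this example, qualifier names follow RFC 7208, and records that end in `redirect=` instead of `all` are out of scope.

```python
import ipaddress
import re

# Qualifier prefixes from RFC 7208; a mechanism with no prefix defaults to "+".
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
TERM = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)[:=]?(.*)$")

# The first two records are copied from the page; the third is constructed.
M365 = "v=spf1 include:spf.protection.outlook.com ~all"
TEMPLATE = "v=spf1 +ip4: include: ~all"
CONSTRUCTED = "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com +all"

def parse_spf(record):
    """Split a record into (prefix, type, value) terms, like the table's columns."""
    terms = []
    for token in record.split():
        match = TERM.match(token)
        # An unparseable token is kept whole so lint_spf() can still check the rest.
        terms.append(match.groups() if match else ("", token, ""))
    return [(prefix, kind.lower(), value) for prefix, kind, value in terms]

def lint_spf(record):
    """Return construction problems: identity first, policy last, no empty values."""
    terms = parse_spf(record)
    problems = []
    if not terms or terms[0] != ("", "v", "spf1"):
        problems.append("record must begin with v=spf1")
    if not terms or terms[-1][1] != "all":
        problems.append("record must end with an 'all' policy")
    elif terms[-1][0] not in ("-", "~"):
        name = QUALIFIERS[terms[-1][0] or "+"]
        problems.append(f"'all' is {name}; use -all (hard-fail) or ~all (soft-fail)")
    for _prefix, kind, value in terms:
        if kind == "include" and not value:
            problems.append("include: has no domain")
        elif kind == "ip4":
            try:
                # Accepts a single address or a CIDR range.
                ipaddress.IPv4Network(value, strict=False)
            except ValueError:
                problems.append(f"ip4:{value} is not an IPv4 address or range")
    return problems

if __name__ == "__main__":
    for rec in (M365, TEMPLATE, CONSTRUCTED):
        print(rec, "->", lint_spf(rec) or "ok")
```

The unfilled template from the Example block is reported twice, once for the empty `+ip4:` and once for the empty `include:`, which catches a record that was pasted without being completed.
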
Further reading: [a great explanation of SPF](https://www.mailhardener.com/kb/spf).

## NEXT STEPS

Configure [DKIM](http://info.orangebench.com/books/internet-infrastructure/page/dkim-record-construction) Signature

Configure [DMARC](http://info.orangebench.com/books/internet-infrastructure/page/dmarc-record-construction) Reports