Skip to main content

Hosted SPF

The Hosted SPF page lets you manage your domain's SPF record through Palisade. Instead of editing the full SPF TXT record in your DNS provider every time something changes, your SPF record delegates to Palisade with a single include: mechanism — letting Palisade publish updates on your behalf and avoiding the risk of syntax errors.

note

Hosted SPF requires DMARC monitoring to be set up first. Enable it from the gear menu on the Domain Overview page.

How It Works

When Hosted SPF is active, your domain's SPF TXT record at the root delegates to Palisade through an include: mechanism (e.g. v=spf1 include:example.com._spf0.dns.palisade.email ~all). Palisade serves the included SPF record on your behalf, so changes you make in the Palisade UI no longer require you to edit your DNS provider — they propagate as the included record's DNS TTL expires (typically minutes, sometimes longer for cached resolvers).

Before You Enable

Before switching to Hosted SPF

You must replicate your entire existing SPF record into Palisade before publishing the new TXT record. When the Palisade-managed record goes live, it fully replaces your current SPF TXT record. Any include: mechanisms, IP addresses, or other entries that are not carried over will stop passing SPF checks immediately.

Missing an include will cause email from that service to fail SPF — which can result in messages being sent to spam or rejected, depending on your DMARC policy.

Before enabling Hosted SPF:

  1. Copy your current SPF record — look up your existing v=spf1 ... TXT record and note every include:, ip4:, ip6:, and a: mechanism.
  2. Add every entry into Palisade — use the SPF Configuration editor to add each mechanism from your existing record.
  3. Double-check — compare the Palisade-generated record with your original. They should authorize exactly the same senders.
  4. Only then publish the Palisade-managed SPF record — once you are confident the records match, replace your existing SPF TXT record at your DNS provider with the one Palisade displays.
tip

Use the SPF Audit tool to look up your current SPF record and see the full list of includes before migrating.

SPF Configuration

The edit interface lets you manage:

  • Include mechanisms — add include: entries for your authorized sending services (e.g., include:_spf.google.com, include:sendgrid.net)
  • IP addresses — add specific ip4: or ip6: entries for mail servers that send on your behalf
  • All mechanism — set the default action for senders not listed (~all for softfail, -all for hardfail)

Palisade automatically includes its own SPF include so that Palisade-routed mail passes SPF checks.

SPF Lookup Limit

SPF records are limited to 10 DNS lookups. Each include: and a: mechanism counts toward this limit, and nested includes count as well. Exceeding the limit causes SPF to fail for all senders.

If you are near the limit, consider:

  • Removing includes for services you no longer use
  • Replacing include: entries with direct ip4: or ip6: entries where possible (this is called SPF flattening)
  • Consolidating sending services that use the same infrastructure

Domain Status

A status badge at the top shows:

  • Active — the SPF TXT record is published and Palisade is serving the included record
  • Verifying — waiting for the SPF TXT record to propagate
  • Error — DNS verification failed or there is a sync issue
  • Inactive — Hosted SPF is not enabled

If an error occurs during SPF synchronization, a notice will appear with details about the issue.