SPF Checker for GoDaddy
GoDaddy's hosted-email products (Webmail Plus, Microsoft 365 reseller plans) route outbound mail through secureserver.net. The single include: covers every IP GoDaddy currently uses; you only add other includes if your domain also sends through a separate ESP.
Recommended SPF record for GoDaddy
GoDaddy's hosted-email products (Webmail Plus, Microsoft 365 reseller plans) route outbound mail through secureserver.net. The single include: covers every IP GoDaddy currently uses; you only add other includes if your domain also sends through a separate ESP.
v=spf1 include:secureserver.net -all Source: official GoDaddy documentation
What a passing check should look like
- Exactly one v=spf1 record published at the apex.
- Record ends with -all (or ~all if you're still onboarding senders).
- SPF Checker reports no PermError and the include resolves under 10 total lookups.
How to add this record in GoDaddy
- Sign in and open Domain Portfolio
Sign in to your GoDaddy account, then choose Domain Portfolio from the My Products menu (or visit dcc.godaddy.com directly).
- Open DNS for the domain
Find the domain in the list, click the three-dot menu next to it, and select Edit DNS.
- Add a new TXT record
Click Add New Record, choose TXT as the type, set Name to @ (the apex), and paste v=spf1 include:secureserver.net -all into the Value field.
- Set TTL to 1 hour for the rollout
Use 1 hour while you test, then raise to 1 day once you have confirmed receivers are pulling the new record.
- Save and verify
Click Save. DNS propagates within minutes inside GoDaddy's authoritative zone; full global propagation takes up to your TTL.
Common SPF mistakes with GoDaddy
- Adding the record at a subdomain (e.g. mail) instead of the apex — SPF must be on the same name as the From-header domain.
- Listing multiple v=spf1 records on the apex — RFC 7208 §3 requires exactly one. Receivers return PermError if they see two.
- Forgetting to add additional ESP includes if you ALSO send via Mailgun/SendGrid/etc. The default record covers GoDaddy-hosted mail only.
- Using ~all when you actually need -all (or vice versa) without thinking through what receivers should do on unknown senders.
Frequently asked questions about GoDaddy SPF
Does GoDaddy support DKIM out of the box?
Only if your domain uses GoDaddy's Microsoft 365 reseller mailboxes — in that case DKIM is configured via the two M365 CNAME selectors above. If you only use GoDaddy for DNS but send mail via a different provider (Mailgun, SendGrid, your own server, etc.), DKIM comes from THAT provider, not GoDaddy.
Why does my GoDaddy SPF record need <code>include:secureserver.net</code>?
secureserver.net is the umbrella domain GoDaddy uses for the outbound IP space of its hosted-mailbox products (Webmail Plus and the M365 reseller plans). Including it covers every IP GoDaddy currently uses, and they keep the include up to date.
Where do I get the exact CNAME targets for my GoDaddy + M365 setup?
Sign in to Microsoft 365 Defender at security.microsoft.com, then Email & collaboration → Policies & rules → Threat policies → DKIM. Select your domain and Microsoft displays the two CNAME values customised for your tenant ID.
GoDaddy says my TXT record value is 'too long' — what do I do?
GoDaddy's DNS editor accepts up to 1,024 characters in a TXT value. If you hit the limit (rare for SPF, common for some DKIM keys), the record needs to be split into multiple quoted strings per RFC 7208 §3.3 — but GoDaddy's UI does not expose that directly. Workaround: shorten the record (use the SPF Flattener for SPF) or move DNS to a provider that supports multi-string TXT.
Can I use Cloudflare in front of GoDaddy without changing registrar?
Yes — point GoDaddy's nameservers to Cloudflare's, then manage SPF/DKIM/DMARC in Cloudflare. Whichever provider answers DNS queries is the one receivers query. Don't publish the same record in both places; pick one.
Why are my DKIM checks failing even though the CNAMEs are correct?
Three common causes: (1) you enabled DKIM signing in M365 before the CNAMEs propagated — wait 10 minutes and re-toggle. (2) The two CNAMEs point at different tenants — they MUST both point at the same .onmicrosoft.com host. (3) Your M365 tenant has multiple custom domains and you used the wrong tenant ID in the CNAME target. The DKIM CNAME Validator walks the chain and surfaces the exact failure mode.
For the latest from GoDaddy themselves, see their official email-authentication documentation .
Read the complete SPF guide to learn more.
Get the full picture with DMARCguard
Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
Start Free