Managed SPF: Setup, Daily Use, and What to Expect
A practical guide to mxio's Managed SPF service. Set it up in the right order, understand what the dashboard shows, and learn how to add or remove senders without touching your SPF record again.
What Managed SPF Does
Managed SPF gives you one stable include: in your root SPF record while mxio manages the real sender list behind it.
Instead of editing DNS every time Google, Microsoft, SendGrid, or another provider changes its IP ranges, you manage your authorized senders in the dashboard. mxio resolves those senders, publishes the flattened SPF record on its own DNS, and keeps it updated automatically.
The result is simple:
- Your root SPF record stays short and predictable
- Your authorized sender list stays current
- You avoid running out of SPF lookups as your stack grows
If you want the background on the technique itself, read What Is SPF Flattening and Do You Need It?. This guide is about using the mxio service.
Before You Start
You will need two kinds of access:
- mxio dashboard access so you can configure the service
- DNS access for your domain so you can update your root SPF record
Managed SPF changes how your SPF is maintained, but it does not take over your entire DNS zone. You still make one initial DNS change: adding mxio's include: to your domain's SPF record.
Plans and Availability
Managed SPF is available on paid plans:
| Plan | Managed SPF | Poll Interval | Domain Allowance |
|---|---|---|---|
| Free | Not available | — | — |
| Basic | Available as add-on | Every 30 minutes | Based on add-ons purchased |
| Pro | Included | Every 30 minutes | 10 domains |
| Business | Included | Every 5 minutes | 25 domains |
For most organizations, the 30-minute interval is more than enough. The 5-minute Business interval is for teams that want the shortest possible gap between a provider IP change and an updated flattened record.
How Setup Actually Works
Managed SPF setup in mxio has three main steps:
- Configure your SPF sources
- Publish the mxio include in your root SPF record
- Enable Managed SPF
That order matters. You choose or confirm your senders first, then update DNS, then turn the service on.
Step 1: Configure Your SPF Sources
When you start Managed SPF, mxio first analyzes your current SPF record and tries to detect the services you already use.
If your current record includes known providers such as Google Workspace, Microsoft 365, SendGrid, Mailchimp, Amazon SES, or MailRoute, the dashboard pre-fills those sources for you. You review the list, remove anything you no longer use, and add anything missing.
For most domains, this is the longest part of setup, because this is where you decide which senders are authorized to send as your domain.
What you can add
The SPF Manager supports these common source types:
| Entry type | What it means | Example |
|---|---|---|
| Catalog service | A known provider from mxio's catalog | Google Workspace, SendGrid, Mailchimp |
| Include | A custom include hostname that mxio should resolve | include:custom.emailprovider.com |
| IP4 | A direct IPv4 address or CIDR range | 203.0.113.0/24 |
| IP6 | A direct IPv6 address or CIDR range | 2001:db8::/32 |
| A | Resolve a hostname's A record | mail.example.com |
| MX | Resolve a domain's MX hosts | example.com |
Most users only need catalog services plus a few direct ip4: or ip6: entries for their own servers.
What to keep and what to replace
When you move to Managed SPF:
- Replace old third-party
include:mechanisms in your root SPF record with the mxio include - Keep direct
ip4:andip6:entries if they represent your own servers and you still want them in the root record - Keep your existing policy qualifier unless you have a reason to change it
Warning: Do not leave your old provider
include:entries in the root SPF record alongside the mxio include unless you mean to run a mixed setup. That uses extra lookups and defeats the main benefit of Managed SPF.
The SPF policy qualifier
You choose the policy qualifier for the managed record in the SPF Manager:
~allis the safer default-allis stricter and should be used only when you are confident your sender list is complete
If you are unsure which one to use, see SPF ~all vs -all.
What success looks like
At the end of this step:
- The dashboard shows the senders you want
- Obvious old or duplicate services are removed
- You save the configuration and move to the publish step
Step 2: Publish the mxio Include
After you save your sender configuration, mxio gives you a unique include hostname for your domain. It looks like this:
include:k7xm9p2r.spf.mxdns.ioYou add that include to the SPF TXT record for your root domain.
Example root SPF records
If you want a fully delegated setup, your root SPF can be as simple as:
example.com TXT "v=spf1 include:k7xm9p2r.spf.mxdns.io ~all"If you also need to keep direct IPs for your own mail servers:
example.com TXT "v=spf1 ip4:203.0.113.10 include:k7xm9p2r.spf.mxdns.io ~all"Important rules for this step
- Publish the change at the DNS provider that hosts your domain
- Keep only one SPF record for the domain
- Put the mxio
include:in the SPF record itself, not as a separate TXT record - Keep
~allor-allat the end of the record
mxio checks DNS automatically while you do this. Once it detects the include, you can continue.
Tip: mxio pre-publishes the managed record before you update your SPF. That means the include resolves immediately once you add it to DNS.
What success looks like
At the end of this step:
- Your domain has one valid SPF record
- That SPF record contains the mxio include
- The dashboard shows that the include has been detected
Step 3: Enable Managed SPF
Once the include is published, click Enable in the dashboard.
This is the step that turns Managed SPF on for the domain. After that:
- mxio starts polling your configured senders on your plan's schedule
- mxio deploys updated flattened records when sender IP ranges change
- future sender changes happen in the dashboard instead of in DNS
Optional: Domain Ownership Verification
The dashboard may also show an optional TXT challenge record for domain ownership verification.
This is not the main setup gate for Managed SPF. The required step for activation is publishing the mxio include: in your SPF record. If you choose to publish the challenge, mxio checks it automatically and you can remove it after verification succeeds.
Treat this as an optional extra confirmation step, not as the core setup path.
What To Check After Setup
Right after enablement, a new user should verify five things:
- Your root SPF record contains the mxio include
- The dashboard shows the include as detected
- Managed SPF shows as enabled and then active
- A deployment appears in version history after the first publish
- Your SPF lookup budget is still healthy
If those five are true, the service is set up correctly.
Using Managed SPF Day To Day
Once setup is done, the ongoing workflow is simple: you manage senders in the dashboard and leave DNS alone.
Adding a new sender
When you start using a new email service:
- Open the SPF Manager for the domain
- Add the service from the catalog, or add its custom include manually
- Save the configuration
- Let mxio redeploy the managed record
You do not need to edit your root SPF record again unless you are changing the high-level delegation approach itself.
Removing a sender
When you stop using a service:
- Open the SPF Manager
- Remove that sender
- Save the configuration
This matters. Leaving old senders authorized is risky because shared provider ranges can be reused across other customers.
What happens when you save changes
Saving changes in the dashboard triggers a redeploy of the managed record. mxio recalculates the sender set, publishes the updated version, and keeps the root SPF include unchanged.
That is the whole operational benefit of Managed SPF: sender changes become dashboard actions, not DNS edits.
Understanding the Dashboard
The dashboard is there to answer three practical questions:
- Is the service on
- Is my SPF still healthy
- What changed recently
Status
The main states a new user needs to understand are:
| State | What it means |
|---|---|
| Pending | Setup is in progress or the service has not fully completed its first deployment yet |
| Active | Managed SPF is enabled and current |
| Paused | The service is not actively updating, usually because of plan or service state changes |
| Error | The last update attempt failed and needs attention |
You may also see warnings about size or lookup budget. Treat those as signs to review your sender list and root SPF record.
Lookup budget
Managed SPF reduces lookup cost, but it does not make the SPF budget disappear. The dashboard budget view helps you see where the lookups are going:
- mxio include cost for the managed record
- extra root-record cost from anything you left outside mxio
- total lookup spend compared to the SPF limit
If the budget looks too high, the most common cause is leaving extra include:, a:, or mx: mechanisms in the root SPF record.
Version history
Version history is your deployment log. It shows:
- version numbers
- deployment times
- the record content that was published
- related sub-record hostnames when splitting is needed
- change-log events such as deploys, pauses, resumes, and config updates
It is useful for answering practical questions like:
- When did Managed SPF last redeploy
- What record is active right now
- Did my last configuration change publish successfully
Troubleshooting
The include is not detected
Check these first:
- you updated the existing SPF record instead of adding a second SPF TXT record
- the include is inside the SPF string itself
- DNS propagation has had enough time
Run the SPF Checker if you want to see the live lookup tree from the outside.
The lookup budget is still high
This usually means your root SPF record still has extra lookup-consuming mechanisms outside the mxio include.
Common causes:
- old provider
include:entries still in the root record - root-level
a:ormx:mechanisms you forgot about - a mixed setup where some services are managed in mxio and others are still published directly
The service shows an error
Most Managed SPF errors come from upstream data problems or temporary DNS issues, not from your root SPF include being wrong.
Examples:
- a provider publishes a broken SPF record
- upstream DNS lookups fail temporarily
- a sender configuration needs review
If the problem does not clear, check the dashboard details and run the SPF Checker against the domain.
Managed SPF pauses after a plan change
If your plan no longer includes Managed SPF, the service can pause. Your last published record may still exist in DNS, but mxio will not keep it updated until the feature is available on the account again.
Best Practices
- Keep your root SPF record simple
- Add new senders through the dashboard, not by editing DNS directly
- Remove senders you no longer use
- Review the budget view when you add a service with a complex SPF chain
- Use domain health monitoring to catch changes quickly
How Managed SPF Fits With DKIM and DMARC
Managed SPF handles the SPF side of email authentication. It does not replace DKIM or DMARC.
When you add a new sender, you should still:
- configure DKIM for that service
- check DMARC alignment after the service starts sending
If you use DMARC Reporting in mxio, it becomes much easier to confirm that new senders are both legitimate and aligned.
Related Articles
- What Is SPF Flattening and Do You Need It? — when SPF flattening is necessary
- Fix SPF PermError: Too Many DNS Lookups — understanding the SPF limit
- SPF ~all vs -all: Softfail vs Hardfail — choosing the right policy
- Multiple SPF Records on One Domain — avoiding a common SPF mistake
- Complete Email Authentication Guide — how SPF, DKIM, and DMARC fit together
- Understanding DMARC Reports — how to verify that senders are passing DMARC
Related Articles
SPF flattening resolves include mechanisms to IP addresses, reducing DNS lookups. Learn how it works, the risks of manual flattening, and when you need automated flattening.
Your SPF record exceeds the 10-lookup limit, causing email authentication failures. Learn why this happens and how to fix it with step-by-step instructions.
Having more than one SPF TXT record on a domain causes both to fail. Learn how to detect duplicate SPF records and merge them correctly.
Should your SPF record end with ~all (softfail) or -all (hardfail)? Understand the difference, when to use each, and the impact on email delivery.
Understand how SPF, DKIM, and DMARC work together to protect your domain from spoofing and improve email deliverability. A practical guide for email administrators.
Learn what managed email authentication means, why DNS-based email security requires ongoing management, and how platforms like mxio handle SPF, DKIM, and DMARC so you don't have to.