SPF Record Generator
Build a valid SPF record for your domain in seconds. Select your email providers, add custom IPs, choose your fail policy, and copy the generated DNS record.
What is an SPF Record?
SPF (Sender Policy Framework) is a DNS-based email authentication protocol defined in RFC 7208. An SPF record is published as a TXT record on your domain and lists the mail servers, IP addresses, and third-party services that are authorized to send email on your domain's behalf.
When a receiving mail server gets a message claiming to be from your domain, it queries your DNS for an SPF record and checks whether the sending server's IP address is authorized. If it is not, the message can be rejected, flagged as spam, or accepted depending on your policy (the all-mechanism at the end of the record).
How SPF Records are Structured
Every SPF record starts with v=spf1 followed by one or more mechanisms that define authorized senders, and ends with an all-mechanism that sets the default policy:
- include: Authorizes another domain's SPF record. Used for third-party email services like Google Workspace, Microsoft 365, and SendGrid.
- ip4 / ip6: Directly authorizes a specific IP address or CIDR range. Does not count toward the 10 DNS lookup limit.
- a / mx: Authorizes the IP addresses returned by the domain's A or MX records. Each counts as one DNS lookup.
- -all: Hard fail — reject email from any server not explicitly listed. Recommended for production.
- ~all: Soft fail — accept but mark as suspicious. Useful during initial rollout.
How to Use This Generator
- Enter your domain name — the domain you want to protect with SPF (e.g., yourcompany.com).
- Select your email providers — check the boxes for any third-party services that send email on your behalf.
- Add custom includes — if you use additional services not listed above, add their SPF include domains.
- Add IP addresses — add any specific server IPs or CIDR ranges that send email for your domain.
- Choose your fail policy — select hard fail (-all) for maximum protection or soft fail (~all) for testing.
- Copy and publish — copy the generated record and add it as a TXT record in your domain's DNS.
Frequently Asked Questions
- What is an SPF record and why do I need one?
- An SPF (Sender Policy Framework) record is a DNS TXT record that tells receiving mail servers which IP addresses and services are authorized to send email on behalf of your domain. Without an SPF record, anyone can send emails pretending to be from your domain, which can lead to phishing attacks and deliverability problems. Since 2024, Google and Yahoo require SPF (or DKIM) for all email senders, making it essential for reaching inboxes.
- How many DNS lookups can an SPF record have?
- The SPF specification (RFC 7208) limits SPF evaluation to 10 DNS lookups. Each "include", "a", "mx", "ptr", and "exists" mechanism, and the "redirect" modifier, counts as one lookup. Lookups triggered inside an included record count toward the same total. If your SPF record exceeds 10 lookups, receiving servers will return a PermError and your emails may be rejected. The ip4 and ip6 mechanisms do not count toward this limit because they do not require DNS queries. This generator counts your lookups automatically so you can stay within the limit.
- Should I use -all (hard fail) or ~all (soft fail)?
- Use "-all" (hard fail) for production domains once you have confirmed all legitimate senders are listed. This tells receiving servers to reject email from unauthorized sources. Use "~all" (soft fail) during initial deployment or testing, which marks unauthorized email as suspicious rather than rejecting it outright. Most security experts recommend moving to "-all" as soon as possible to maximize protection against spoofing.
- Can I have multiple SPF records on one domain?
- No. RFC 7208 specifies that a domain must have at most one SPF record. If multiple SPF TXT records are found, receiving servers will return a PermError and SPF evaluation fails entirely. If you need to authorize multiple services, combine them into a single SPF record using multiple include: mechanisms. This generator helps you build a single, consolidated record with all your authorized senders.
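The record structure and the two PermError cases from the FAQ (more than 10 lookups, more than one SPF record) can be checked before publishing. The following is an added example, not this generator's own code: `lint_spf` and the sample records are constructed for illustration, and only the terms visible in the record itself are counted, since following includes requires live DNS.

```python
import ipaddress
import re

# Terms that trigger a DNS query during evaluation (RFC 7208 section 4.6.4).
# Queries made inside included records count too but need live DNS to see.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def lint_spf(txt_records):
    """Lint the TXT records at one name; return (top-level lookups, problems)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return 0, ["multiple SPF records (PermError)" if spf else "no SPF record"]
    terms = spf[0].split()[1:]
    lookups, names, problems = 0, [], []
    for pos, term in enumerate(terms):
        body = term[1:] if term[0] in "+-~?" else term  # drop the qualifier
        name, value = re.match(r"([a-z0-9]*)[:/=]?(.*)", body.lower()).groups()
        names.append(name)
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name in ("ip4", "ip6"):
            try:  # the address family must match the mechanism name
                if ipaddress.ip_network(value, strict=False).version != int(name[2]):
                    raise ValueError(value)
            except ValueError:
                problems.append(f"bad address in {term}")
        elif name == "all":
            if pos != len(terms) - 1:
                problems.append("all is not the last term")
            if term[0] not in "-~":
                problems.append(f"{term} does not fail unauthorized senders")
    if "all" not in names and "redirect" not in names:
        problems.append("no all mechanism or redirect modifier")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}")
    return lookups, problems


# Constructed sample TXT record sets (placeholder domains, documentation IPs).
GOOD = ["site-verification=abc123",
        "v=spf1 include:_spf.mail.example.net mx ip4:192.0.2.0/24 -all"]
DUPLICATE = ["v=spf1 include:_spf.mail.example.net -all", "v=spf1 mx ~all"]
TOO_MANY = ["v=spf1 " + " ".join(f"include:s{i}.example.net" for i in range(11)) + " ~all"]
BAD = ["v=spf1 ip4:2001:db8::/32 ip6:2001:db8::/32 all"]

if __name__ == "__main__":
    print(*map(lint_spf, (GOOD, DUPLICATE, TOO_MANY, BAD)), sep="\n")
```

A record that passes this check can still exceed the limit once its includes are expanded, so confirm the full count against live DNS after publishing.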