What an SPF record is
SPF, short for Sender Policy Framework, is an email authentication standard defined in RFC 7208. It lets a domain owner publish, in DNS, the list of mail servers allowed to send email on the domain's behalf. That list lives in a single TXT record that begins with v=spf1 and ends with an all mechanism. When a receiving server accepts a message, it reads this record and compares the connecting IP against the sources you authorized.
Without a published SPF record, your domain is far easier to spoof and your mail is more likely to be filtered. Since 2024 the largest mailbox providers expect SPF, DKIM, and DMARC to be in place before they will reliably deliver bulk email, so a clean SPF record is a baseline requirement rather than a nice to have.
How to build a correct SPF record
The generator above assembles the record for you, but it helps to understand what each choice does. Work through these steps and watch the live output update as you go.
- List every sending source. Tick each service that sends mail for your domain, from your mailbox provider to your help desk and newsletter platform. Anything you miss will fail SPF and risk landing in spam.
- Use include for managed senders. An
include:delegates authorization to a provider, such asinclude:_spf.google.com, so their IP changes never break your record. Each include costs one DNS lookup. - Use ip4 and ip6 for your own servers. If you run a mail server on a static address, list it directly with
ip4:orip6:. Direct IP entries cost zero lookups, which keeps you well under the budget. - Close with a policy. End the record with
~allor-allto tell receivers what to do with any server you did not list.
The 10 lookup budget
RFC 7208 caps SPF evaluation at 10 DNS lookups. Every include, a, mx, ptr, and exists mechanism counts, and nested lookups inside an included record count too. Cross 10 and receivers return a PermError, which fails SPF for every message you send, even from authorized servers. The counter above tracks this in real time and warns you as you approach the limit.
If you are running low on headroom, remove sources you no longer use, replace a heavy include with the explicit ip4 ranges it resolves to, and drop the deprecated ptr mechanism. The ip4 and ip6 entries never count, so they are the safest way to authorize a stable server.
Soft fail or hard fail: ~all versus -all
The final qualifier decides what happens to mail from a server that is not in your record. With ~all, a soft fail, receivers usually accept the message but mark it as suspicious. With -all, a hard fail, receivers are told to reject it outright. Start with ~all while you confirm every legitimate sender is covered, then tighten to -all for the strongest protection against spoofing. Never publish +all, which authorizes the entire internet to send as your domain.
How to publish the TXT record
Once the output looks right, copy it and add it at your DNS host as a single TXT record.
- Open your DNS provider. Sign in to the host that manages your domain's DNS, usually your registrar or hosting control panel, and find the DNS or zone editor.
- Create one TXT record. Set the type to
TXT, the host or name to@for the root domain, and paste the generated value into the content field. Keep only one SPF record per domain. - Save and verify. Save the record, allow a little time for DNS to update, then confirm it with the SPF record checker. To complete your setup, add a policy with the DMARC generator.
SPF only checks the envelope sender, not the visible From address recipients see. Pair this record with DKIM and a DMARC policy to fully protect your domain. After publishing, run the SPF checker to confirm the record resolves and stays under 10 lookups.