Free SPF tool

SPF Record Generator

Select the services that send mail for your domain, add custom IPs and includes, and build a valid SPF record. The DNS lookup counter tracks the RFC 7208 limit of 10 as you go.

SPF builder Updates live as you choose
Build your SPF record

Tick every service that sends mail for your domain. Each one adds an include: and counts as one DNS lookup.

Authorize the IPs behind your domain's own records. Each mechanism costs one DNS lookup.

One address or CIDR range per line. IP entries resolve to ip4: or ip6: and cost no DNS lookups.

Add any include: domains not listed above. One per line. Each adds one DNS lookup.

Generated SPF record

TypeTXT Host / Name@ TTL3600
example.com · TXT
$ add TXT record at your DNS host
v=spf1 ~all
Record length: 11 characters
DNS lookup count RFC 7208 limit: 10
0 of 10 lookups used
0246810 max
SPF evaluation may resolve at most 10 DNS lookups, counting every include, a, and mx. Cross 10 and receivers return a PermError, so every message fails SPF. The ip4 and ip6 entries cost zero lookups.
Record checks
SPF records, explained

What an SPF record is

SPF, short for Sender Policy Framework, is an email authentication standard defined in RFC 7208. It lets a domain owner publish, in DNS, the list of mail servers allowed to send email on the domain's behalf. That list lives in a single TXT record that begins with v=spf1 and ends with an all mechanism. When a receiving server accepts a message, it reads this record and compares the connecting IP against the sources you authorized.

Without a published SPF record, your domain is far easier to spoof and your mail is more likely to be filtered. Since 2024 the largest mailbox providers expect SPF, DKIM, and DMARC to be in place before they will reliably deliver bulk email, so a clean SPF record is a baseline requirement rather than a nice to have.

How to build a correct SPF record

The generator above assembles the record for you, but it helps to understand what each choice does. Work through these steps and watch the live output update as you go.

  1. List every sending source. Tick each service that sends mail for your domain, from your mailbox provider to your help desk and newsletter platform. Anything you miss will fail SPF and risk landing in spam.
  2. Use include for managed senders. An include: delegates authorization to a provider, such as include:_spf.google.com, so their IP changes never break your record. Each include costs one DNS lookup.
  3. Use ip4 and ip6 for your own servers. If you run a mail server on a static address, list it directly with ip4: or ip6:. Direct IP entries cost zero lookups, which keeps you well under the budget.
  4. Close with a policy. End the record with ~all or -all to tell receivers what to do with any server you did not list.

The 10 lookup budget

RFC 7208 caps SPF evaluation at 10 DNS lookups. Every include, a, mx, ptr, and exists mechanism counts, and nested lookups inside an included record count too. Cross 10 and receivers return a PermError, which fails SPF for every message you send, even from authorized servers. The counter above tracks this in real time and warns you as you approach the limit.

If you are running low on headroom, remove sources you no longer use, replace a heavy include with the explicit ip4 ranges it resolves to, and drop the deprecated ptr mechanism. The ip4 and ip6 entries never count, so they are the safest way to authorize a stable server.

Soft fail or hard fail: ~all versus -all

The final qualifier decides what happens to mail from a server that is not in your record. With ~all, a soft fail, receivers usually accept the message but mark it as suspicious. With -all, a hard fail, receivers are told to reject it outright. Start with ~all while you confirm every legitimate sender is covered, then tighten to -all for the strongest protection against spoofing. Never publish +all, which authorizes the entire internet to send as your domain.

How to publish the TXT record

Once the output looks right, copy it and add it at your DNS host as a single TXT record.

  1. Open your DNS provider. Sign in to the host that manages your domain's DNS, usually your registrar or hosting control panel, and find the DNS or zone editor.
  2. Create one TXT record. Set the type to TXT, the host or name to @ for the root domain, and paste the generated value into the content field. Keep only one SPF record per domain.
  3. Save and verify. Save the record, allow a little time for DNS to update, then confirm it with the SPF record checker. To complete your setup, add a policy with the DMARC generator.

SPF only checks the envelope sender, not the visible From address recipients see. Pair this record with DKIM and a DMARC policy to fully protect your domain. After publishing, run the SPF checker to confirm the record resolves and stays under 10 lookups.

Frequently asked

SPF record questions

What is an SPF record?
An SPF record is a DNS TXT record that lists the mail servers and IP addresses allowed to send email for your domain. It begins with v=spf1 and ends with an all mechanism. When a receiving server gets a message, it reads this record and checks whether the connecting server was authorized. A match passes SPF, and a server that is not listed is soft failed or hard failed depending on your policy.
How do I create an SPF record for my domain?
Use the generator above. Tick every service that sends mail for your domain, add any custom IP addresses or include domains, and choose your policy. The tool outputs a value beginning with v=spf1 that you publish as a single TXT record at the root of your domain. A domain may have only one SPF record, so fold every sender into that one value rather than publishing a second record.
What should my SPF record look like for Google Workspace or Microsoft 365?
For Google Workspace a common record is v=spf1 include:_spf.google.com ~all, and for Microsoft 365 it is v=spf1 include:spf.protection.outlook.com -all. If you send through both on the same domain, combine the includes into one record, for example v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all. Tick both sources above and the generator builds the combined record for you.
How many includes can an SPF record have?
There is no fixed limit on the number of include mechanisms, but each one costs at least one DNS lookup, and RFC 7208 caps an SPF check at 10 lookups in total. In practice that 10 lookup ceiling is your real limit. The counter above tracks it live so you can see how many includes you can still add before you cross the limit.
What is the difference between ~all and -all?
Both define what happens to mail from a server that is not listed in your record. ~all is a soft fail: receivers usually accept the message but flag it as suspicious. -all is a hard fail: receivers are told to reject it. Start with ~all while you confirm every legitimate sender is covered, then tighten to -all for the strongest protection.
Can a domain have two SPF records?
No. A domain must publish exactly one SPF record. If a receiver finds two or more TXT records that begin with v=spf1, it returns a PermError and SPF fails for every message. To authorize another service, add its include to your existing record rather than creating a second one. A single record longer than 255 characters is split into multiple strings by DNS, which is still one record, not two.
Where do I publish my SPF record?
Publish it at your DNS host as a TXT record on the root domain, using @ as the host or name in most control panels. Set the type to TXT and paste the generated value into the content field. After saving, allow a short time for DNS to update, then confirm it with the SPF record checker.
Why is my SPF record failing with a PermError?
A PermError usually means one of two things: your record resolves more than 10 DNS lookups, or your domain has more than one SPF record. Fix the lookup count by removing unused includes, flattening a heavy include to its ip4 ranges, and dropping the ptr mechanism. Fix duplicates by merging every sender into one record. Re-run the checker afterward to confirm the error is gone.
How do I combine SPF records for multiple email providers?
You never publish two SPF records. Instead you merge every sender into a single record by listing each provider include one after another, for example v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all. Add every service that sends for you, from your mailbox provider to your marketing and help desk platforms, then close with one all mechanism. The generator above builds this combined record for you.
Why does Google Workspace use so many of my DNS lookups?
Some providers nest several lookups inside their include, so a single entry can use four or more of your budget of 10. That leaves little room once you add other senders, which is the most common way records hit the limit. If you are running low, remove unused senders first, then flatten only the heaviest includes to explicit ip4 ranges as a last resort, since flattened entries then need manual upkeep.
Do I need to update my SPF record when I add a new email tool?
Yes. Any new service that sends mail for your domain has to be added to your single SPF record, or its mail will fail SPF and risk the spam folder. Before adding one, confirm you have lookup headroom under the limit of 10, add the provider include, and re-scan to make sure the record still validates. Treat the record as a living inventory of everyone allowed to send as you.