SPF Record Generator
Build a valid SPF record by selecting your email providers and adding custom sources. Tracks your DNS lookup count in real time.
Select all services that send email on behalf of your domain.
Add specific IP addresses or CIDR ranges. One per line. These do not count toward the 10-lookup limit.
Add additional include: domains not listed above. One per line. Each adds 1 DNS lookup.
How to Use This SPF Generator
- Select your email providers - Check the boxes for every service that sends email on behalf of your domain (Google Workspace, SendGrid, Mailchimp, etc.).
- Add custom IPs - If you run your own mail server, add its IP addresses. IP-based entries do not count toward the DNS lookup limit.
- Choose your policy - Soft fail (~all) is recommended for most domains. Hard fail (-all) is stricter but may cause issues if you miss a legitimate sender.
- Watch the lookup counter - SPF allows a maximum of 10 DNS lookups per evaluation. Our counter tracks this in real time.
- Copy and publish - Add the generated record as a TXT record at the root of your domain (usually @ as the hostname).
- Verify - Use our SPF Record Checker to confirm the record is published and valid.
SPF DNS Lookup Limit
The SPF specification (RFC 7208) limits the number of DNS lookups during evaluation to 10. Each include:, a, mx, ptr, and exists mechanism, and the redirect modifier, counts as one lookup. The ip4: and ip6: mechanisms do not require DNS lookups and are not counted.
If your SPF record exceeds 10 lookups, it will result in a permanent error (permerror) and SPF authentication will fail for all email from your domain.
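The counting rule above, including lookups nested inside included records, as an added example (not this generator's own code). ZONE is constructed sample data standing in for live TXT queries, all domain names in it are hypothetical, and the result is a static worst-case count that assumes every term is evaluated.

```python
import re

# Terms that trigger a DNS query during SPF evaluation (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Optional qualifier, term name, optional ":" or "=" argument, optional CIDR suffix.
TERM = re.compile(r"^[+\-~?]?([A-Za-z][\w.\-]*)(?:[:=](.*?))?(?:/.*)?$")

# Constructed sample records (hypothetical names), used instead of live DNS.
ZONE = {
    "example.test": "v=spf1 mx ip4:192.0.2.10 include:_spf.mail.example.test "
                    "include:_spf.crm.example.test ~all",
    "_spf.mail.example.test": "v=spf1 include:_a.mail.example.test "
                              "include:_b.mail.example.test ~all",
    "_a.mail.example.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mail.example.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example.test": "v=spf1 a:out.crm.example.test "
                             "exists:%{i}.bl.example.test -all",
}

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms for domain, descending into include/redirect."""
    if domain in path:                        # include loop: stop descending
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # skip the v=spf1 tag
        match = TERM.match(term)
        if not match:
            continue
        name, arg = match.group(1).lower(), match.group(2)
        if name in LOOKUP_TERMS:
            total += 1                        # the term itself costs one lookup
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg, zone, path + (domain,))  # nested cost
    return total

def check(domain, zone):
    """Return (lookups_used, verdict) against the 10-lookup limit."""
    used = count_lookups(domain, zone)
    return used, ("ok" if used <= MAX_LOOKUPS else "permerror")

if __name__ == "__main__":
    # The top-level record shows only 3 lookup terms; nested includes make it 7.
    print(check("example.test", ZONE))
```
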
SPF Best Practices
- Use include: for third-party senders instead of hardcoding their IPs, which may change.
- Use ip4: for your own mail servers with static IPs.
- Never use +all, as it authorizes any server to send email for your domain.
- Keep only one SPF TXT record per domain. Multiple SPF records cause evaluation failures.
- If you are running out of lookups, consider using SPF flattening or consolidating your sending services.
Frequently Asked Questions
An SPF record is a DNS TXT record that specifies which IP addresses and mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email from your domain, it checks the SPF record to verify the sender is authorized. If not, the email may be marked as spam or rejected.
Use our SPF record generator to select all services that send email for your domain, add custom IP addresses, and choose your policy. The tool outputs a TXT record value starting with v=spf1 that you publish at the root of your domain in DNS. You can only have one SPF record per domain.
The SPF specification limits each check to a maximum of 10 DNS lookups, counting include, a, mx, ptr, exists mechanisms and the redirect modifier. Exceeding this limit causes a PermError that fails authentication for all email. Remove unnecessary includes or replace them with direct ip4/ip6 entries to stay under the limit.
The ~all (softfail) tells receivers that unauthorized emails should be accepted but flagged as suspicious, typically landing in spam. The -all (hardfail) instructs servers to reject unauthorized emails entirely. Google recommends ~all because it is less likely to block legitimate emails if you accidentally omit an authorized sender.
No, a domain must publish exactly one SPF record. Having multiple SPF TXT records causes a PermError, meaning authentication fails for all email. If you need to add new senders, update your existing SPF record rather than creating a new one. Use the include mechanism to reference third-party services within your single record.
SPF flattening replaces include mechanisms with the actual IP addresses they resolve to, reducing DNS lookups. While it solves the lookup limit problem, it has a major drawback: if a provider changes their IPs, your flattened record becomes outdated and legitimate emails will fail. Consider subdomain segmentation as a more maintainable alternative.
The include, a, mx, ptr (deprecated), exists mechanisms, and the redirect modifier each count as one DNS lookup. Nested lookups from included records also count. The ip4, ip6, and all mechanisms do not require DNS lookups and do not count toward the 10-lookup limit.
Without an SPF record, any server can send email claiming to be from your domain, making it vulnerable to spoofing and phishing. Receiving servers will treat your emails with suspicion, increasing the likelihood of delivery to spam folders. Without SPF, DMARC cannot use SPF alignment, weakening your overall authentication posture.