SPF Record Generator


Generate a valid SPF (Sender Policy Framework) DNS TXT record for your domain. Built-in presets for Google Workspace, Microsoft 365, SendGrid, Mailgun, and 8+ other senders. The record tells receiving mail servers which IPs and services are allowed to send email on your behalf.

Authorized Senders

Tick every service that sends email from your domain. Each adds an include: mechanism to the record.

Domain Mechanisms

Additional IPs

Custom include: Domains

Use this if your sender isn't in the preset list above.

Policy

Generated SPF Record

v=spf1 mx ~all
Type: TXT · Host: @ (the apex of your domain) · TTL: 3600
DNS lookup count: 1/10

What is an SPF record?

SPF (Sender Policy Framework) is a DNS TXT record that lists which servers are authorized to send email on behalf of your domain. When a receiving mail server gets a message whose envelope sender (MAIL FROM) is you@example.com, it queries example.com's SPF record and checks whether the connecting IP is on the approved list. If not, the message can be rejected, marked spam, or accepted depending on your policy.

SPF is defined by RFC 7208 and is one of three email-authentication standards alongside DKIM and DMARC. Without all three, large mailbox providers (Gmail, Microsoft 365, Yahoo) increasingly send your mail to spam — Google and Yahoo's February 2024 enforcement made SPF + DKIM + DMARC a hard requirement for bulk senders.

SPF record syntax

An SPF record is a single line: the version tag v=spf1 followed by space-separated mechanisms, ending with the all mechanism and its qualifier:

v=spf1 ip4:203.0.113.5 include:_spf.google.com include:sendgrid.net -all
  • v=spf1 — required version tag, must be first.
  • ip4: / ip6: — explicit IP or CIDR range allowed.
  • a / mx — allow whatever IPs the domain's A or MX records resolve to.
  • include: — delegate authorization to another domain's SPF record (used for SaaS senders).
  • -all — everything not matched fails (hard fail). ~all = soft fail. ?all = neutral.

The 10-DNS-lookup limit

RFC 7208 caps SPF evaluation at 10 DNS-querying terms, including those inside nested includes. Each include:, a, mx, ptr, and exists mechanism and each redirect= modifier counts. Hit 11 and the receiver returns a PermError: your record is treated as having no SPF at all. The generator above tracks this in real time. If you go over, "SPF flattening" (replacing includes with their resolved IPs) is the standard workaround, though it requires automation to keep IPs current.
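
The lookup counting described above, as an added example (not the generator's own code): a static worst-case counter that follows nested includes through a constructed zone table instead of live DNS, and also flags the duplicate-record case. Every domain name, the ZONE table and the function names are assumptions made for illustration.

```python
import re

LIMIT = 10  # RFC 7208: at most 10 DNS-querying terms per SPF evaluation
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Constructed zone data (name -> TXT strings); every name here is hypothetical.
ZONE = {
    "ok.example": ["v=spf1 mx include:_spf.esp-a.example ~all"],
    "big.example": ["v=spf1 a mx include:_spf.esp-a.example "
                    "include:_spf.esp-b.example include:_spf.esp-c.example ~all"],
    "dup.example": ["v=spf1 mx ~all", "v=spf1 include:_spf.esp-a.example ~all"],
    "_spf.esp-a.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.esp-b.example": ["v=spf1 include:n1.esp-b.example include:n2.esp-b.example -all"],
    "_spf.esp-c.example": ["v=spf1 a mx a:out.esp-c.example include:n1.esp-b.example -all"],
    "n1.esp-b.example": ["v=spf1 ip4:198.51.100.0/25 -all"],
    "n2.esp-b.example": ["v=spf1 ip4:198.51.100.128/25 -all"],
}

class PermError(Exception):
    """Raised where a receiver would return SPF PermError."""

def spf_record(domain, zone):
    """Return the domain's single v=spf1 TXT string; zero or several is an error."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise PermError(f"{domain}: {len(found)} SPF records, need exactly 1")
    return found[0]

def count_lookups(domain, zone, chain=()):
    """Worst-case count of DNS-querying terms, following include: and redirect=."""
    if domain in chain:
        raise PermError(f"{domain}: include loop")
    total = 0
    for term in spf_record(domain, zone).lower().split()[1:]:
        name, target = re.match(r"[+\-~?]?([a-z0-9]*)(?:[:=]([^/]+))?", term).groups()
        if name in QUERYING:
            total += 1  # the term itself costs one lookup
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, chain + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return (lookup_count, verdict) for the record published at domain."""
    try:
        n = count_lookups(domain, zone)
    except PermError as exc:
        return None, f"permerror ({exc})"
    return n, "ok" if n <= LIMIT else f"permerror ({n} lookups, limit {LIMIT})"

if __name__ == "__main__":
    print([(d, *check(d)) for d in ("ok.example", "big.example", "dup.example")])
```

The count is a worst case: a real receiver stops at the first mechanism that matches, so it may issue fewer queries than the number reported here.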

Frequently Asked Questions

Can I have more than one SPF record?

No. RFC 7208 explicitly forbids multiple SPF records on the same domain — receivers return PermError when they find two. Combine all sources into a single record. Subdomains can have their own separate record.

What's the difference between -all and ~all?

-all (hard fail) tells receivers to reject any unauthorized mail. ~all (soft fail) tells them to accept it but mark it suspicious. Start with ~all while testing, then move to -all once you're confident every legitimate sender is included.

Where do I put the SPF record?

Add it as a TXT record on your domain's apex (host: @, or just your domain name). Most DNS providers (Cloudflare, Route 53, Namecheap, GoDaddy) have a "TXT" record type. The value is the entire string starting with v=spf1.

Do subdomains inherit the parent's SPF?

No. SPF is checked against the exact MAIL FROM domain. If you send mail from news.example.com, that subdomain needs its own SPF record. The DMARC record's sp= tag controls subdomain policy, not SPF.

How long after publishing does SPF take effect?

As soon as DNS propagates — typically 5 minutes to 1 hour depending on your TTL. Verify with dig TXT example.com or any DNS-checker tool. Receiving servers also cache, so very recent changes may take a bit longer to fully propagate everywhere.
