Generate a Copy-Ready SPF Record

DNS publishing

SPF Defines Authorized Sending Sources

Publish SPF as a TXT record at your root domain. Keep the record focused on legitimate senders and avoid too many includes, because SPF has DNS lookup limits.

About SPF

How SPF Works and What Belongs in the Record

What is SPF?

Sender Policy Framework (SPF) is a DNS record that lists which servers and providers are authorized to send mail using your domain in the envelope address. Receiving mail servers fetch this TXT record and compare it to the IP that connected to deliver the message. If the IP is not authorized, the receiver can downgrade or reject the mail. SPF is the foundation that DMARC builds on, so publishing it correctly is the first step in any email authentication rollout.

Reading the syntax

An SPF record always starts with v=spf1 and ends with a default qualifier on the all mechanism (for example ~all or -all). In between you list mechanisms: mx allows hosts listed in your MX records, a allows the IP in your A record, ip4: and ip6: allow specific addresses or CIDR ranges, and include: pulls in another domain's SPF record (typically your email provider). Each mechanism is space-separated. The order matters: SPF is evaluated left to right and the first match wins.

Common provider includes

Google Workspace uses include:_spf.google.com. Microsoft 365 uses include:spf.protection.outlook.com. SendGrid uses include:sendgrid.net, Mailgun uses include:mailgun.org, Postmark uses include:spf.mtasv.net, and Amazon SES uses include:amazonses.com. Add an include only for services you actively send from. Removing legacy includes is just as important as adding new ones.

Choose the right qualifier

The trailing qualifier tells receivers what to do when no other mechanism matches. ~all is soft fail, which marks unauthenticated mail as suspicious without rejecting it outright and is the safest starting point. -all is hard fail and instructs receivers to reject unauthenticated mail at the SMTP layer. ?all is neutral and provides no policy at all. Start with ~all while you confirm every legitimate sender is included, then move to -all once you are confident.

Watch the 10-DNS-lookup limit

RFC 7208 caps SPF evaluation at 10 DNS lookups, counting every include, a, mx, exists, and ptr mechanism as well as the redirect modifier. Each include can chain further lookups, so it is easy to exceed the limit if you stack multiple providers. When you exceed the cap, SPF returns a permerror, which fails DMARC alignment. If you are close to the limit, consolidate providers, switch to ip4: ranges where possible, or use an SPF flattening service.

SPF Record Generator FAQ

Where do I publish my SPF record?

Publish SPF as a TXT record at your root domain (example.com, not _spf.example.com). You can only have one SPF record per domain. If you already have one, edit the existing record instead of creating a second TXT record, otherwise receivers will return a permerror.

What is the difference between -all, ~all, and ?all?

-all is a hard fail that tells receivers to reject mail that does not match any mechanism. ~all is a soft fail that tells receivers to accept the mail but mark it as suspicious. ?all is neutral and tells receivers to ignore SPF entirely. Most domains should start with ~all and move to -all only after verifying every legitimate sender is covered.

How many includes can I add?

SPF evaluation is capped at 10 DNS lookups total, and most include mechanisms cost one or more lookups each. If you exceed the limit the record returns a permanent error and DMARC alignment fails. Keep includes to the providers you actively use and consider SPF flattening if you are close to the cap.

Do subdomains inherit my SPF record?

No. SPF is checked on the envelope domain, which can be a subdomain such as mail.example.com. If you send from a subdomain you need a TXT record on that subdomain too, or DMARC will treat the message as unauthenticated even when the root domain is fully covered.
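
The 10-lookup cap and the one-record-per-domain rule described above, as an added example (not part of the original page or any provider's tooling): a Python checker that follows include: and redirect= through a constructed zone and counts lookup-causing terms. The zone contents, the domain names and the function names spf_record, count_lookups and check are assumptions made for illustration; the count is the worst case, where no mechanism matches before the end of the record.

```python
import re

# Constructed zone (domain -> TXT strings); every name is a hypothetical stand-in.
ZONE = {
    "example.com": ["v=spf1 mx a include:_spf.mail.example include:send.crm.example "
                    "include:bulk.news.example ip4:203.0.113.0/24 ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example "
                          "include:_b.mail.example ip6:2001:db8::/32 ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/25 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.128/25 ~all"],
    "send.crm.example": ["v=spf1 a mx exists:%{i}.rbl.crm.example ~all"],
    "bulk.news.example": ["v=spf1 redirect=_spf.news.example"],
    "_spf.news.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "dup.example": ["v=spf1 mx ~all", "v=spf1 include:_spf.mail.example -all"],
}
LIMIT = 10  # RFC 7208 cap on lookup-causing terms per evaluation

# Terms that cost a lookup; ip4, ip6 and all do not match and cost nothing.
TERM = re.compile(r"[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)(?::([^/\s]+))?"
                  r"|redirect=(\S+)", re.I)

def spf_record(domain, zone):
    """Return the one SPF record published at domain, else raise."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise ValueError(f"{len(found)} SPF records at {domain} (need exactly 1)")
    return found[0]

def count_lookups(domain, zone, seen=()):
    """Worst-case count; only include: and redirect= pull in another record."""
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for term in spf_record(domain, zone).split()[1:]:
        m = TERM.match(term)
        if not m:
            continue
        total += 1
        target = m.group(2) if (m.group(1) or "").lower() == "include" else m.group(3)
        if target:
            total += count_lookups(target, zone, seen + (domain,))
    return total

def check(domain, zone=ZONE):
    try:
        n = count_lookups(domain, zone)
    except ValueError as e:
        return f"fail: {e}"
    return f"fail: {n} lookups exceeds {LIMIT}" if n > LIMIT else f"ok: {n} lookups"
```

In the constructed zone, example.com lists only three includes plus mx and a, yet the nested records bring the total to 11; replacing one nested include with its ip4: ranges brings it back under the cap.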

Need DMARC Enforcement Too?

After SPF is in place, generate a DMARC policy to tell receivers how to handle failed authentication.
