
SPF Record Generator

Create valid SPF TXT records for email authentication online. Free SPF generator to prevent spoofing and improve deliverability.

Generated SPF Record

16 chars, 2/10 DNS lookups
v=spf1 a mx ~all

The domain you are creating the SPF record for (for reference only)

Allow mail from this domain's A record

Adds the a mechanism

Allow mail from this domain's MX records

Adds the mx mechanism

Add specific IPv4 addresses or CIDR ranges allowed to send email (e.g., 203.0.113.5 or 198.51.100.0/24)

Add specific IPv6 addresses or CIDR ranges (e.g., 2001:db8::1 or 2001:db8::/32)

Add third-party email services that send email on your behalf

DNS Setup Instructions

  1. Log in to your DNS provider or domain registrar
  2. Navigate to DNS management for your domain
  3. Add a new TXT record
  4. Set the Host/Name to @ (or leave blank)
  5. Paste the generated SPF record as the Value/Content
  6. Set TTL to 3600 (1 hour) or your preferred value
  7. Save the record

Type   Host   Value               TTL
TXT    @      v=spf1 a mx ~all    3600

SPF Mechanism Quick Reference

v=spf1     Required. Identifies the record as SPF version 1
a          Match the domain's A (IPv4) record
mx         Match the domain's MX (mail server) records
ip4:       Match a specific IPv4 address or CIDR range
ip6:       Match a specific IPv6 address or CIDR range
include:   Reference another domain's SPF record
-all       Fail: unauthorized senders are rejected
~all       SoftFail: unauthorized senders are flagged but accepted
?all       Neutral: no opinion on unauthorized senders

What is SPF?

Sender Policy Framework (SPF) is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. It works by publishing a special DNS TXT record that receiving mail servers check when they get an email claiming to be from your domain.

When an email arrives at a receiving server, the server looks up the SPF record for the sender's domain. It then checks whether the sending server's IP address matches any of the authorized addresses in the SPF record. If it does, the email passes SPF authentication. If not, the email may be rejected, flagged as suspicious, or delivered normally, depending on the policy specified in the record.

SPF was first proposed in 2003 and is defined in RFC 7208. Together with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF forms the foundation of modern email authentication, helping protect against phishing, spoofing, and spam.

SPF Record Syntax Explained

An SPF record is a DNS TXT record that begins with v=spf1 followed by a series of mechanisms and modifiers. Here is the anatomy of a typical SPF record:

v=spf1 a mx ip4:192.0.2.1 include:_spf.google.com ~all

Mechanisms

Mechanisms define which servers are allowed to send mail. They are evaluated left-to-right. The first match determines the result. Common mechanisms include:

  • a — matches if the sender IP matches the domain's A/AAAA record
  • mx — matches if the sender IP matches one of the domain's MX hosts
  • ip4: / ip6: — matches a specific IP address or CIDR range
  • include: — references another domain's SPF record (recursive lookup)

Qualifiers

Each mechanism can be prefixed with a qualifier that determines what happens when it matches:

  • + (Pass) — default, the sender is authorized
  • - (Fail) — the sender is not authorized; reject the email
  • ~ (SoftFail) — the sender is probably not authorized; accept but flag
  • ? (Neutral) — no assertion is made about the sender

The 10 DNS Lookup Limit

SPF evaluation is limited to a maximum of 10 DNS-querying mechanisms (a, mx, include, redirect). The ip4 and ip6 mechanisms do not count toward this limit because they do not require a DNS lookup. Exceeding 10 lookups results in a PermError, which most receivers treat as an SPF failure.
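
Added example (not part of the original page or the generator's own code): a small Python evaluator that applies the rules from the Mechanisms, Qualifiers and 10 DNS Lookup Limit sections, namely left-to-right evaluation, first match wins, and a lookup counter shared across nested includes. The domains, addresses and the ZONE table are constructed sample data standing in for DNS; a and mx are counted toward the limit but never match here because the sample carries no address records.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT lookups (not real records).
ZONE = {
    "example.test": "v=spf1 -ip4:203.0.113.66 ip4:203.0.113.0/24 "
                    "include:_spf.mailer.test ~all",
    "_spf.mailer.test": "v=spf1 ip6:2001:db8::/32 include:_pool.mailer.test -all",
    "_pool.mailer.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "plain.test": "v=spf1 a mx ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that cost a DNS lookup; RFC 7208 counts exists and ptr as well.
# The redirect= modifier also counts but is not modelled in this example.
COUNTED = {"a", "mx", "include", "exists", "ptr"}

class PermError(Exception):
    """Raised when evaluation needs more than 10 DNS lookups."""

def check_host(ip, domain, zone=ZONE, used=None):
    """Evaluate `domain`'s record for sender `ip`; return (result, lookups)."""
    used = [0] if used is None else used      # one counter shared by all includes
    addr = ipaddress.ip_address(ip)
    terms = zone.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none", used[0]
    for term in terms[1:]:                     # left to right, first match wins
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech in COUNTED:
            used[0] += 1
            if used[0] > 10:
                raise PermError(f"lookup limit exceeded at {term!r}")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":                # matches only if the target passes
            matched = check_host(ip, arg, zone, used)[0] == "pass"
        else:
            matched = False   # a/mx/exists/ptr: counted, no address data here
        if matched:
            return RESULTS[qualifier], used[0]
    return "neutral", used[0]

if __name__ == "__main__":
    for ip in ("203.0.113.66", "203.0.113.10", "198.51.100.9", "192.0.2.1"):
        print(ip, check_host(ip, "example.test"))
```

The first sample address fails even though it sits inside the authorized /24, because the earlier -ip4 term matches first.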

Common SPF Records for Popular Providers

Google Workspace / Gmail

v=spf1 include:_spf.google.com ~all

Microsoft 365 / Outlook

v=spf1 include:spf.protection.outlook.com ~all

Zoho Mail

v=spf1 include:spf.zoho.com ~all

Google Workspace + SendGrid + Mailchimp

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ~all

Microsoft 365 + Amazon SES

v=spf1 include:spf.protection.outlook.com include:amazonses.com ~all

Why SPF Matters for Email Deliverability

Without SPF, anyone can send email that appears to come from your domain. This makes your domain vulnerable to spoofing attacks, phishing campaigns, and being used as a source of spam. Here is why implementing SPF is critical:

  • Prevents Email Spoofing: SPF tells receiving servers exactly which IPs are allowed to send mail for your domain, making it much harder for attackers to forge your address.
  • Improves Deliverability: Major email providers like Gmail, Outlook, and Yahoo check SPF records. Emails from domains with valid SPF records are less likely to be flagged as spam.
  • Protects Brand Reputation: When spammers spoof your domain, recipients may associate the spam with your brand. SPF helps prevent this damage.
  • Required for DMARC: DMARC relies on SPF (and DKIM) alignment to make policy decisions. Without SPF, your DMARC policy cannot fully protect your domain.
  • Compliance Requirements: Many industries and email providers now require SPF as a minimum standard. Google and Yahoo began enforcing stricter authentication requirements in 2024 for bulk senders.

For best results, combine SPF with DKIM and DMARC to create a comprehensive email authentication strategy. SPF verifies the sending server, DKIM verifies the message integrity, and DMARC ties them together with a policy and reporting.

How to Use SPF Record Generator

1. Inventory your sending services

List every service that sends email on behalf of your domain — Google Workspace or Microsoft 365 for staff mail, Mailgun or SendGrid for transactional, Mailchimp for newsletters, plus any custom servers.

2. Build the mechanism list

Add an include directive for each authorized service. Common providers are usually pre-populated, so much of the work is ticking the right boxes rather than typing host names.

3. Pick a qualifier

Start with ~all (soft fail) while you watch traffic. Once you're confident every legitimate sender is covered, tighten to -all (hard fail) for stricter enforcement.

4. Publish and verify

Add the generated string as a TXT record at the apex of your domain. Allow 24–48 hours for DNS propagation, then run the record through mxtoolbox.com's SPF tester to confirm validity and lookup count.

When to Use SPF Record Generator

Setting up authentication for a new domain

When you're standing up email for a new domain, the SPF record is one of the first things to publish. It tells receivers which servers are allowed to send mail on your behalf. The generator builds a syntactically correct TXT record so you can paste it straight into your DNS provider without hand-writing the mechanism strings.

Getting more email into inboxes

SPF, paired with DKIM and DMARC, is one of the strongest signals receivers use to decide whether to trust a message. A well-formed record meaningfully improves the odds that legitimate transactional and marketing email reaches the inbox instead of the junk folder. The generator helps make sure the record covers every service you actually send through.

Cutting off spoofed mail

Without SPF, anyone can forge mail that appears to come from your domain. With it, receivers know which servers are legitimate and can reject the rest. The protection matters for brand reputation, customer trust, and the integrity of any password-reset or notification email that depends on recipients believing the sender.

Coordinating multiple sending services

Real businesses send email through several providers — Google Workspace for staff mail, Mailgun or SendGrid for transactional traffic, Mailchimp for newsletters. Each one needs an entry in your SPF record. Building a single comprehensive record that covers them all (and stays inside the 10-lookup limit) is exactly the problem the generator is designed for.

SPF Record Generator Examples

A single sending service

Input
Sending mail only through Google Workspace
Output
v=spf1 include:_spf.google.com ~all

This is about as simple as SPF gets. v=spf1 declares the version, the include directive pulls in Google's authorized servers by reference, and ~all marks unauthorized senders as suspicious without outright rejecting them. A solid starting record while you verify everything works.

Multiple providers

Input
Google Workspace plus SendGrid plus Mailgun
Output
v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org ~all

Each service appears as its own include directive. Order doesn't matter — receivers walk through every entry and accept the message if any of them authorize the sending IP. The 10-lookup ceiling becomes a real concern once the list grows past three or four services.

Strict enforcement

Input
All sending services listed and a hard rejection for everyone else
Output
v=spf1 include:_spf.google.com -all

The -all qualifier tells receivers to reject anything that doesn't match. It's the strongest stance you can take, but it's also unforgiving — leave out a legitimate sender and that mail bounces. Worth doing only after you've confirmed every service is in the record.

Tips & Best Practices for SPF Record Generator

  1. Start conservative with ~all and tighten to -all only after you've watched a few weeks of mail flow without surprise rejections. The intermediate posture lets you find missed senders before they hit a hard wall.
  2. Stay under the 10 DNS-lookup ceiling. Each include and a/mx mechanism counts, and recursive includes count too. Long SPF chains hit the limit and trigger a permanent error, which is worse for deliverability than a slightly looser record.
  3. Validate the record before publishing. mxtoolbox.com's SPF tester catches syntax errors, lookup overruns, and unresolvable includes — all things you'd rather find in staging than after a DNS change has propagated.
  4. Update the record whenever you add or drop a sending service. Stale SPF is a slow-motion deliverability problem because legitimate new senders eventually start failing authentication for reasons no one remembers.
  5. SPF is one third of modern email authentication. Pair it with DKIM (which signs each message) and DMARC (which tells receivers what to do when SPF or DKIM fails). All three together is the modern baseline; any one alone is incomplete.
  6. Don't go straight to -all on a brand-new record. The hard-fail qualifier punishes any mistake in your include list by blackholing your real mail. Soft-fail first, harden later, and you'll save yourself the panicked rollback.

Frequently Asked Questions

SPF stands for Sender Policy Framework. It's a DNS record that lists the servers allowed to send mail for your domain, which lets receivers reject forged messages that pretend to come from you. The standard has been in use since 2006 and is one of the three pillars of modern email authentication alongside DKIM and DMARC.