SPF Record Generator

Create valid SPF TXT records for your domain's email authentication. Prevent email spoofing and improve deliverability.

Generated SPF Record

16 chars, 2/10 DNS lookups
v=spf1 a mx ~all

The domain you are creating the SPF record for (for reference only)

Allow mail from this domain's A record

Adds the a mechanism

Allow mail from this domain's MX records

Adds the mx mechanism

Add specific IPv4 addresses or CIDR ranges allowed to send email (e.g., 203.0.113.5 or 198.51.100.0/24)

Add specific IPv6 addresses or CIDR ranges (e.g., 2001:db8::1 or 2001:db8::/32)

Add third-party email services that send email on your behalf

DNS Setup Instructions

  1. Log in to your DNS provider or domain registrar
  2. Navigate to DNS management for your domain
  3. Add a new TXT record
  4. Set the Host/Name to @ (or leave blank)
  5. Paste the generated SPF record as the Value/Content
  6. Set TTL to 3600 (1 hour) or your preferred value
  7. Save the record

Type   Host   Value              TTL
TXT    @      v=spf1 a mx ~all   3600

SPF Mechanism Quick Reference

v=spf1     Required. Identifies the record as SPF version 1
a          Match the domain's A/AAAA record
mx         Match the domain's MX (mail server) records
ip4:       Match a specific IPv4 address or CIDR range
ip6:       Match a specific IPv6 address or CIDR range
include:   Reference another domain's SPF record
-all       Fail: unauthorized senders are rejected
~all       SoftFail: unauthorized senders are flagged but accepted
?all       Neutral: no opinion on unauthorized senders

What is SPF?

Sender Policy Framework (SPF) is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. It works by publishing a special DNS TXT record that receiving mail servers check when they get an email claiming to be from your domain.

When an email arrives at a receiving server, the server looks up the SPF record for the sender's domain. It then checks whether the sending server's IP address matches any of the authorized addresses in the SPF record. If it does, the email passes SPF authentication. If not, the email may be rejected, flagged as suspicious, or delivered normally, depending on the policy specified in the record.

SPF was first proposed in 2003 and is defined in RFC 7208. Together with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF forms the foundation of modern email authentication, helping protect against phishing, spoofing, and spam.

SPF Record Syntax Explained

An SPF record is a DNS TXT record that begins with v=spf1 followed by a series of mechanisms and modifiers. Here is the anatomy of a typical SPF record:

v=spf1 a mx ip4:192.0.2.1 include:_spf.google.com ~all

Mechanisms

Mechanisms define which servers are allowed to send mail. They are evaluated left-to-right. The first match determines the result. Common mechanisms include:

  • a — matches if the sender IP matches the domain's A/AAAA record
  • mx — matches if the sender IP matches one of the domain's MX hosts
  • ip4: / ip6: — matches a specific IP address or CIDR range
  • include: — references another domain's SPF record (recursive lookup)

Qualifiers

Each mechanism can be prefixed with a qualifier that determines what happens when it matches:

  • + (Pass) — default, the sender is authorized
  • - (Fail) — the sender is not authorized; reject the email
  • ~ (SoftFail) — the sender is probably not authorized; accept but flag
  • ? (Neutral) — no assertion is made about the sender

The 10 DNS Lookup Limit

SPF evaluation is limited to a maximum of 10 DNS-querying terms, such as the a, mx and include mechanisms and the redirect modifier. The ip4 and ip6 mechanisms do not count toward this limit because they do not require a DNS lookup. Exceeding 10 lookups results in a PermError, which most receivers treat as an SPF failure.
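
The sketch below is an added example, not code from this page or its generator. It walks a record left to right, applies the qualifier of the first matching mechanism, and counts DNS-querying terms across nested includes. The TXT, ADDR and MX tables stand in for DNS and hold constructed sample data; the check_host name and the table layout are assumptions, and CIDR suffixes on a/mx, ptr, exists and redirect are not modelled.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges), not real records.
TXT = {
    "example.com": "v=spf1 a mx ip4:192.0.2.1 include:_spf.example.net ~all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    # A chain of includes that is longer than the 10-lookup limit.
    **{f"hop{i}.example.org": f"v=spf1 include:hop{i + 1}.example.org -all"
       for i in range(12)},
}
ADDR = {"example.com": ["203.0.113.5"], "mail.example.com": ["203.0.113.25"]}
MX = {"example.com": ["mail.example.com"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # one budget for the whole evaluation, includes too


def check_host(ip, domain, state=None):
    """Return (result, dns_lookups_used) for a sender IP and a domain."""
    state = {"lookups": 0} if state is None else state
    record = TXT.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return "none", state["lookups"]
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # left to right, first match wins
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("a", "mx", "include"):  # ip4/ip6/all cost no lookup
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror", state["lookups"]
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in ADDR.get(arg or domain, [])
        elif name == "mx":
            matched = any(ip in ADDR.get(h, []) for h in MX.get(arg or domain, []))
        elif name == "include":
            sub, _ = check_host(ip, arg, state)
            if sub in ("permerror", "none"):
                return "permerror", state["lookups"]
            matched = sub == "pass"  # a fail inside an include is only "no match"
        else:
            return "permerror", state["lookups"]  # term not modelled here
        if matched:
            return QUALIFIERS[qualifier], state["lookups"]
    return "neutral", state["lookups"]  # no mechanism matched
```

Note that the -all inside the included record does not reject the message on its own: the include simply fails to match and evaluation continues to the outer ~all.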

Common SPF Records for Popular Providers

Google Workspace / Gmail

v=spf1 include:_spf.google.com ~all

Microsoft 365 / Outlook

v=spf1 include:spf.protection.outlook.com ~all

Zoho Mail

v=spf1 include:spf.zoho.com ~all

Google Workspace + SendGrid + Mailchimp

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net ~all

Microsoft 365 + Amazon SES

v=spf1 include:spf.protection.outlook.com include:amazonses.com ~all

Why SPF Matters for Email Deliverability

Without SPF, anyone can send email that appears to come from your domain. This makes your domain vulnerable to spoofing attacks, phishing campaigns, and being used as a source of spam. Here is why implementing SPF is critical:

  • Prevents Email Spoofing: SPF tells receiving servers exactly which IPs are allowed to send mail for your domain, making it much harder for attackers to forge your address.
  • Improves Deliverability: Major email providers like Gmail, Outlook, and Yahoo check SPF records. Emails from domains with valid SPF records are less likely to be flagged as spam.
  • Protects Brand Reputation: When spammers spoof your domain, recipients may associate the spam with your brand. SPF helps prevent this damage.
  • Required for DMARC: DMARC relies on SPF (and DKIM) alignment to make policy decisions. Without SPF, your DMARC policy cannot fully protect your domain.
  • Compliance Requirements: Many industries and email providers now require SPF as a minimum standard. Google and Yahoo began enforcing stricter authentication requirements in 2024 for bulk senders.

For best results, combine SPF with DKIM and DMARC to create a comprehensive email authentication strategy. SPF verifies the sending server, DKIM verifies the message integrity, and DMARC ties them together with a policy and reporting.