Generate a valid SPF record for your email infrastructure

Free SPF Record Generator

Build Your SPF Record

Select your email service providers, configure the policy, and get a ready-to-publish SPF record.

Custom Entries

Add custom mechanisms (e.g. ip4:203.0.113.5 or include:custom.example.com), one per line.

Your SPF Record

TXT Record Value: v=spf1 -all
DNS Lookups: 0 / 10

How to publish
  1. Log in to your DNS provider
  2. Add a TXT record for your domain (@)
  3. Paste the value above as the record content
  4. Save and wait for propagation (up to 48h)

Getting Started

How to Use This Tool

1. Select Your Email Service Providers

Choose the ESPs and services that send email on behalf of your domain. This includes your primary email provider (e.g., Google Workspace, Microsoft 365) as well as any marketing platforms, transactional email services, or CRMs that send email using your domain.

2. Choose Your SPF Policy

Select how strictly receiving servers should treat emails from unauthorized sources. Use "~all" (soft fail) if you are still testing, or "-all" (hard fail) for strict enforcement once you have confirmed all sending sources are included.

3. Copy Your Generated Record

The tool generates your complete SPF record in real time. Copy the record to your clipboard with one click.

4. Add the Record to Your DNS

Log in to your DNS provider or domain registrar, create a new TXT record for your root domain (@), and paste the generated SPF record as the value. Changes may take up to 48 hours to propagate, though most take effect within minutes.

Understanding Results

How to Interpret Your Results

v=spf1 Prefix

The generated SPF record always starts with v=spf1, which identifies it as an SPF version 1 record. This is required and must be at the beginning.

include: Mechanism

Each include: mechanism authorizes a specific email service provider's servers to send on your behalf. For example, "include:_spf.google.com" allows all Google Workspace mail servers. The tool automatically adds the correct include value for each ESP you select.

ip4: and ip6: Mechanisms

The ip4: and ip6: mechanisms authorize specific IP addresses or ranges directly, without requiring a DNS lookup. These are useful for self-hosted mail servers or services that provide static IP ranges instead of include mechanisms.

Policy: ~all vs -all

~all (soft fail) marks unauthorized senders as suspicious but still delivers the email. -all (hard fail) instructs receivers to reject unauthorized email outright. ?all (neutral) effectively disables SPF enforcement and is not recommended.

DNS Lookup Limit

SPF records are limited to 10 DNS lookups: each "include," "a," "mx," "redirect," and "exists" mechanism counts as one lookup. If your record exceeds this limit, you will need to consolidate or flatten some mechanisms.

Learn More

What is an SPF Record?

An SPF (Sender Policy Framework) record is a type of DNS TXT record that defines which mail servers are authorized to send email on behalf of a specific domain. It is one of the foundational email authentication protocols, alongside DKIM and DMARC, and plays a critical role in preventing email spoofing and improving deliverability.

Here is how SPF works in practice: when someone sends an email from your domain, the receiving mail server looks up your domain's SPF record in DNS. It then compares the IP address of the server that sent the email against the list of authorized IPs and services in your SPF record. If the sending server matches, the SPF check passes. If it does not match, the result depends on your policy — soft fail (~all), hard fail (-all), or neutral (?all).

An SPF record is published as a TXT record on your domain's root (@ record) and follows a specific format. It always begins with "v=spf1" and contains a series of mechanisms that define authorized senders. The most common mechanisms include: include: to authorize third-party services, ip4: and ip6: to authorize specific IP addresses, a to authorize the domain's A record IP, and mx to authorize the domain's mail exchange servers.

One of the most common mistakes with SPF records is exceeding the 10 DNS lookup limit. The SPF specification (RFC 7208) restricts the number of mechanisms that require DNS lookups to prevent excessive DNS traffic. Each "include," "a," "mx," "redirect," and "exists" mechanism counts toward this limit. The "ip4," "ip6," and "all" mechanisms do not count because they do not require lookups. When the limit is exceeded, the entire SPF check fails with a "permerror," which is worse than having no SPF record at all.

Other common mistakes include having multiple SPF records on the same domain (only one is allowed), using the outdated SPF DNS record type instead of TXT, forgetting to include all sending services (which causes legitimate email to fail SPF), and using overly permissive mechanisms like "+all" that authorize everyone. A well-crafted SPF record should include exactly the services that need to send email as your domain — no more, no less — and end with either "~all" or "-all" to reject unauthorized senders.
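
The lookup limit and the other mistakes described above can be checked mechanically before a record is published. The following is an added example, not code from this page or from the generator tool: it lints SPF records held in a constructed in-memory zone (every domain name and record is made up), and counts the worst-case lookups across all include and redirect targets. It goes slightly beyond the page by also counting "ptr", which RFC 7208 lists among the lookup terms.

```python
# Constructed TXT data standing in for DNS (assumption) so this runs offline.
ZONE = {
    "ok.example": ["v=spf1 include:_spf.esp.example ip4:203.0.113.5 -all"],
    "_spf.esp.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "big.example": ["v=spf1 a mx include:a.example include:b.example include:c.example ~all"],
    **{d: ["v=spf1 a mx ~all"] for d in ("a.example", "b.example", "c.example")},
    "dup.example": ["v=spf1 mx -all", "v=spf1 ip4:203.0.113.5 +all"],
    "open.example": ["v=spf1 mx +all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4

def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records (version tag v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def parse(record):
    """Yield (qualifier, name, target) for each term after the version tag."""
    for raw in record.split()[1:]:
        qual, body = (raw[0], raw[1:]) if raw[0] in "+-~?" else ("+", raw)
        name, target = (body.replace("=", ":", 1).split(":", 1) + [""])[:2]
        yield qual, name.split("/")[0].lower(), target.split("/")[0].lower()

def count_lookups(domain, zone, seen=frozenset()):
    """Worst-case count of DNS-querying terms, following include/redirect."""
    recs = spf_records(domain, zone)
    if domain in seen or len(recs) != 1:
        return 0  # loops and broken targets are separate errors, not counted here
    total = 0
    for _, name, target in parse(recs[0]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, seen | {domain})
    return total

def lint(domain, zone=ZONE):
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return [f"permerror: {len(recs)} SPF records, only one is allowed"
                if recs else "none: no SPF record"]
    findings = []
    quals = {q for q, name, _ in parse(recs[0]) if name == "all"}
    if "+" in quals:
        findings.append("+all authorizes every sender")
    if not quals and not any(n == "redirect" for _, n, _ in parse(recs[0])):
        findings.append("no all mechanism: unlisted senders get neutral")
    if (n := count_lookups(domain, zone)) > 10:
        findings.append(f"permerror: {n} DNS lookups, limit is 10")
    return findings
```

A receiver stops evaluating at the first matching mechanism, so the real lookup count for a given message can be lower than this worst-case figure; a record that lints clean here stays within the limit for every sender.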

SPF works best in combination with DKIM and DMARC. While SPF verifies the sending server, DKIM verifies message integrity with a cryptographic signature, and DMARC ties them together with a policy for handling failures. Together, these three protocols provide robust protection against email spoofing and are now required by major mailbox providers for bulk email senders.

Common Questions

Frequently Asked Questions

What is an SPF record?

An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to verify the sending server is permitted. A valid SPF record helps prevent spammers from spoofing your domain and improves your email deliverability.

What does "include" mean in an SPF record?

The "include" mechanism in an SPF record tells receiving servers to also check the SPF record of another domain. This is how you authorize third-party email services to send on your behalf. For example, "include:_spf.google.com" authorizes Google Workspace servers, and "include:amazonses.com" authorizes Amazon SES. Each include adds the referenced domain's authorized IP ranges to your own.

Should I use -all or ~all?

The "-all" (hard fail) mechanism tells receiving servers to reject any email from servers not listed in your SPF record. The "~all" (soft fail) tells servers to accept the email but mark it as suspicious. For maximum security, use "-all" once you are confident your SPF record includes all legitimate sending sources. Use "~all" during initial setup or testing to avoid accidentally blocking legitimate email while you verify your configuration.

What happens if I have more than 10 DNS lookups?

The SPF specification (RFC 7208) limits SPF records to a maximum of 10 DNS lookup mechanisms (include, a, mx, redirect, exists). If your record exceeds this limit, receiving servers may return a "permerror" result and treat the SPF check as failed. To stay within the limit, remove unnecessary includes, replace include mechanisms with direct IP ranges (ip4/ip6) where possible, or use SPF flattening services.

Do I need SPF if I already have DKIM?

Yes. SPF and DKIM serve different but complementary purposes. SPF verifies that the sending server is authorized, while DKIM verifies the message integrity and provides a cryptographic signature. DMARC requires at least one of them to pass and align with the From domain, but having both provides the strongest protection. Major mailbox providers like Gmail and Yahoo now require both SPF and DKIM for bulk senders.
