SPF Record Generator

Generate SPF (Sender Policy Framework) records for your domain. Protect against email spoofing and improve deliverability.

Soft fail (~all) is recommended for most domains

About SPF Records

What is SPF? Sender Policy Framework is an email authentication protocol that helps prevent email spoofing

Why Use SPF? Protects your domain from being used in phishing attacks and improves email deliverability

DNS Lookup Limit: SPF records are limited to 10 DNS lookups. Use include wisely to avoid hitting this limit

Understanding SPF Records and Email Authentication

Sender Policy Framework (SPF) is a DNS-based email authentication standard that allows domain owners to specify which mail servers are authorized to send email on their behalf. Published as a TXT record in your domain's DNS zone, SPF records are checked by receiving mail servers when processing incoming email from your domain. When the sending server's IP address matches an authorized entry in your SPF record, authentication passes — helping establish your email as legitimate.

SPF addresses one of email's fundamental security weaknesses: anyone can claim to be sending from any domain. Without SPF, phishing attacks can use your domain name in the From address of malicious emails, damaging your reputation with recipients. SPF specifically validates the technical envelope-from address used during SMTP delivery, not the displayed From header.

An SPF record consists of a version indicator (v=spf1), authorization mechanisms (ip4, ip6, include, a, mx), and a qualifying directive (all). The -all directive tells receiving servers to reject email from unauthorized senders, while ~all marks it as suspicious without rejecting. Most security recommendations favor -all for maximum protection.

Building a Complete SPF Record

A complete SPF record must include all systems authorized to send email from your domain. This includes your primary mail server (via ip4 or a mechanism), your email service provider (via include: mechanism), and any third-party services like CRM systems, marketing automation platforms, transactional email services, or help desk software that send email using your domain.

The include: mechanism references SPF records published by third-party services. For Google Workspace, use include:_spf.google.com. For Microsoft 365, use include:spf.protection.outlook.com. For SendGrid, use include:sendgrid.net. Each include fetches that provider's SPF record and merges their authorized IPs into your evaluation chain.

SPF has a critical limitation: the 10 DNS lookup limit. Each include:, a, mx, and exists mechanism counts toward this limit, and exceeding it causes SPF evaluation to return permerror — equivalent to a failure. If you use many third-party email services, you may need to use SPF flattening to stay within the limit. Our generator counts your lookups in real-time as you add mechanisms.

SPF as Part of Complete Email Security

SPF alone is insufficient for comprehensive email authentication. It should be deployed alongside DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) for complete protection. SPF validates the sending server, DKIM validates message integrity via cryptographic signatures, and DMARC ties both together with a policy that tells receivers what to do when authentication fails.

DMARC alignment requires that SPF authentication aligns with the From header domain — meaning the domain in the envelope-from address that SPF checks must match or be a subdomain of the From header domain visible to recipients. This alignment requirement closes the loophole where SPF can pass for a different domain than the one displayed.

For email deliverability, all three authentication standards work together. Google, Yahoo, and Microsoft have all announced stricter enforcement of DMARC-aligned authentication for bulk senders, making SPF, DKIM, and DMARC requirements for inbox placement. Our SPF generator creates a properly formatted record as the foundation of your complete authentication setup.

Frequently Asked Questions