SPF Generator
Build a single, valid SPF record from your mail sources — with a live count against the 10-DNS-lookup limit so you don’t break SPF.
v=spf1 mx include:_spf.google.com -all
Publish this as a single TXT record at your domain apex, then validate with the SPF Checker. Keep to one SPF record and under 10 lookups.
What SPF is (and why deliverability depends on it)
SPF (Sender Policy Framework) is a single DNS TXT record that lists which servers are allowed to send email for your domain. When a receiver gets a message claiming to be from you, it checks the sending server against your SPF record — if it’s not authorised, the mail looks like spoofing and is far more likely to be rejected or spam-foldered. Since 2024, Gmail and Yahoo requireSPF for bulk senders, so a valid record isn’t optional if you want to reach the inbox. This generator builds one valid record ending in a singleall mechanism, and counts your DNS lookups live so you stay compliant.
Every option, explained
Include your own servers: a and mx
- a — authorises the IPs your domain’s A/AAAA records point to. Enable if you send mail from the same server your website runs on.
- mx — authorises the servers listed in your MX records. Enable if your inbound mail servers also send outbound mail. Each of these costs one of your 10 DNS lookups.
Fixed IPs: ip4 and ip6
List the exact IPv4/IPv6 addresses of any servers that send as you (a marketing box, an on-prem relay). Prefer these where you can — ip4:/ip6:mechanisms cost zeroDNS lookups, so they’re the cheapest way to stay under the limit.
Third-party senders: include
Add an include: for every service that sends on your behalf — _spf.google.com(Google Workspace), sendgrid.net, spf.protection.outlook.com, Mailchimp, and so on. Each include triggers a DNS lookup (and can nest more), so this is where the 10-lookup limit gets used up fastest.
The final rule: -all vs ~all vs ?all
-all(hard fail) — receivers should reject anything not listed. The strongest anti-spoofing setting; use it once every legitimate sender is included.~all(soft fail) — accept but mark as suspicious. A safe setting while testing and watching DMARC reports.?all(neutral) — no opinion. Weak; only for early rollout.+all— authorises the entire internet. Never use this — it defeats SPF completely.
The two rules that break SPF
- Exactly one SPF record. Two
v=spf1TXT records make SPFPermErrorand fail for all your mail — merge them into one. - Ten DNS lookups maximum. Over the limit, SPF is ignored. Reduce includes, flatten to fixed IPs, or drop unused services. This tool shows your live lookup count.
Related tools & guides
- SPF Checker — validate the record and its lookup count after publishing.
- DMARC Generator and Email Deliverability Test.
- Guide: fix multiple SPF records & the 10-lookup limit.
Frequently asked questions
▸ ▾ How do I keep SPF under the 10-lookup limit?
Use ip4:/ip6: for fixed IPs (they cost no lookups), remove unused sources, and the tool counts your lookups live as you build the record.
▸ ▾ Should the record end with -all or ~all?
-all (hard fail) once you're sure every sender is listed; ~all (soft fail) while testing.