Crawlsonar

SPF Generator

Build a single, valid SPF record from your mail sources — with a live count against the 10-DNS-lookup limit so you don’t break SPF.

2/10 DNS lookups
v=spf1 mx include:_spf.google.com -all

Publish this as a single TXT record at your domain apex, then validate with the SPF Checker. Keep to one SPF record and under 10 lookups.

What SPF is (and why deliverability depends on it)

SPF (Sender Policy Framework) is a single DNS TXT record that lists which servers are allowed to send email for your domain. When a receiver gets a message claiming to be from you, it checks the sending server against your SPF record — if it’s not authorised, the mail looks like spoofing and is far more likely to be rejected or spam-foldered. Since 2024, Gmail and Yahoo requireSPF for bulk senders, so a valid record isn’t optional if you want to reach the inbox. This generator builds one valid record ending in a singleall mechanism, and counts your DNS lookups live so you stay compliant.

Every option, explained

Include your own servers: a and mx

  • a — authorises the IPs your domain’s A/AAAA records point to. Enable if you send mail from the same server your website runs on.
  • mx — authorises the servers listed in your MX records. Enable if your inbound mail servers also send outbound mail. Each of these costs one of your 10 DNS lookups.

Fixed IPs: ip4 and ip6

List the exact IPv4/IPv6 addresses of any servers that send as you (a marketing box, an on-prem relay). Prefer these where you canip4:/ip6:mechanisms cost zeroDNS lookups, so they’re the cheapest way to stay under the limit.

Third-party senders: include

Add an include: for every service that sends on your behalf — _spf.google.com(Google Workspace), sendgrid.net, spf.protection.outlook.com, Mailchimp, and so on. Each include triggers a DNS lookup (and can nest more), so this is where the 10-lookup limit gets used up fastest.

The final rule: -all vs ~all vs ?all

  • -all (hard fail) — receivers should reject anything not listed. The strongest anti-spoofing setting; use it once every legitimate sender is included.
  • ~all (soft fail) — accept but mark as suspicious. A safe setting while testing and watching DMARC reports.
  • ?all (neutral) — no opinion. Weak; only for early rollout.
  • +all — authorises the entire internet. Never use this — it defeats SPF completely.

The two rules that break SPF

  • Exactly one SPF record. Two v=spf1 TXT records make SPF PermError and fail for all your mail — merge them into one.
  • Ten DNS lookups maximum. Over the limit, SPF is ignored. Reduce includes, flatten to fixed IPs, or drop unused services. This tool shows your live lookup count.

Related tools & guides

Frequently asked questions

How do I keep SPF under the 10-lookup limit?

Use ip4:/ip6: for fixed IPs (they cost no lookups), remove unused sources, and the tool counts your lookups live as you build the record.

Should the record end with -all or ~all?

-all (hard fail) once you're sure every sender is listed; ~all (soft fail) while testing.