Skip to content
🔐Security ScannerPopular·📊Traffic AnalyzerNew·🌐DNS LookupPopular·🔑Password GeneratorPopular·📋JSON FormatterTrending·🔍SSL CheckerPopular·🛡️Phishing CheckerNew·💱Currency ConverterTrending·📧DMARC CheckerPopular·🖼️Image CompressorTrending·📱QR Code GeneratorPopular·🔗Domain ScannerNew·
ToolZilla

SPF RecordGenerator

Build a valid SPF DNS TXT record by adding IP addresses, include domains, and policy mechanisms — with live lookup counting and character warnings.

Configuration

For display purposes — SPF is published at the root of this domain.

One IP or CIDR range per line. Added as ip4: mechanisms.

One IP or prefix per line. Added as ip6: mechanisms.

One domain per line. Each counts as 1 DNS lookup.

If set, SPF evaluation is redirected to this domain's SPF record instead of using an -all mechanism.

Generated SPF Record

Record TypeTXT
Record Value
v=spf1 -all
0 / 10 DNS lookups used
11 characters

Within single TXT string limit (255).

Implementation Steps

  1. Log in to your DNS provider for example.com.
  2. Create (or update) a TXT record at the root of the domain — no subdomain prefix needed.
  3. Paste the record value shown above as the TXT content.
  4. Make sure there is only one SPF TXT record for the domain. If an existing one is present, merge the mechanisms into a single record.
  5. Wait for DNS propagation, then verify using an SPF checker tool (e.g. our SPF Record Checker).
  6. Monitor DMARC aggregate reports to confirm that legitimate senders pass SPF authentication.

Frequently Asked Questions

What is SPF and why do I need it?

SPF (Sender Policy Framework) is an email authentication method that specifies which mail servers are allowed to send email on behalf of your domain. Receiving servers check the SPF record in DNS to verify the sender. Without SPF, spoofed emails can easily impersonate your domain.

What is the 10-lookup limit?

The SPF specification (RFC 7208) limits the number of DNS lookups during SPF evaluation to 10. Each 'include', 'a', 'mx', 'ptr', and 'redirect' mechanism counts as one lookup. Exceeding 10 causes a permanent error (permerror), which means SPF fails for all messages.

What is the difference between -all, ~all, and ?all?

'-all' (hard fail) rejects messages from unlisted senders. '~all' (soft fail) marks them as suspicious but usually still delivers. '?all' (neutral) makes no assertion. Most organisations should use '-all' for strict protection or '~all' during initial rollout.

Why is there a 255-character limit on TXT records?

A single DNS TXT string can be at most 255 characters. If your SPF record is longer, it must be split into multiple strings within the same TXT record. Most DNS providers handle this automatically, but it is good to be aware of the limit.

Can I have more than one SPF record?

No. A domain must have exactly one SPF TXT record (starting with 'v=spf1'). Having multiple SPF records causes a permanent error. If you need to authorise multiple senders, combine them into a single record using include: mechanisms.

Complete Guide: How to Use the SPF Record Generator

Generate correct SPF records for your domain by selecting your email providers and authorized sending IPs. Our wizard-style generator builds the SPF TXT record automatically, ensures you stay under the 10-lookup limit, and provides the exact DNS record to publish.

Step-by-Step Instructions

  1. 1

    Select your email providers

    Choose the email services that send email on behalf of your domain: Google Workspace, Microsoft 365, SendGrid, Mailchimp, Amazon SES, and more.

  2. 2

    Add custom IPs (optional)

    If you have dedicated mail servers, add their IPv4 or IPv6 addresses as authorized senders.

  3. 3

    Choose the enforcement level

    Select your 'all' mechanism: -all (hard fail = reject unauthorized), ~all (soft fail = mark as spam), or ?all (neutral = no action).

  4. 4

    Copy the generated record

    Copy the complete SPF TXT record and publish it in your domain's DNS. The tool shows the exact record name and value.

Common Use Cases

  • New domain setup — create an SPF record from scratch when setting up email
  • Email service migration — regenerate SPF after adding or removing email providers
  • Security hardening — upgrade from ~all (soft fail) to -all (hard fail) for stronger protection
  • Multi-provider — build an SPF record that authorizes multiple email services correctly
  • Troubleshooting — regenerate a correct SPF record to fix syntax errors in existing ones
  • Documentation — generate SPF records as part of email infrastructure planning

Pro Tips

💡Start with ~all (soft fail) during initial setup. Once you've confirmed all legitimate email passes SPF, switch to -all (hard fail).
💡Each email provider 'include' uses 1+ DNS lookups. Monitor your total to stay under the 10-lookup limit.
💡If you exceed 10 lookups, consider using SPF flattening — replacing 'include' mechanisms with direct 'ip4' ranges.
💡Publish the SPF record as a TXT record on your root domain (@ or blank name), not on a subdomain.

Related Tools

🔍

Website Security Scanner

Scan a website for security headers, HTTPS config, cookie flags, and common vulnerabilities.

🕵️

Domain Intelligence Scanner

Full domain recon — WHOIS age, DNS records, SSL status, security headers, tech stack detection.

🚀

Load Testing

Stress test any website with up to 200 virtual users. Get latency, throughput, error rates and a full downloadable report.

📡

Web Traffic Analyzer

Deep-scan any website — detect technologies, audit SEO, check performance, security headers, DNS, accessibility and content analytics.