SPF Record Generator

Build a correct SPF record in seconds: tick the services that send email as your domain, add any of your own servers, pick the failure policy, and copy the finished TXT record. Generated entirely in your browser — nothing is sent to us.

1. Which services send email as your domain?

Find it in your provider's "authenticate your domain" docs; enter just the hostname.

2. Your own mail servers (optional)

3. What should happen to mail from anyone else?

Start with ~all; tighten to -all after a few weeks once DMARC reports confirm every legitimate sender is listed.

Your SPF record

Publish as a TXT record at the root of your domain (host/name @). One SPF record per domain — if one already exists, merge, don't add.

v=spf1 ~all
Verify after publishing →

What is an SPF record?

SPF (Sender Policy Framework, RFC 7208) is a DNS TXT record that lists every server allowed to send email using your domain. Receiving servers look it up on every message: mail from a listed source passes; mail from anywhere else is handled according to your all policy. Together with DKIM and DMARC it is one of the three authentication checks that Google, Yahoo and Microsoft now require from bulk senders.

Rules this generator enforces for you

  • One record only — multiple SPF records are a permanent error (permerror); merge instead of adding.
  • The 10-DNS-lookup limit — every include, a and mx term costs lookups; exceed 10 and SPF breaks. The counter below the record warns you as you approach it.
  • Policy order — mechanisms first, the all qualifier last.

After you publish

DNS changes take minutes to a few hours to propagate. Then verify with the sender compliance checker (which also checks DKIM and DMARC), and consider free monitoring so you are emailed if the record ever changes or disappears.

Frequently asked questions

I already have an SPF record. Can I just add this one?

No — two SPF records is an automatic permanent error. Take your existing record and add the new mechanisms into it (everything between v=spf1 and the all term), keeping a single record.

Why does the lookup count matter?

Receivers stop evaluating after 10 DNS lookups and return a permerror, which DMARC treats as an SPF failure. Each include:, a, mx, exists: and redirect= costs at least one lookup — and includes can nest. If you are close to the limit, remove services you no longer use.

Does SPF alone stop spoofing?

No. SPF checks the envelope sender, which recipients never see, and it breaks on forwarding. You need DKIM and a DMARC policy for From:-address protection — generate the DMARC record here.

Last reviewed: Reviewed by the

How this tool works: This tool runs in your browser and on our server in real time. Depending on the tool, results are computed directly from the input you provide or retrieved from live, authoritative data sources at the moment you run a lookup. We do not sell your data, and your lookups are kept private — any history shown here is stored only on your device.

Related Tools

Explore these related tools to get more insights and complete your analysis:

IP Lookup

Enter any IP address to instantly find its geographic location, ISP, hostname, and organization. Our IP lookup tool provides accurate geolocation data worldw...

DNS Lookup

Check DNS records for any domain instantly. Our free DNS lookup tool queries authoritative nameservers to show A, AAAA, MX, TXT, NS, SOA, and CNAME records.

WHOIS Lookup

Look up WHOIS data for any domain to see registration details, nameservers, registrar information, creation and expiration dates, and contact information.

SSL Certificate Checker

Check any website's SSL/TLS certificate. View expiration date, issuer, certificate chain, supported protocols, and get a security grade with recommendations.

Port Scanner

Scan any host to discover open ports and identify running services. Essential for security audits, firewall testing, and network troubleshooting.