wiredepth


SPF record generator

Pick the services that send mail on your behalf and get a syntactically correct SPF record you can paste into the apex TXT record. A real-time DNS-lookup counter tells you before you publish whether you'll trip the RFC 7208 10-lookup cap.

Pick the services that send mail on your behalf

One include: directive per service. Each costs at least one DNS lookup against the SPF cap: the include itself, plus whatever a, mx, or nested include lookups sit inside the provider's own record.

Advanced (optional)

-all is the right answer once your senders are settled: it tells receivers to reject everything that didn't match a mechanism above. ~all is the softer setting for the cutover phase, while you're still discovering who sends on your behalf.

Your SPF record

v=spf1 include:_spf.google.com -all
DNS lookups: 1 / 10

Where it goes: create a TXT record at the apex of your domain (e.g. example.com, with name @). One SPF record per name: if a v=spf1 TXT already exists there, merge this record's mechanisms into it; never publish two. If a service sends with its own subdomain in the envelope (a bounce or return-path subdomain), that subdomain needs its own SPF record too.
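The two publishing rules above (one record per name, merge rather than add) are easy to get wrong by hand. As an added example, not the generator's own code, here is a small Python module that builds a record from ticked services and merges new tokens into an existing record while keeping the all terminator last and refusing +all. The service-to-include mapping and the existing records are constructed for illustration; only _spf.google.com appears on this page, the other include target is an assumption.

```python
"""Build an SPF record from a list of sending services, or merge new
tokens into a record that already exists at the apex.

Added example for this page, not the generator's own code.
"""

# Hypothetical checkbox label -> include: token. Only _spf.google.com is
# taken from this page; the Microsoft entry is an assumption for the demo.
SERVICES = {
    "Google Workspace": "include:_spf.google.com",
    "Microsoft 365": "include:spf.protection.outlook.com",
}

# +all is deliberately not offered: it authorises every host on the internet.
TERMINATORS = {"-all", "~all", "?all"}


def _is_all(token):
    """True for 'all' with any qualifier (+all, -all, ~all, ?all, all)."""
    return token.lstrip("+-~?").lower() == "all"


def build_record(services, terminator="-all", extra_tokens=()):
    """Generate a fresh v=spf1 record: one include: per service, optional
    ip4:/ip6: literals, then the terminator. Duplicates are dropped."""
    if terminator not in TERMINATORS:
        raise ValueError(f"refusing to publish {terminator}")
    unknown = [s for s in services if s not in SERVICES]
    if unknown:
        raise KeyError(f"unknown service(s): {unknown}")
    tokens = ["v=spf1"]
    for tok in [SERVICES[s] for s in services] + list(extra_tokens):
        if tok not in tokens:
            tokens.append(tok)
    tokens.append(terminator)
    return " ".join(tokens)


def merge_record(existing, new_tokens, terminator=None):
    """Merge mechanisms into an existing SPF record instead of publishing a
    second TXT. Keeps the existing terminator unless a new one is given,
    drops duplicate tokens, and keeps 'all' as the last mechanism."""
    parts = existing.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    body, old_terminator = [], None
    for tok in parts[1:]:
        if _is_all(tok):
            if old_terminator is not None:
                raise ValueError("record already carries two 'all' mechanisms")
            old_terminator = tok      # re-appended at the end
            continue
        if tok not in body:
            body.append(tok)
    for tok in new_tokens:
        if tok not in body:
            body.append(tok)
    final = terminator or old_terminator or "~all"
    if final not in TERMINATORS:   # catches +all and bare 'all'
        raise ValueError(f"refusing to publish {final}")
    return " ".join(["v=spf1", *body, final])
```

merge_record is what you want when the zone already has a v=spf1 TXT: paste the existing value in, pass the generator's tokens as new_tokens, and publish the single returned string in place of the old record.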

Verify after publishing: run the DMARC checker (it surfaces SPF as part of the same report) or paste the new record into the SPF raw validator.

What this tool checks

What an SPF record does: tells receiving mail servers which IPs (or named services, via include:) are authorised to send mail with your domain in the SMTP envelope (MAIL FROM, or HELO/EHLO when MAIL FROM is empty). A receiver does an SPF check, finds your record in that domain's TXT, walks the mechanisms left to right, stops at the first match, and returns a result: pass for a listed sender, and for everything else whatever your terminator says: fail (-all), softfail (~all), or neutral (?all). What the receiver does with that result is its own policy: most reject or quarantine on fail and at most mark the message on softfail, and under DMARC anything other than an aligned pass counts as an SPF failure.

The 10-lookup cap: RFC 7208 limits an SPF evaluation to 10 DNS lookups. Every include:, a, mx, ptr, and exists mechanism counts, as does a redirect= modifier; ip4: and ip6: do not. The count is recursive: lookups inside an included record count against the same cap, so one include: can cost several. Cross the cap and receivers return permerror, which for authentication purposes is essentially the same outcome as not having SPF at all. Our counter shows the running total as you tick boxes; once you breach 10 the generator points you at the SPF flattener, which collapses includes into raw ip4: / ip6: entries.

One record per domain: publishing two v=spf1 TXT records on the same name makes receivers return permerror for the whole domain. If you already have an SPF record, merge the include: tokens from this generator into the existing one rather than adding a second TXT.
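To make the two failure modes above concrete (the recursive lookup count and the two-records permerror), here is an added Python example, not the generator's code, that walks an SPF record the way a receiver does: it counts lookups across include: and redirect= recursion, returns pass/fail/softfail/neutral from the first matching mechanism, and raises permerror on a breached cap or a duplicate record. DNS is replaced by a constructed in-memory zone so it runs offline; every name and address in it is made up (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24 and 2001:db8::/32 are documentation ranges). Macros, CIDR suffixes on a/mx, and ptr/exists matching are not implemented here; ptr and exists are counted but never match.

```python
"""Receiver-side SPF walk with RFC 7208 lookup counting.
Added example for this page; the ZONE below is constructed, not real DNS."""
import ipaddress

MAX_LOOKUPS = 10
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone: name -> {"TXT": [...], "A": [...], "MX": [...]}
ZONE = {
    "example.com": {"TXT": ["v=spf1 include:_spf.mail.example -all"], "A": ["203.0.113.10"]},
    "_spf.mail.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 include:_nb1.mail.example "
                                  "include:_nb2.mail.example ~all"]},
    "_nb1.mail.example": {"TXT": ["v=spf1 ip6:2001:db8::/32 -all"]},
    "_nb2.mail.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    # Two SPF records on one name: must be permerror.
    "broken.example": {"TXT": ["v=spf1 ip4:203.0.113.5 -all",
                               "v=spf1 include:_spf.mail.example -all"]},
    # An include chain long enough to breach the cap (hop0 -> ... -> hop12).
    **{f"hop{i}.example": {"TXT": [f"v=spf1 include:hop{i + 1}.example -all"]} for i in range(12)},
    "hop12.example": {"TXT": ["v=spf1 -all"]},
}


class PermError(Exception):
    pass


def spf_record(name):
    """The single SPF record for a name: two is a permerror, none returns None."""
    txts = ZONE.get(name, {}).get("TXT", [])
    spf = [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(spf) > 1:
        raise PermError(f"{name}: multiple SPF records")
    return spf[0] if spf else None


def _count(counter, what):
    """One DNS lookup against the shared cap; the 11th is a permerror."""
    counter[0] += 1
    if counter[0] > MAX_LOOKUPS:
        raise PermError(f"lookup cap exceeded at {what}")


def _addrs(name):
    return [ipaddress.ip_address(a) for a in ZONE.get(name, {}).get("A", [])]


def _evaluate(domain, ip, counter):
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]        # only used if nothing matches
            continue
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6"):                  # no lookup; version mismatch is no match
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qual]
        elif mech == "include":
            _count(counter, term)
            sub = _evaluate(arg, ip, counter)       # include matches only on pass
            if sub == "none":
                raise PermError(f"include:{arg} has no SPF record")
            if sub == "pass":
                return QUALIFIER[qual]
        elif mech == "a":
            _count(counter, term)
            if ip in _addrs(arg or domain):
                return QUALIFIER[qual]
        elif mech == "mx":
            _count(counter, term)
            if any(ip in _addrs(host) for host in ZONE.get(arg or domain, {}).get("MX", [])):
                return QUALIFIER[qual]
        elif mech in ("ptr", "exists"):
            _count(counter, term)                   # counted, never matched in this example
        else:
            raise PermError(f"unsupported mechanism {term}")
    if redirect:
        _count(counter, "redirect=" + redirect)
        sub = _evaluate(redirect, ip, counter)
        if sub == "none":
            raise PermError(f"redirect={redirect} has no SPF record")
        return sub
    return "neutral"                                # nothing matched, no all, no redirect


def check(domain, ip):
    """Return (result, lookups_used). result is pass, fail, softfail,
    neutral, none, or permerror; the counter is shared across recursion."""
    counter = [0]
    try:
        return _evaluate(domain, ipaddress.ip_address(ip), counter), counter[0]
    except PermError:
        return "permerror", counter[0]
```

Note how example.com's own record contains a single include: but a miss costs three lookups, because the nested includes inside _spf.mail.example are charged to the same evaluation; that is the gap between "includes you ticked" and "lookups the receiver performs".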

How to read the results

-all = reject anything not explicitly listed. Right answer in steady state. Pair with DMARC p=reject and you have the strongest authentication posture.

~all = soft-fail. Receivers accept but mark the message (often delivered to spam). Useful as a cutover phase while you're still discovering all the things that send on your behalf: typically two weeks at ~all, then flip to -all once your DMARC aggregate reports confirm no legitimate sender is being marked.

?all = neutral. Receivers accept and do nothing special. Rarely the right answer; almost always a misconfiguration. +all means "trust everyone": never publish this; it tells the world anyone can spoof your domain.

Frequently asked questions

Do I need an SPF record if I have DMARC?

Yes. DMARC authenticates nothing by itself: it asks the receiver to evaluate SPF and DKIM and passes if at least one of them passes and aligns with the visible From: domain. Without SPF (and DKIM) DMARC has no signal to evaluate, so the message ends up dmarc=fail even with a strong policy. SPF also covers mail that isn't DKIM-signed, and DKIM survives forwarding where SPF does not, so the two complement each other.

What if my senders change?

Regenerate. SPF is a snapshot of who you authorise; every time you onboard a new ESP or marketing tool you update the record. The generator shows you the new full record - paste it in to replace the old TXT.

Why does the generator show a DNS lookup count?

Because crossing 10 silently breaks SPF on every receiving server. The counter is the single most-needed feature in an SPF generator and the one most missing in competing tools. Right number now = no surprise permerror six months from now.

Should I include MX or A?

Almost always no. mx authorises the hosts that receive your mail to also send as you, which is only correct when those same hosts relay your outbound mail (self-hosted setups). a authorises the addresses behind your domain's A records, usually a web server, which is even less often correct. Both cost DNS lookups against the cap, and mx can trigger one address lookup per MX host on top. Stick to explicit include: and ip4:/ip6: tokens.

How do I roll this out safely?

Publish at ~all first. Watch DMARC aggregate reports (rua=) for two weeks: if anything legitimate is failing SPF, the report shows the source IP and the message count per receiver. Add an include: or ip4: for it, regenerate, republish. Sources that fail SPF but pass aligned DKIM are usually forwarders; leave them alone, DMARC already passes for them. Once nothing legitimate is failing, switch the terminator to -all.
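The rollout step above depends on reading the aggregate reports correctly, so here is an added Python example (not the DMARC checker's code) that parses a rua report, aggregates the rows where DMARC's SPF check failed by source IP, and separates the ones that also fail DKIM (candidates for a new include:/ip4: token, if they are yours) from the SPF-fail-but-DKIM-pass ones that are typically forwarders. The report is constructed in the RFC 7489 appendix C layout with documentation IPs; org names and domains are made up.

```python
"""List SPF-failing sources from a DMARC aggregate report.
Added example for this page; SAMPLE_REPORT is constructed, not a real report."""
# Aggregate reports arrive as attachments from third parties: parse real ones
# with defusedxml. The stdlib parser is fine for this constructed sample.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.33</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def spf_failures(report_xml):
    """Rows where DMARC's (aligned) SPF check failed, aggregated per source IP
    and sorted by volume. dkim_pass says whether aligned DKIM still carried
    the message; spf_domains shows which envelope domain the raw SPF check
    actually ran against (a forwarder's domain is the usual giveaway)."""
    root = ET.fromstring(report_xml)
    totals = defaultdict(lambda: {"count": 0, "dkim_pass": False, "spf_domains": set()})
    for rec in root.iter("record"):
        row = rec.find("row")
        if row.find("policy_evaluated/spf").text != "fail":
            continue
        entry = totals[row.find("source_ip").text]
        entry["count"] += int(row.find("count").text)
        entry["dkim_pass"] |= row.find("policy_evaluated/dkim").text == "pass"
        for spf in rec.iterfind("auth_results/spf"):
            entry["spf_domains"].add(spf.find("domain").text)
    return sorted(({"ip": ip, **v} for ip, v in totals.items()),
                  key=lambda e: e["count"], reverse=True)


def candidates_for_spf(report_xml):
    """Source IPs failing both SPF and DKIM. If one of these is a system you
    own, it needs an include:/ip4: token before the flip to -all; if not,
    it is spoofing and -all is doing its job."""
    return [e["ip"] for e in spf_failures(report_xml) if not e["dkim_pass"]]
```

Run candidates_for_spf over each report you receive during the ~all window; when the list contains nothing you recognise as your own, the record is complete and -all is safe.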
