SPF Record Generator

Create complete, syntactically-valid DNS TXT SPF records client-side. Authorize servers, integrations, and default security fallback policies to shield your domain from abuse.

1. Domain Information

Entered domain helps format the registrar configuration guidelines below.

2. Core Server Authentication

3. Preconfigured Third-Party Senders

Select integrations currently used to dispatch newsletters, marketing, or workspace emails.

4. Custom IP Addresses & Domains

One IPv4 address or CIDR subnet per line.

One IPv6 address or subnet block per line.

One domain per line. (Requires recursive DNS lookup).

5. Fallback Default Policy

Compiled SPF Record
Valid SPF
DNS Lookups 2 / 10
Character Length 0 / 255
DNS Registrar Setup

Login to your DNS registrar dashboard (e.g., Cloudflare, GoDaddy, Namecheap, Route 53) and publish the following TXT record mapping:

Field
Value
Record Type
TXT
Host / Name
@ (or leave blank)
Value / Target
v=spf1 ...
TTL
3600 (or 1 hour)
💡 Pro Tip: You can only have one SPF record per domain. If a record already starts with v=spf1, edit it to append new hosts instead of creating an additional TXT cell.

Understanding Sender Policy Framework (SPF) Architecture

Sender Policy Framework (SPF) is a core email authentication standard designed to protect domains against spoofing, phishing, and brand exploitation. In the legacy SMTP protocol, outbound mail servers could easily forge the sender address inside the "From" header of an email. SPF counters this technical vulnerability by using your domain's public DNS to publish a TXT record that lists all authorized hostnames and IP addresses allowed to transmit outbound messages on behalf of your domain.

When a receiving mail exchanger accepts an incoming transmission, it reads the envelope sender address, extracts the domain name, and queries the domain's DNS for its active SPF policy. If the transmitting IP address of the sending server matches one of the authorized mechanisms listed inside the record, the server grants an SPF Pass. If it fails, receiving servers process the message based on the specified qualifier (Soft Fail or Hard Fail), either directing the mail to a spam filter or rejecting it completely.

SPF Record Syntax and Mechanism Breakdown

An SPF record consists of a prefix declaration followed by a sequence of mechanisms and qualifiers that determine authentication behavior.

Mechanism Description DNS Lookup Consumption
v=spf1 Declares the record version. Must always be placed at the very beginning of the record. 0 (Constant)
a Authorizes the IP address specified in the domain's primary A or AAAA records. 1 lookup
mx Authorizes all mail exchanger (MX) servers registered under the domain. 1 lookup
ip4: / ip6: Directly authorizes a specific IPv4 address, CIDR subnet, or IPv6 address block. 0 (Parsed locally)
include: Queries and evaluates the SPF record of an external third-party domain (e.g., Mailchimp). 1 lookup + recursive counts
exists: Executes a custom DNS A-record query check. Often used in advanced, dynamic enterprise setups. 1 lookup
all Matches any outbound sender address. Standard match mechanism placed at the end of the record. 0 (Fallback)

Qualifiers precede these mechanisms to define alignment matches: + represents Pass (default if omitted), - represents Hard Fail (reject immediately), ~ represents Soft Fail (mark as suspicious but accept), and ? represents Neutral (no active policy enforcement).

Before vs. After: Implementing SPF Records

The following examples demonstrate how adding an SPF record transitions your domain from an unprotected state to an authenticated posture.

Before: Unsecured Domain (No SPF Policy) 
; Querying TXT records for yourdomain.com
$ dig txt yourdomain.com +short
; [No record returned - Domain vulnerable to spoofing]

Without a published policy, receiving mail exchangers cannot verify if the outbound servers actually have permission to send, resulting in poor domain reputation.

After: Secure Domain (Configured SPF Policy) 
; Consolidated SPF DNS TXT record
yourdomain.com. IN TXT "v=spf1 a mx include:_spf.google.com ip4:192.168.1.100/24 ~all"

Receiving servers will accept emails originating from the domain's A, MX, Google Workspace, and the specified IP subnet, while soft-failing others.

SPF Configurations Across Different Enterprise Use Cases

Choosing the right configuration depends on the scale, structure, and transactional platforms of your email architecture.

Scenario Target Audience Recommended Policy String Reasoning
Standard Corporate Small business utilizing standard G-Suite or Microsoft Office tools only. v=spf1 include:_spf.google.com ~all Keeps the record lightweight, utilizes a soft fail safety qualifier, and limits the lookup count to exactly one.
E-Commerce & SaaS Dynamic applications sending high-volume transactional notifications via SendGrid/Mailgun. v=spf1 a mx include:sendgrid.net include:servers.mcsv.net ~all Authorizes transaction relays and newsletter engines while preserving standard web and MX IP routes.
Large Enterprise Organizations with extensive networks, local office subnets, and multiple external providers. v=spf1 ip4:10.50.0.0/16 include:spf.protection.outlook.com -all Secures dedicated office subnet blocks, uses hard fail for high-integrity lockdown, and manages DNS lookup limits strictly.

Troubleshooting Common SPF Pitfalls & PermErrors

Implementing SPF can trigger deliverability failures if the DNS record violates strict internet specifications. Here is how to diagnose and resolve the most common errors:

Issue 1: PermError - Exceeded the 10 DNS Lookup Limit

Symptoms: Receiving mail servers ignore your SPF record completely, and diagnostics show a PermError.
Fix: Replace domain-based include: mechanisms with raw ip4: or ip6: addresses. Remove unused services, avoid using the deprecated ptr mechanism, and ensure you do not use redundant includes.

Issue 2: Multiple SPF TXT Records on the Root Domain

Symptoms: You have added a new TXT record for a third-party tool, but email headers show validation failed.
Fix: Delete the secondary record and merge its elements into a single record. For example, combine v=spf1 include:_spf.google.com ~all and v=spf1 include:sendgrid.net ~all into v=spf1 include:_spf.google.com include:sendgrid.net ~all.

Issue 3: Character Truncation (Exceeding the 255 Character Limit)

Symptoms: The DNS registrar cuts off the tail end of your record, resulting in an unclosed or broken syntax string.
Fix: Standard DNS TXT records can be split into multiple quoted strings within a single TXT record entry, like "v=spf1 ... first-part" " second-part ~all". Alternatively, delegate sub-records to subdomains to shorten your root policy.

Best Practices for Hardening Domain Security

  • Audit Subnets Strictly: Never authorize entire classful blocks like ip4:128.0.0.0/8. Restrict whitelists to the exact IP blocks utilized by your primary mailers.
  • Implement in Tandem with DKIM and DMARC: SPF alone cannot prevent attackers from spoofing the visible "From" address. You must pair SPF with a cryptographic DKIM signature and a matching DMARC policy.
  • Schedule Quarterly Audits: Keep track of marketing integrations. If your organization changes CRM providers or newsletter services, remove the corresponding legacy SPF include immediately to keep the record clean.
  • Keep Lookup Counts in Check: Utilize our tool's built-in live lookup counter. Make sure your lookup count stays well below the critical 10-lookup threshold to accommodate changes in third-party SPF records.

Frequently Asked Questions

What is an SPF record and how does it secure email sender domains?

An SPF (Sender Policy Framework) record is an industry-standard DNS TXT record that establishes an authoritative list of mail servers, IP addresses, and hostnames authorized to send outbound emails on behalf of a specific domain name. When an email is dispatched, receiving mail servers query the DNS records of the sender's domain to match the sending server's IP address against the published SPF policy. If the sender's IP matches one of the authorized entries, the verification passes, which dramatically increases trust. Otherwise, the message is subjected to spam classification or outright rejection, thereby protecting the domain name from phishing and brand spoofing attacks.

Why is the 10 DNS lookup limit in SPF records so critical, and how can it be avoided?

The Sender Policy Framework specification (defined in RFC 7208) enforces a strict limit of 10 recursive DNS lookups that receiving servers can perform when evaluating an SPF record. Directives like a, mx, include, and exists trigger query lookups and count directly against this 10-lookup threshold, whereas ip4 and ip6 mechanisms are parsed locally from the record and do not consume any lookups. Exceeding this limit triggers an immediate validation failure known as a PermError, causing receiving mail servers to disregard the entire SPF policy and flag or block your messages. Developers can mitigate this limit by flattening their records—replacing third-party domains with direct IP address subnets—or auditing and removing legacy includes that are no longer utilized by their organization.

How do the SPF qualifiers ~all, -all, and ?all differ, and which should I deploy?

SPF qualifiers define how receiving email servers should handle messages that originate from servers not explicitly listed in the SPF record. The Soft Fail (~all) qualifier is highly recommended for most production environments; it instructs receiving servers to accept the email but tag it as suspicious or direct it to the spam folder, allowing developers to monitor deliverability without risk of outright message loss. The Hard Fail (-all) qualifier enforces a strict lockout policy, instructing mail systems to reject unauthorized messages completely, which offers maximum security but can block legitimate emails if a vendor include is missing. The Neutral (?all) qualifier treats unauthorized senders without any active policy instruction, which is functionally equivalent to having no SPF record active and provides no security value.

Can I publish multiple SPF records on a single domain, and what happens if I do?

Under standard RFC regulations, a domain name must never publish more than a single SPF record within its DNS configuration. If a domain publishes multiple TXT records that begin with the v=spf1 identifier, receiving mail servers will immediately fail the validation check with a PermError and reject or mark all outbound emails as spam. To authorize multiple third-party email platforms or custom server networks, developers must consolidate all required IP mechanisms and includes into a single, unified SPF record string. Consolidating all mechanisms into a single record guarantees that the parsing engine of the receiving server evaluates the entire authorization policy sequentially in one single transaction.

What is SPF record flattening, and what are the security risks associated with it?

SPF record flattening is a technical optimization process where domain names inside include: or mx directives are programmatically resolved to their actual IPv4 and IPv6 subnets, which are then written directly into a single consolidated record. While this process successfully bypasses the strict 10-DNS lookup limit by converting query-intensive directives into zero-lookup IP mechanisms, it introduces significant long-term maintenance and security risks. Because external SaaS and ESP networks frequently modify or expand their sending IP ranges, a static flattened record will quickly become obsolete, blocking legitimate company mailings. Additionally, manual flattening can accidentally whitelist large, shared IP pools, increasing the risk of security vulnerabilities if other tenants on those shared services abuse the system.

Why does the SPF specification deprecate the ptr mechanism, and what should be used instead?

The ptr mechanism in SPF performs a reverse DNS lookup on the sending server's IP address to find the corresponding hostnames, and then performs a forward lookup on those hostnames to verify they match the domain. This process is highly deprecated (as of RFC 7208) because it places an enormous processing burden on receiving mail servers, requiring multiple slow DNS round-trips, and is highly prone to failures due to misconfigured reverse DNS settings at internet service providers. Furthermore, attackers can easily abuse reverse DNS delegations to forge hostnames, rendering the mechanism highly insecure. Domain administrators must completely avoid ptr entries and instead utilize specific ip4, ip6, or include directives to securely authorize their outbound email platforms.

How do SPF, DKIM, and DMARC work together to enforce comprehensive email security?

SPF, DKIM, and DMARC form a three-layered defensive framework that guarantees the security, integrity, and authenticity of domain email communications. SPF validates that the transmitting mail server's IP address is authorized by the domain owner, while DKIM (DomainKeys Identified Mail) uses public-key cryptography to add an immutable digital signature to the email header, proving that the content was not altered in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) acts as the governance layer; it requires alignment between the domains validated by SPF/DKIM and the visible From address, and specifies how receiving servers must handle failures while sending structured XML aggregate reports back to the domain administrator for monitoring.

🌐 Network, DNS & JSON Utilities

🔗 URL Parser

Audit, parse, and edit URL query parameters and schemes dynamically.
💻 User Agent Parser

Decode browser user agent strings to identify layout engines and OS details.
🚀 cURL Generator

Generate clean HTTP request curl command payloads for local terminal execution.
📧 SPF Generator

Construct TXT SPF domain authorization records to validate outbound server IPs.
🛡️ DMARC Generator

Generate domain policies and reporting frameworks to block malicious spoofing.
🔍 JSONPath Evaluator

Filter, parse, and extract specific nodes from nested JSON data tree graphs.