Free Tool - No Signup Required
SPF Record Generator
Build a valid SPF record for your domain in seconds. Add your mail servers, third-party senders, and choose your policy.
Basic Settings
Authorized Senders
No senders added yet. Use the buttons below or Quick Add above.
Policy (How to handle unauthorized senders)
Your SPF Record
0/10 DNS lookups11/255 chars
v=spf1 ~all
How to add this record:
- Log in to your DNS provider (Cloudflare, Route 53, GoDaddy, etc.)
- Add a new TXT record for your domain (host:
@) - Paste the SPF record above as the value
- Save and wait for DNS propagation (typically 5-60 minutes)
Frequently Asked Questions
What is an SPF record?
SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. Receiving mail servers check the SPF record to verify the sender is legitimate.
What is the 10 DNS lookup limit?
SPF records are limited to 10 DNS lookups total. Each "include", "a", "mx", "exists", and "redirect" mechanism counts as one lookup. Nested includes count too. Exceeding 10 lookups causes SPF to return a permanent error (PermError), which may cause email delivery issues.
Should I use ~all (SoftFail) or -all (Fail)?
Start with ~all (SoftFail) while testing to avoid accidentally blocking legitimate email. Once you've confirmed all your sending sources are listed, switch to -all (Fail) for maximum protection against spoofing.
Can I have multiple SPF records?
No. Having more than one SPF TXT record on a domain causes both to be invalid (PermError). If you need to authorize multiple sources, combine them into a single SPF record using "include" mechanisms.
How does SPF relate to DMARC?
DMARC builds on SPF (and DKIM) to provide domain-level email authentication. DMARC checks that the domain in the "From" header aligns with the domain that passed SPF. Without SPF, DMARC has less data to work with. Use our DMARC Generator to create a matching DMARC policy.
How do I set up SPF for Google Workspace?
For Google Workspace, use Quick Add above and select "Google Workspace" — it adds include:_spf.google.com automatically. The full record looks like: v=spf1 include:_spf.google.com ~all. If you also send via other services (Mailchimp, SendGrid), add those includes before the ~all.
How do I add SPF for Microsoft 365?
For Microsoft 365, select "Microsoft 365" in Quick Add — it inserts include:spf.protection.outlook.com. Full record: v=spf1 include:spf.protection.outlook.com ~all. For hybrid environments with both on-premises Exchange and M365, add both the include and your server's IP4 address.
What is the difference between SPF, DKIM, and DMARC?
SPF verifies the sending server's IP is authorized for your domain. DKIM adds a cryptographic signature to prove email content wasn't modified in transit. DMARC tells receiving servers what to do if SPF or DKIM fails and sends you aggregate reports. All three work together — scan your domain at IntoDNS.AI to check all three at once.
How long does it take for SPF records to propagate?
SPF record changes typically propagate within 5–60 minutes but can take up to 48 hours. After adding or updating your SPF record, verify it with IntoDNS.AI to confirm it's live and correctly configured globally.
What is SPF flattening and when do I need it?
SPF flattening converts all include mechanisms into explicit IP addresses, reducing DNS lookups. You need it when your record exceeds the 10-lookup limit. The downside: you must manually update IPs when providers change their sending ranges. Use the lookup counter in this generator to check if you need flattening.