SPF Record Generator - Complete Guide

Create perfect SPF records with the world's most advanced SPF generator - Stay within the 10-lookup limit and optimize email deliverability

What is SPF?

Sender Policy Framework (SPF) is an email authentication protocol defined in RFC 7208. It allows domain owners to specify which mail servers are authorized to send email on behalf of their domain, helping prevent email spoofing and phishing attacks.

SPF works by publishing a specially formatted TXT record in your domain's DNS. When a receiving mail server gets an email claiming to be from your domain, it checks your SPF record to verify the sending server is authorized.

Example SPF Record:
v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all

How Our SPF Generator Works

Our SPF generator, built by DigiCert, is the world's most advanced SPF record creation tool. Here's what makes it unique:

1. Intelligent Provider Detection

Simply select your email providers from our comprehensive list. We automatically include the correct SPF entries for Google Workspace, Microsoft 365, SendGrid, Mailchimp, and dozens more.

2. Real-time DNS Lookup Counter

Our unique feature shows exactly how many DNS lookups your SPF record will consume. We expand all includes and calculate the total, helping you stay under the 10-lookup limit.

3. Automatic Optimization

We automatically flatten nested includes where possible and suggest optimizations to reduce lookups while maintaining security.

4. Live Diff View

See exactly what changes you're making with our visual diff tool. Green highlights show additions, red strikethrough shows removals.

SPF Mechanisms Explained

SPF records use various mechanisms to define authorized senders. Understanding these is crucial for creating effective records:

include:

References another domain's SPF record. Counts as one DNS lookup plus any lookups in the included record.

Example: include:_spf.google.com

ip4: / ip6:

Authorizes specific IP addresses or ranges. No DNS lookup required - most efficient mechanism.

Examples: ip4:192.0.2.1 or ip6:2001:db8::/32

a / mx

Authorizes servers listed in A or MX records. Each counts as one DNS lookup.

Examples: a:mail.example.com or mx

all

Matches everything. Always placed at the end with a qualifier.

Examples: -all (fail), ~all (softfail), ?all (neutral)

Qualifiers: Each mechanism can be prefixed with + (pass), - (fail), ~ (softfail), or ? (neutral). Default is + if omitted. See RFC 7208 Section 4.6 for details.

The 10-Lookup Limit

RFC 7208 Section 4.6.4 mandates that SPF evaluation must not exceed 10 DNS lookups. This prevents denial-of-service attacks but can be challenging for organizations using multiple email services.

What Counts as a Lookup:

  • include: mechanisms
  • a and mx mechanisms
  • exists: mechanisms
  • ptr mechanisms (deprecated)
  • Lookups within included records (recursive)

What Doesn't Count:

  • ip4: and ip6: mechanisms
  • all mechanism
  • The initial TXT record lookup

Warning: Exceeding 10 lookups results in a "permerror" and your emails may be rejected. Our generator helps you stay within this limit.
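The counting rules above can be checked offline with a short script. This is an added example, not the generator's own code: ZONE is constructed sample data standing in for live TXT lookups, and count_lookups and verdict are hypothetical names. It also counts the redirect= modifier, which RFC 7208 Section 4.6.4 includes in the limit, and it reports the worst case (a real evaluator stops at the first mechanism that matches).

```python
# Constructed sample zone: domain -> published SPF TXT record (not real DNS data).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 include:_a.mailer.example include:_b.mailer.example ~all",
    "_a.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailer.example": "v=spf1 ip6:2001:db8::/32 exists:%{i}.bl.mailer.example ~all",
    "big.example": "v=spf1 a mx include:example.com include:_spf.mailer.example -all",
    "loop.example": "v=spf1 include:loop.example -all",
}

LIMIT = 10  # RFC 7208 Section 4.6.4
# Terms that cost one lookup each; the redirect= modifier is counted as well.
COUNTED = {"include", "a", "mx", "ptr", "exists"}


def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case number of lookup-consuming terms reachable from domain."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain)
    if record is None:
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as a/24
        if name in COUNTED:
            total += 1
        if name == "include":
            # The included record's own terms count against the same budget.
            total += count_lookups(arg, zone, path + (domain,))
    return total


def verdict(domain, zone=ZONE):
    """Return (count, 'ok' or 'permerror') for the record published at domain."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")


if __name__ == "__main__":
    for d in ("example.com", "big.example"):
        print(d, verdict(d))
```

A record reached through two different includes is counted once per path, which is why big.example goes over the limit even though it names only two includes directly.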

Best Practices

  1. Start with ~all, move to -all: Begin with softfail (~all) during testing, then switch to fail (-all) once confident.
  2. Use IP addresses when possible: IP mechanisms don't count toward the lookup limit and are faster to evaluate.
  3. Minimize includes: Each include adds lookups. Consider flattening if approaching the 10-lookup limit.
  4. Keep it simple: Complex SPF records are harder to maintain and more likely to break.
  5. Monitor regularly: Providers change their SPF records. Monitor yours to ensure it stays valid.
  6. Document your senders: Maintain a list of all services sending email for your domain.
  7. Use subdomains: Consider using subdomains for different email streams (e.g., marketing.example.com).

Common Mistakes to Avoid

❌ Multiple SPF Records

Only one SPF record is allowed per domain. Multiple records cause permanent errors.

❌ Incorrect Syntax

Common errors: Missing "v=spf1", incorrect quotes, typos in mechanisms.

❌ Using +all

This allows anyone to send email for your domain, defeating the purpose of SPF.

❌ Forgetting Services

Missing legitimate senders causes email delivery failures.

❌ Not Monitoring Changes

Provider SPF records change. Your includes may break without notice.
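A pre-publication check for the first three mistakes above (duplicate records, syntax errors, and an all that passes everyone). This is an added example, not part of the original page or the generator; lint_spf is a hypothetical name and SAMPLES holds constructed inputs. It takes the TXT strings published at one domain and returns a list of findings.

```python
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}


def lint_spf(txt_records):
    """Return findings for the TXT strings published at a single domain."""
    records = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in records if re.match(r"v=spf1( |$)", r, re.I)]
    if not spf:
        return ["no TXT record starts with v=spf1"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published (permerror)")
    terms = spf[0].split()[1:]
    for i, term in enumerate(terms):
        if re.match(r"[a-z][a-z0-9._-]*=", term, re.I):
            continue  # modifier such as redirect= or exp=
        qualifier = term[0] if term[0] in "+-~?" else "+"  # + is the default
        name = re.split(r"[:/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name not in MECHANISMS:
            findings.append(f"unknown mechanism: {term}")
        elif name == "all":
            if qualifier == "+":
                findings.append(f"{term} authorizes every sender")
            if i != len(terms) - 1:
                findings.append("terms after all are never evaluated")
    return findings


# Constructed sample inputs: one list of TXT strings per hypothetical domain.
SAMPLES = {
    "clean": ["v=spf1 include:_spf.google.com -all"],
    "duplicate": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.1 -all"],
    "bare-all": ["v=spf1 mx all"],
    "typo": ["v=spf1 inlcude:_spf.google.com ~all"],
    "no-version": ["spf1 mx -all"],
}

if __name__ == "__main__":
    for label, txt in SAMPLES.items():
        print(label, lint_spf(txt))
```

A bare all with no qualifier is flagged the same way as +all, because + is the default qualifier.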

Testing Your SPF Record

After creating your SPF record with our generator, follow these steps to ensure it works correctly:

  1. Publish the record: Add the TXT record to your domain's DNS
  2. Wait for propagation: DNS changes can take up to 48 hours
  3. Use our DNS Lookup Tool: Verify the record is published correctly
  4. Test with our validator: Check syntax and lookup count
  5. Send test emails: Verify legitimate senders pass SPF checks
  6. Monitor email logs: Look for SPF failures in your email reports

Pro Tip: Use our DNS Lookup Tool to verify your SPF record is published correctly and check how many lookups it consumes.