SenderKit
FREESPF generator · no sign-up

SPF Record Generator

Pick the services that send mail for your domain, add any of your own IPs, and get a valid v=spf1 TXT record to paste into DNS — with a live count of the DNS lookups it costs.
Who sends email for your domain?
Also authorize
Your SPF record1/10 DNS lookups
TypeTXTHost / name@ (domain root)
Value
v=spf1 include:_spf.google.com ~all

How to use it

  1. Tick every service that sends email as your domain — Google Workspace, Microsoft 365, your ESP, and so on.
  2. Add any of your own mail servers by IP, or tick a/mx to authorize the addresses already in your DNS.
  3. Leave the policy on ~all while you confirm every sender is listed, then switch to -all.
  4. Copy the record and publish it as a TXT record on your domain root (host @).

What the mechanisms mean

  • include:— authorizes another domain’s SPF record (how you add a provider like SendGrid or SES).
  • ip4: / ip6: — authorize specific IPs or CIDR ranges. These cost no DNS lookup.
  • a / mx— authorize the hosts in your domain’s A or MX records. Each costs one lookup.
  • ~all / -all — the catch-all. Softfail marks unlisted senders suspicious; hardfail rejects them.

Stay under 10 DNS lookups

SPF caps the number of DNS lookups a record may trigger at 10 (RFC 7208 §4.6.4). Every include, a, mx, ptr and exists counts — and includes can nest, so one provider may cost several. Exceed the limit and receivers return PermError, which can fail SPF outright. The counter above tracks this as you build, but it can’t see lookups insidea provider’s record, so leave headroom.

Common SPF mistakes

  • Two SPF records. A domain must have exactly one v=spf1 record. Merge them into one.
  • Using +all. It authorizes the entire internet to send as you — never publish it.
  • SPF alone.SPF doesn’t survive forwarding and isn’t enough on its own. Pair it with DKIM and DMARC.

Frequently asked questions

What is an SPF record?

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are allowed to send email for your domain. Receiving servers check it to help decide whether a message is legitimate or spoofed.

Where do I publish the SPF record?

Add it as a TXT record on the root of your domain (host '@' or the bare domain). Use exactly one SPF record per domain — multiple v=spf1 records is a misconfiguration that causes a PermError.

Why does the 10-lookup limit matter?

Each include, a, mx, ptr and exists mechanism in your SPF record triggers a DNS lookup, and SPF allows a maximum of 10 (RFC 7208). Go over and receivers return PermError, which can fail SPF entirely. This tool counts your lookups live so you can stay under the cap.

Should I end with -all or ~all?

Use ~all (softfail) while you're still confirming every legitimate sender is listed, then switch to -all (hardfail) once you're confident. -all tells receivers to treat unlisted senders as unauthorized; +all effectively disables SPF and should never be used.

Related
DMARC Record Generator

Once SPF and DKIM pass, add a DMARC policy to tell receivers what to do with mail that fails.

Email deliverability, handled

How SenderKit gets your transactional email to the inbox — authentication included.

Authentication set. Now ship the email.

SenderKit sends your transactional email, SMS, and push from one API — with SPF, DKIM, and DMARC handled for you. Free up to 3,000 messages a month.

Start for freeHow deliverability works

By creating an account, you agree to our Terms.