Skip to main content

SPF Record Generator

Pick the email senders you use. We'll build a correct SPF TXT record and count the DNS lookups it'll cost so you don't trip the 10-lookup RFC cap.

Email senders you use

Permits your inbound mail servers to also send. +1 DNS lookup.

Permits your web server's IP to send mail. +1 DNS lookup.

Typed IPs cost zero DNS lookups. Preferred over include: when the sender is static.

Frequently asked questions

How do I build an SPF record?

Pick every service that sends mail for your domain (Google Workspace, Microsoft 365, your ESP, your own servers) and this generator combines their includes and IPs into one valid v=spf1 record ending in a fail qualifier. Paste the result as a TXT record at your domain apex.

Can I have more than one SPF record?

No. There must be exactly one SPF TXT record per domain. If you already have one, edit it to add the new sender rather than publishing a second record. Two SPF records cause a PermError and SPF stops working.

Should I end with ~all or -all?

Use ~all (soft fail) while you are still discovering senders, then move to -all (hard fail) once every legitimate sender is listed. -all is the enforcement end state; ~all leaves SPF effectively unenforced because receivers still accept unlisted senders.

How do I avoid the 10-lookup limit?

Add only the senders you actually use, prefer ip4/ip6 over deeply nested includes, and run the result through the SPF checker. If you are over 10, the SPF flattener resolves includes to raw IPs.


Want ongoing monitoring?

This tool is a one-shot check. PhishFence watches your domain with automated hourly monitoring (daily on Free) for DMARC changes, new lookalike registrations, and spoofing attempts.

Start free monitoring