Build a correct SPF record from your real sending sources: your own servers, the includes your email platforms publish, and specific IP ranges, with the right all policy and a live count of the 10 DNS lookups SPF allows. It runs free in your browser, with no signup and nothing stored.
SPF record is valid
v=spf1 include:_spf.google.com ~all Publish this as a single TXT record on your sending domain. A domain may have only one SPF record.
Generated a record? Confirm it resolves with the SPF checker, then see where your mail lands with a free inbox placement test.
An SPF (Sender Policy Framework) record is a single DNS TXT record that lists which servers may send email for your domain. This generator assembles that record from plain choices: your own a and mx hosts, the include mechanisms your email providers give you, and any fixed IP addresses, then closes it with the all qualifier that sets the policy for everyone else. As you build, it counts the DNS lookups your record will trigger, since SPF allows at most 10, and validates the result with the same checks as our SPF checker. Publish the output as one TXT record on your sending domain to help meet the Gmail, Yahoo, and Microsoft authentication requirements.
Each platform you send through (Google Workspace, Microsoft 365, your ESP) publishes an include value such as _spf.google.com or sendgrid.net. Add one per line and the generator turns each into an include: mechanism.
Turn these on only if your domain's own web host (a) or mail servers (mx) also send mail. Each costs one of your 10 DNS lookups, so leave them off unless you really send from those hosts.
List any fixed IP addresses or CIDR ranges you send from directly. Unlike includes, ip4 and ip6 cost no DNS lookups, so prefer them for static sending IPs.
This sets the policy for sources not listed: -all hard fails unauthorized mail (recommended), ~all soft fails it (a safe default while you confirm every sender), and ?all is neutral. The generator never emits +all, which would authorize anyone.
The live counter adds up the include, a, and mx mechanisms in your record. Stay at or under 10, or receivers return a PermError and SPF fails. Flatten or remove unused includes if you go over.
Each include, a, and mx mechanism costs a DNS lookup, and nested includes add their own. Past 10, evaluation returns a PermError and SPF fails. Replace heavy includes with the specific ip4 ranges they cover, or drop providers you no longer use.
A domain may have only one TXT record that starts with v=spf1. If you send through several providers, combine them into one record with multiple include mechanisms rather than adding separate records.
Without a closing all mechanism the policy is incomplete and DMARC has nothing firm to align against. End the record with ~all while testing, then -all once every sender is confirmed.
If you send from a static IP, list it as ip4 or ip6 rather than wrapping it in an include. Direct IP mechanisms cost no lookups and keep you under the limit.
Ending a record with +all tells receivers that any server may send as your domain, which disables SPF and invites spoofing. Use -all or ~all instead.