SPF Record Generator

Pick the services that send email for your domain and get a correct SPF record — with the 10-lookup limit tracked for you. Free, no signup.

Who sends email for this domain?

Each service adds its documented include mechanism.

From your provider's docs, e.g. spf.example-esp.com — commas or spaces between multiple. Some services (Klaviyo, HubSpot, Mailchimp Transactional) authenticate through their own CNAME records instead of a shared include — check their DNS settings page.

How should receivers treat everyone else?

Your SPF record

0/10 DNS lookups

Publish as a TXT record at the domain root. One SPF record per domain — if one exists, merge into it instead of adding another.

Host / Name

yourdomain.com (or @)

Value (TXT)

v=spf1 ~all

Record type: TXT · ip4/ip6 mechanisms don't count against the 10-lookup limit.

Nothing is authorized yet — this record would tell receivers that no server may send for your domain. Select your email providers above (or tick the parked-domain option if that's intended).

After you publish

  1. Add the TXT record at your DNS host.
  2. Verify it with the free SPF checker.
  3. SPF alone doesn't stop spoofing — pair it with DKIM and a DMARC policy. Generate one with the DMARC record generator.

What is an SPF record generator?

An SPF record is a TXT entry in your DNS listing every server allowed to send email for your domain. Receivers check it on every delivery; get it wrong and legitimate mail lands in spam — or the record is ignored entirely. The two mistakes that cause most SPF failures are publishing a second record instead of merging into the first, and quietly exceeding the 10-DNS-lookup limit as includes accumulate. This generator assembles the record from the services you actually use and tracks the lookup count as you build. When it's published, validate it with the SPF checker, and see the step-by-step SPF setup guide for provider-specific instructions.

Email authentication knowledge base

List every service that sends email for your domain — your mailbox provider (Google Workspace or Microsoft 365), marketing platforms, transactional senders, your CRM, help desk, and any mail server you run. Each has a documented SPF mechanism, usually an include. Select them in the generator, choose how receivers should treat everything else (~all to start), and publish the result as a TXT record at your domain root. The hard part isn't syntax — it's remembering every service. DMARC aggregate reports are how you find the ones you forgot.

No. The SPF standard requires exactly one — if receivers find two v=spf1 TXT records, the result is a permerror and both are effectively ignored, which is worse than having neither. If your domain already has an SPF record, merge the new mechanisms into it: keep one v=spf1 at the front, combine the include and ip mechanisms, and keep a single all qualifier at the end.

Receivers stop evaluating an SPF record after 10 DNS lookups; anything more returns permerror, which mailbox providers treat as a failure. The mechanisms a, mx, include, exists, redirect and ptr each cost one lookup — and includes often trigger further lookups inside themselves, so a record that lists 6 includes can silently blow past the limit. ip4 and ip6 mechanisms cost nothing, which is why the fix for a too-long record is usually replacing includes with your providers' published IP ranges or using a flattening service.

~all (softfail) asks receivers to accept but mark unlisted senders — it's the safe choice while you're still discovering every service that sends for you. -all (hard fail) tells receivers to refuse unlisted senders outright; move to it once your DMARC reports have shown weeks of clean, complete coverage. Avoid ?all: it's equivalent to having no opinion, offers zero protection, and reads as neglect. Whatever qualifier you choose, real spoofing protection comes from pairing SPF with DMARC, because SPF alone isn't checked against the From address people see.

Google Workspace documents include:_spf.google.com and Microsoft 365 documents include:spf.protection.outlook.com — one include each, both built into this generator. Everything Google or Microsoft sends for you is covered by that single mechanism, so you don't add individual server IPs for them. If you also send through a marketing or transactional platform, its include goes in the same single record, not a second one.

No — and this surprises people. SPF validates the hidden envelope sender (Return-Path), not the From address displayed to recipients, so a spoofer can pass SPF for their own domain while showing yours in the From line. Closing that gap is exactly what DMARC does: it requires the SPF-validated domain to align with the visible From domain and lets you tell receivers to reject mail that fails. Publish SPF, then add DKIM and a DMARC policy — that trio is what actually stops spoofing.

v=spf1 -all — a record that authorizes nothing. Domains that send no email are favorite spoofing targets precisely because nobody is watching them, and mailbox providers explicitly recommend publishing a deny-everything SPF record on them. Tick the parked-domain option in the generator to get it, and pair it with a p=reject DMARC record for complete lockdown.

Not every service uses a shared SPF include anymore. Klaviyo, HubSpot, Mailchimp Transactional (Mandrill), Constant Contact, and SparkPost, for example, authenticate through CNAME records or account-specific values that their dashboard generates for you — adding a generic include for them would do nothing. Check your provider's domain-authentication or DNS-settings page: if it gives you an include value, paste it into the Other includes field above; if it gives you CNAME records, publish those instead and leave SPF alone.

Run it through the SPF checker, which fetches the live record, validates the syntax, counts the DNS lookups, and flags problems like multiple records or unresolvable includes. Then send a test message to a Gmail address and use Show original to confirm spf=pass. For ongoing certainty across every sending service, DMARC aggregate reports show you SPF results as every receiver in the world sees them.