SPF Record Generator

Select your email providers, add authorized IPs, and get a ready-to-publish SPF TXT record. No account needed.

Generated TXT Record

Host: @ (root of your domain)

v=spf1 -all

Common email senders

Domain names only — the include: prefix is added automatically.

IPv4 and IPv6 addresses and CIDR ranges. ip4: / ip6: prefixes are added automatically.

Unlisted senders (all qualifier)

What is an SPF record?

SPF (Sender Policy Framework) is a DNS TXT record published at your domain root that lists every mail server authorized to send email on your behalf. When a receiving mail server gets a message claiming to come from your domain, it resolves your SPF record and checks whether the sending IP is listed. If it is not, the message fails SPF.

SPF alone does not prevent phishing — an attacker can still fake the display name or use a lookalike domain. That is why SPF must be combined with DKIM and a DMARC policy that specifies what to do with failures. Together, the three protocols form the foundation of modern email authentication.

The SPF record format starts with v=spf1, lists authorized senders using mechanisms like include:, ip4:, and ip6:, and ends with an all qualifier that governs what happens to unlisted senders.
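The following Python is an added example, not the generator's own code: it assembles a record in the format just described from include domains, IP addresses or CIDR ranges, and an all qualifier. The names build_spf and txt_strings are hypothetical, and the second function splits the result into strings of at most 255 bytes for DNS hosts that need that done by hand.

```python
import ipaddress

def build_spf(includes=(), addresses=(), qualifier="-"):
    """Build an SPF policy string (hypothetical helper, not a library API).

    qualifier applies to the closing `all`: "-" fail, "~" softfail, "?" neutral.
    """
    if qualifier not in ("-", "~", "?"):
        # "+all" would authorize every server on the internet, so refuse it.
        raise ValueError("unsupported all qualifier: %r" % qualifier)
    terms = ["v=spf1"]
    for domain in includes:
        domain = domain.strip().rstrip(".").lower()
        # Domain names only: the include: prefix is added here, not by the caller.
        if not domain or ":" in domain or any(c.isspace() for c in domain):
            raise ValueError("bad include domain: %r" % domain)
        terms.append("include:" + domain)
    for addr in addresses:
        # ip_network raises ValueError on anything that is not an IP or CIDR range.
        net = ipaddress.ip_network(addr.strip(), strict=False)
        prefix = "ip4:" if net.version == 4 else "ip6:"
        single_host = net.prefixlen == net.max_prefixlen
        terms.append(prefix + (str(net.network_address) if single_host else str(net)))
    terms.append(qualifier + "all")
    # Drop duplicate terms while keeping their order.
    return " ".join(dict.fromkeys(terms))

def txt_strings(record, limit=255):
    """Split a record into strings of at most `limit` bytes.

    Receivers join the strings of one TXT record with no separator, so the
    split point may fall anywhere, including in the middle of a term.
    """
    data = record.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]
```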

Common SPF mistakes to avoid

Multiple SPF records on the same domain

You must have exactly one TXT record starting with v=spf1. Multiple records cause a PermError. Merge all mechanisms into a single record.

Exceeding 10 DNS lookups

Each include:, a:, and mx: mechanism counts toward the 10-lookup limit. Use SPF flattening to convert include chains into IP addresses, or consolidate providers.

Using +all (pass all)

+all allows any server to send mail as your domain — effectively disabling SPF protection. Always use -all or at minimum ~all.

Forgetting to add new email providers

Every time you add a new ESP (marketing tool, CRM, transactional email service), update your SPF record to include their sending domain or IP range.

SPF record string exceeds 255 characters

DNS TXT records have a 255-character limit per string. Long records must be split into multiple quoted strings. Most DNS providers handle this automatically.
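The checks for duplicate records, the 10-lookup limit and +all can be automated. This added example (not part of the original tool) runs them offline against a constructed zone in which every hostname is a placeholder; it goes slightly beyond the list above by also counting exists, ptr and redirect=, which RFC 7208 includes in the limit.

```python
# Constructed sample zone (hostname -> TXT strings); every name is an example.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:crm.example mx ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example -all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "crm.example": ["v=spf1 a mx -all"],
    "big.example": ["v=spf1 include:example.com include:crm.example a mx -all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 include:crm.example -all"],
    "open.example": ["v=spf1 ip4:203.0.113.5 +all"],
}
# Mechanisms that trigger a DNS query; the redirect= modifier is handled below.
LOOKUP_MECHS = {"include", "a", "mx", "exists", "ptr"}

def spf_records(zone, name):
    """TXT records at `name` whose first token is v=spf1."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, name, path=()):
    """Count DNS-querying terms, following include:/redirect= chains."""
    recs = spf_records(zone, name)
    if len(recs) != 1 or name in path:      # nothing usable, or an include loop
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith("redirect="):
            total += 1 + count_lookups(zone, term[len("redirect="):], path + (name,))
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]           # "a/24" -> "a"
        if mech in LOOKUP_MECHS:
            total += 1
        if mech == "include":
            total += count_lookups(zone, arg, path + (name,))
    return total

def lint(zone, name):
    """Return findings for the mistakes listed above; an empty list means clean."""
    recs = spf_records(zone, name)
    if len(recs) != 1:
        return ["PermError: found %d v=spf1 records, need exactly 1" % len(recs)]
    findings = []
    terms = recs[0].lower().split()[1:]
    if "+all" in terms or "all" in terms:   # a bare "all" defaults to "+"
        findings.append("+all: any server passes SPF")
    lookups = count_lookups(zone, name)
    if lookups > 10:
        findings.append("PermError: %d DNS lookups, limit is 10" % lookups)
    return findings
```

In the sample, big.example looks short but reaches 13 lookups because its includes pull in the nested chains of example.com and crm.example.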

How to add your SPF record to DNS

Cloudflare

  1. Log in to dash.cloudflare.com and select your domain.
  2. Go to DNS → Records → Add record.
  3. Type: TXT | Name: @ (root) | Content: paste the generated record | TTL: Auto.
  4. If a v=spf1 record already exists, edit it instead of adding a second one. Click Save.

GoDaddy

  1. Log in to GoDaddy and open My Products → DNS.
  2. Find any existing TXT record starting with v=spf1 and edit it, or click Add.
  3. Type: TXT | Host: @ | TXT Value: paste the generated record | TTL: 1 hour.
  4. Click Save. Allow up to 1 hour for propagation.

Amazon Route 53

  1. Open the Route 53 console and select your hosted zone.
  2. Edit an existing SPF TXT record at the root, or click Create record.
  3. Record name: (leave blank for root) | Type: TXT | Value: wrap the generated record in double quotes.
  4. Click Create records. TTL of 300 seconds is recommended.

Complete your email authentication setup

SPF is one layer. Add DMARC to enforce policy and gain visibility across all senders.

Frequently asked questions

What is an SPF record?

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. When a receiving server gets a message claiming to be from your domain, it checks your SPF record. If the sending server is not listed, the message fails SPF.

What is the difference between -all and ~all?

-all (hard fail) instructs receivers to reject messages from unlisted servers. ~all (soft fail) marks them as suspicious but still delivers them. -all gives stronger protection and is recommended for production domains. ~all is useful during initial setup when you are not yet sure all legitimate senders are included.

Why is there a 10 DNS lookup limit?

The SPF specification (RFC 7208) limits SPF evaluation to 10 DNS lookups to prevent denial-of-service attacks on DNS infrastructure. Each include:, a:, and mx: mechanism counts toward this limit. Exceeding 10 lookups causes receivers to return a PermError.

What happens if I exceed the 10 lookup limit?

Receivers that strictly implement RFC 7208 return a PermError result, which can cause SPF failures even for legitimate mail. Use SPF flattening tools to convert include: chains into individual IP addresses, reducing the lookup count.

Can I have more than one SPF record?

No. You must have exactly one SPF TXT record per domain. Multiple TXT records starting with "v=spf1" on the same hostname cause a PermError. Combine all authorized senders into a single record.

Do I still need SPF if I have DKIM and DMARC?

Yes. DMARC requires at least one of SPF or DKIM to pass with alignment. Having both provides redundancy — if SPF breaks (for example when a message is forwarded), DKIM can still pass and satisfy DMARC.