SPF Record Generator
Generate online SPF TXT records from includes, IP ranges, A or MX mechanisms, redirect policy, lookup budget, and publish-ready DNS guidance.
Introduction:
Sender Policy Framework records tell receiving mail systems which hosts are authorized to send mail for an envelope domain. The record is published as DNS TXT and starts with v=spf1, followed by mechanisms such as ip4, ip6, include, a, mx, redirect, and a final all policy.
SPF is easy to over-publish. Adding every service to the apex domain can mix transactional mail, marketing mail, and helpdesk systems into one reputation surface. Adding too many lookup-causing mechanisms can make SPF fail permanently during evaluation.
A valid SPF record does not prove that mail will pass DMARC by itself. SPF must align with the domain used in the message, and DKIM often carries the more stable authentication signal for forwarded or relayed mail.
Technical Details:
The generated record always starts with v=spf1. Direct IP entries become ip4: or ip6: mechanisms. Include domains become include: mechanisms. Domain A and MX switches add a and mx, while advanced host lists add scoped a: and mx: mechanisms.
| SPF element | DNS lookup cost | Important limit |
|---|---|---|
| ip4 / ip6 | 0 | Stable when sender IP ranges are known. |
| include | 1 plus nested policy lookups | Counts toward the SPF 10-lookup limit. |
| a / mx | 1 each, with MX fan-out risk | Outcomes change when DNS answers change. |
| redirect | 1 | Replaces the local all policy. |
| all | 0 | Defines unmatched sender handling. |
The tool normalizes domains, mailbox-like input, URLs, IPv4 and IPv6 CIDR entries, and DNS zone mapping. It estimates direct lookup terms and include nesting with a configurable multiplier, warns near 8 of 10 planned terms, and treats more than 10 as a blocking budget problem. TXT output is chunked when needed but remains one DNS TXT record.
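As an added example (not the tool's own code), the sketch below builds a record the way this section describes, counts direct lookup-causing terms, and splits long output into 255-byte TXT strings. The function names, the term ordering, the refusal of +all and the >= 8 warning threshold are assumptions made for illustration; nested include lookups are not resolved.

```python
import ipaddress

# Terms that trigger DNS queries during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def build_spf(ip_ranges=(), includes=(), use_a=False, use_mx=False,
              all_policy="~all", redirect=None):
    """Assemble one v=spf1 record; a redirect replaces the local all term."""
    # Illustrative choice, not the tool's behaviour: +all is refused outright.
    if all_policy not in {"-all", "~all", "?all"}:
        raise ValueError("refusing all policy %r (+all authorizes any sender)" % all_policy)
    terms = ["v=spf1"]
    for cidr in ip_ranges:
        net = ipaddress.ip_network(cidr.strip(), strict=False)  # ValueError on bad input
        terms.append(f"ip{net.version}:{net}")
    terms += [f"include:{d.strip().rstrip('.').lower()}" for d in includes]
    if use_a:
        terms.append("a")
    if use_mx:
        terms.append("mx")
    terms.append(f"redirect={redirect.strip().rstrip('.').lower()}" if redirect else all_policy)
    return " ".join(terms)

def lookup_cost(record):
    """Count direct lookup-causing terms; nested include lookups are not resolved."""
    names = (t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
             for t in record.split()[1:])
    return sum(1 for n in names if n in LOOKUP_TERMS)

def budget_status(record, warn_at=8, limit=10):
    """Mirror the page's thresholds: warn near 8 of 10, block above 10."""
    cost = lookup_cost(record)
    if cost > limit:
        return "lookup budget exceeded"
    return "review before publish" if cost >= warn_at else "ready to publish"

def chunk_txt(record, size=255):
    """Quote the record as <=255-byte strings; resolvers rejoin them with no separator."""
    data = record.encode("ascii")
    return " ".join('"%s"' % data[i:i + size].decode("ascii")
                    for i in range(0, len(data), size))

if __name__ == "__main__":
    rec = build_spf(["192.0.2.10/24", "2001:db8::/32"],  # constructed sample input
                    ["spf.protection.outlook.com"], use_mx=True, all_policy="-all")
    print(rec, lookup_cost(rec), budget_status(rec), chunk_txt(rec), sep="\n")
```

The chunked output is still a single TXT record: the quoted strings are concatenated by the resolver exactly as written, so the spaces between terms must stay inside the chunks.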
Everyday Use & Decision Guide:
Start from a sender preset only if it matches the real outbound mail inventory. Google Workspace, Microsoft 365, on-prem relays, parked domains, and central redirect policies have different risk profiles.
- Use direct ip4 and ip6 entries for stable outbound relay addresses.
- Use include for maintained provider SPF policies, then check nested lookup headroom.
- Use ~all during rollout when the sender list is still being confirmed.
- Use -all only when every legitimate sender path is covered.
- Avoid +all for production because it authorizes any sender.
Publish exactly one SPF TXT record at the owner name. If one already exists, merge the mechanisms instead of adding a second record.
Step-by-Step Guide:
- Enter the domain or subdomain that receives mail as the envelope sender domain.
- Add provider includes, IPv4 ranges, IPv6 ranges, and domain A or MX switches as needed.
- Choose the final all policy, or add a redirect domain for a central policy.
- Set the DNS zone when publishing a subdomain from a parent zone.
- Review Publish Plan for TXT owner, TTL, quoted TXT, and status.
- Use Mechanism Audit and Rollout Checklist before changing DNS.
Interpreting Results:
Ready to publish means the generated syntax and planning checks are acceptable. Review before publish usually points to lookup headroom, chunking, normalization notes, or broad apex scope. Lookup budget exceeded should be fixed before DNS publication.
A short record is not automatically correct. The sender inventory matters more than the string length, and strict -all will reject omitted legitimate senders after propagation.
Worked Examples:
Microsoft 365 domain. A domain using only Microsoft 365 can start with include:spf.protection.outlook.com and a strict or soft policy depending on rollout confidence.
Parked domain. A domain that sends no mail should usually publish v=spf1 -all. The tool labels this as a no-mail posture rather than a sender coverage record.
Lookup pressure. A record with many vendor includes plus A and MX mechanisms can approach the 10-lookup limit. The audit should be simplified before production rollout.
FAQ:
Can I publish multiple SPF records?
No. SPF expects one record at an owner name. Multiple SPF TXT records cause evaluation errors.
What is the difference between ~all and -all?
~all is soft fail and is useful during rollout. -all is hard fail and should wait until all senders are covered.
Does SPF replace DKIM or DMARC?
No. SPF authorizes envelope senders. DKIM and DMARC still matter for authentication and alignment.
Glossary:
- Mechanism: An SPF term that matches an authorized sender source.
- Lookup limit: The SPF cap of 10 DNS-query-causing terms during evaluation.
- Redirect: An SPF modifier that delegates unmatched evaluation to another policy.
- Soft fail: The ~all policy for cautious rollout.