SPF Record Generator

Sender preset:

Choose Custom, Google, Microsoft, relay, parked-domain, or redirect starter values.

Domain:

Use a bare domain such as example.com or mail.example.com; omit protocol and paths.

Include domains:

Enter one provider domain per line or comma; omit the include: prefix.

Authorized IPv4 CIDRs:

Use IPv4 addresses or CIDR ranges, for example 203.0.113.0/24.

Authorized IPv6 CIDRs:

Use IPv6 addresses or CIDR ranges, for example 2001:db8:100::/48.

Allow domain MX hosts:

Turn on only if the domain's MX hosts are legitimate outbound senders.

Allow domain A/AAAA hosts:

Turn on only if the domain's web hosts are also valid outbound mail sources.

Terminal policy:

Use ~all during rollout; switch to -all only after every sender path is covered.

Additional A mechanisms:

Enter one host or host/prefix per line, for example mail.example.com/24.

Additional MX mechanisms:

Enter one delegated domain per line or comma, such as relay.example.net.

Redirect domain:

Enter only the target policy domain, for example _spf.example.net.

Include depth factor:

Use 1.0x for direct terms, higher values to reserve headroom for nested vendor includes.

DNS zone:

Leave blank for direct publish; use a parent zone such as example.com for subdomains.

Field	Value	Copy
{{ row.label }}	{{ row.value }}

#	Term	Lookup	Purpose	Copy
{{ row.order }}	{{ row.token }}	{{ row.lookup }}	{{ row.purpose }}

Priority	Check	Current reading	Action	Copy
{{ row.priority }}	{{ row.check }}	{{ row.current }}	{{ row.action }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Email domains often send from more places than one DNS record remembers. Staff mail may leave through Microsoft 365 or Google Workspace, forms may use a web host, alerts may use an on-premises relay, and newsletters may come from a marketing provider. Sender Policy Framework, or SPF, gives receivers a DNS-published list of the hosts and delegated policies that are allowed to send for an SMTP envelope domain.

The envelope domain is not always the visible From address a person sees in a mail client. SPF evaluates the MAIL FROM identity, and in some cases the HELO identity, used by the sending server during SMTP delivery. DMARC then checks whether the authenticated SPF domain, or a valid DKIM signing domain, aligns with the visible From domain. That is why a message can pass SPF and still fail DMARC.

Envelope domain: The SMTP identity SPF evaluates, often later visible as the return-path domain.
Authorized source: An IP range, provider include, A host, MX host, or redirected SPF policy that can match a sender.
Terminal policy: The final all decision for senders that did not match any earlier SPF term.
Lookup budget: The limit on DNS-query-causing SPF terms during receiver evaluation.

Diagram showing SPF evaluation from envelope domain to authorized sources, one DNS TXT record, and receiver result.

SPF policy design is mostly inventory work. Provider includes are convenient because a service can maintain its own sender ranges, but each include costs at least one lookup and may hide more lookups behind it. A and MX mechanisms are compact, but they authorize whatever those DNS answers resolve to later. Direct IP ranges are easier to audit, but they must be updated whenever the sending network changes.

A sound SPF record is singular, specific, and maintainable. It belongs at the owner name receivers query, it should be the only TXT record at that owner name that starts with v=spf1, and it should leave enough lookup headroom for provider changes and future mail streams.

How to Use This Tool:

Start from a sender inventory, then use the generated TXT value, publish target, and audit rows as a DNS change checklist.

Enter Domain as the envelope domain that will publish SPF. Use a bare domain or subdomain such as example.com or mail.example.com, without a protocol, path, or mailbox address.
Choose a Sender preset only when it matches your real sender inventory. The Google, Microsoft, combined-provider, on-prem relay, dual-stack, parked-domain, and redirect starters are editable drafts, not proof of coverage.
Add provider policy domains in Include domains without the include: prefix. Add stable relay addresses or networks in Authorized IPv4 CIDRs and Authorized IPv6 CIDRs.
Turn on Allow domain MX hosts or Allow domain A/AAAA hosts only when those DNS records identify approved outbound senders. Use Additional A mechanisms and Additional MX mechanisms for named hosts or delegated domains that need separate review rows.
A and MX mechanisms follow live DNS answers. If a host or mail-exchanger changes later, SPF authorization can change with it.
Set a Redirect domain only when unmatched SPF evaluation should move to a centrally maintained policy you control. When redirect is present, the generated record uses redirect= and omits the selected terminal all policy.
Choose Terminal policy for rollout. ~all is safer while you confirm senders, -all is stricter after coverage is proven, ?all is neutral, and +all should not be used for normal production domains.
Use the Include depth factor as a planning reserve when provider includes may contain nested SPF work.
Open Publish Plan and copy the Host / name field, Owner FQDN, SPF TXT value, and Quoted TXT strings in the form your DNS provider expects.
Review Mechanism Audit and Rollout Checklist before publication. If the status shows Fix inputs before publish, Lookup budget exceeded, or Record size needs review, resolve that warning before changing DNS.

Interpreting Results:

Read Owner FQDN and SPF TXT value together. A valid-looking TXT value at the wrong owner name will not authorize the intended envelope domain, and two separate SPF TXT records at the same owner name can produce a permanent SPF error.

The readiness status checks the current draft for syntax, owner mapping, lookup estimate, size, and policy cautions. It does not prove that every sender was inventoried, that live vendor includes are under the DNS lookup limit, or that DMARC alignment will pass for real messages.

SPF status values and follow-up checks
Status	Meaning	Follow-up check
Ready to publish	The draft has acceptable owner mapping, syntax, lookup estimate, and TXT size.	Publish one TXT record and verify live DNS after propagation.
Review before publish	The draft is usable but has a lookup, chunking, normalization, or scope caution.	Read the matching Rollout Checklist row before changing DNS.
Lookup budget exceeded	Direct or estimated DNS-query-causing terms exceed the SPF limit of 10.	Reduce includes, A/MX mechanisms, or redirect dependency before publication.
Record size needs review	The SPF payload is large enough to merit simplification.	Shorten the sender list and keep chunks inside one TXT record.
No mail should send	The draft represents a parked-domain deny-all policy.	Use this only when the domain or subdomain truly sends no mail.
Fix inputs before publish	A domain, zone, IP range, or mechanism entry prevents a reliable publish target.	Correct the field named by the blocking note and recheck the owner name.

The most common false confidence is a clean record that omits a real sender. Before moving from ~all to -all, send representative mail from every platform and inspect authentication results for both SPF and DMARC alignment.

Technical Details:

An SPF record begins with v=spf1, then lists mechanisms and modifiers that are evaluated left to right. Direct ip4: and ip6: mechanisms match addresses without extra DNS work. include, a, mx, and redirect can require DNS queries, so they consume the SPF lookup budget defined by the standard.

The final policy handles senders that did not match earlier terms. -all is a hard fail, ~all is a soft fail, ?all is neutral, and +all passes any remaining sender. A redirect changes the ending because unmatched evaluation moves to another SPF policy, so the local all term is not emitted when a redirect target is used.

Formula Core:

The lookup estimate separates direct lookup terms from a planning reserve for nested provider includes.

L_{est} = L_{direct} - I + ⌈ I \times F ⌉

L_est is the estimated lookup total, L_direct is the number of direct lookup-causing terms, I is the number of include mechanisms, and F is the include depth factor. For example, 2 includes, 1 MX switch, and a factor of 2 gives 3 - 2 + ceil(2 x 2) = 5 estimated lookup terms. Values above 10 are blocked, while 8 through 10 are treated as review territory.

Rule Core:

SPF mechanisms and validation boundaries
Term	What it authorizes	Lookup cost	Review boundary
`ip4:` and `ip6:`	Specific IPv4 and IPv6 sender addresses or CIDR ranges.	0	Best for stable relay IPs that can be audited directly.
`include:`	A provider-maintained SPF policy for another domain.	1 direct term plus any nested policy work.	Useful for SaaS senders, but provider nesting can exhaust the limit.
`a` and `a:`	Addresses returned by A or AAAA records for the domain or named host.	1 direct term each.	Authorization follows future DNS answer changes.
`mx` and `mx:`	Addresses behind MX hosts for the domain or delegated domain.	1 direct term each, with MX expansion risk.	Use only when inbound mail exchangers are also approved outbound senders.
`redirect=`	Another SPF policy that evaluates unmatched senders.	1 direct term.	Use only when the target policy is maintained for the same sender population.

TXT packaging is separate from SPF logic. One DNS TXT record can contain multiple quoted strings, and those strings are concatenated by receivers. The generator splits long output into quoted strings of no more than 255 characters, warns when more than one quoted string is needed, and treats payloads above 450 characters as needing simplification.

SPF record validation and packaging checks
Area	Accepted behavior	Output affected
Domain and zone	Bare DNS names are normalized and checked; a parent zone must contain the publish domain.	Host / name field, Owner FQDN, and DNS line.
IPv4 CIDR	IPv4 addresses and optional prefixes from `/0` through `/32`.	Accepted entries become `ip4:` terms.
IPv6 CIDR	IPv6 addresses and optional prefixes from `/0` through `/128`.	Accepted entries become `ip6:` terms.
Duplicate terms	Repeated normalized entries are removed.	Mechanism Audit shows the generated term set once.
TTL guidance	The publish plan recommends a 3600-second TTL for rollout.	DNS line and publish checklist.

The generated checks do not query live DNS. Lookup counts, chunking, and policy cautions are planning aids derived from the draft. Live validation still belongs after publication, especially when vendor includes, MX expansion, redirects, or DMARC alignment can change the receiver's final result.

Accuracy and Privacy Notes:

This is a draft generator, not a live DNS auditor. It builds the SPF value, owner name, host label, quoted TXT strings, lookup estimate, and rollout warnings from the values entered on the page. It does not resolve provider includes, test propagation, inspect message headers, or prove that receivers will accept the final policy.

Check live DNS after publication and confirm that only one SPF TXT record exists at the owner name.
Provider includes and MX answers can change after a vendor or administrator updates DNS.
Copied or downloaded reports can reveal domain names, IP ranges, vendors, and mail-routing choices.
After the page loads, draft generation runs in the browser and does not require sending the SPF record to a lookup service.

Worked Examples:

Roll out Microsoft 365 before strict enforcement

A domain using Microsoft 365 starts from the Microsoft preset, keeps Domain as example.com, and confirms that Include domains contains spf.protection.outlook.com. During migration, ~all gives time to check logs and DMARC results before switching to -all.

Keep a parked domain from authorizing mail

A domain that never sends mail uses the parked-domain preset. With no includes, IP ranges, A mechanisms, MX mechanisms, or redirect target, the generated value is a deny-all SPF policy and the status reads No mail should send.

Replace broad A/MX authorization

A self-hosted setup that enables both domain A and MX mechanisms may look compact, but it follows future DNS changes. If the relay addresses are stable, replacing those mechanisms with explicit ip4: or ip6: terms gives a policy that is easier to audit.

Fix a blocking zone mismatch

If Domain is mail.example.com but DNS zone is example.net, the draft is blocked because the zone does not contain the publish domain. Changing the zone to example.com lets the publish plan produce host mail and owner mail.example.com.

FAQ:

Can I publish more than one SPF record for the same owner name?

No. Merge all SPF terms into one TXT record that starts with v=spf1. Multiple quoted strings are acceptable only when they are parts of that same DNS TXT record.

Why is the lookup budget near the limit with only a few includes?

Each include costs at least one direct lookup and can reference more SPF policies behind it. The Include depth factor reserves headroom for that hidden nesting.

Should I use A or MX mechanisms?

Use them only when those host or mail-exchanger addresses are intended outbound senders. Explicit ip4: and ip6: terms are usually clearer when relay addresses are stable.

Why does redirect remove the all policy?

A redirect sends unmatched SPF evaluation to another policy. A non-empty Redirect domain emits redirect= and omits the local terminal all term.

Does SPF passing mean DMARC passes?

Not always. DMARC requires SPF or DKIM authentication to align with the visible From domain. Check real message headers after publication, especially when third-party senders use their own return-path domains.

Glossary:

Sender Policy Framework: A DNS-based email authentication policy that authorizes sending hosts for an envelope domain.
Envelope domain: The SMTP MAIL FROM, return-path, or HELO identity that SPF evaluates.
Owner FQDN: The full DNS name where the SPF TXT record should be published.
Include: An SPF mechanism that evaluates another domain's SPF policy as part of the current policy.
Redirect: An SPF modifier that sends unmatched evaluation to another policy and replaces the local terminal action.
Terminal policy: The final all decision for senders that did not match earlier mechanisms.
DMARC alignment: The relationship between an authenticated SPF or DKIM domain and the visible From domain.

References:

RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1, RFC Editor, April 2014.
RFC 9989: Domain-Based Message Authentication, Reporting, and Conformance (DMARC), RFC Editor, May 2026.
Set up SPF, Google Workspace Admin Help.
Set up SPF to identify valid email sources for your Microsoft 365 domain, Microsoft Learn.

SPF Record Generator

{{ result.summaryTitle }}

Generated result

How to Use This Tool:

Interpreting Results:

Technical Details:

Formula Core:

Rule Core:

Accuracy and Privacy Notes:

Worked Examples:

Roll out Microsoft 365 before strict enforcement

Keep a parked domain from authorizing mail

Replace broad A/MX authorization

Fix a blocking zone mismatch

FAQ:

Glossary:

References:

SPF Record Generator

{{ result.summaryTitle }}

Generated result

Introduction:

How to Use This Tool:

Interpreting Results:

Technical Details:

Formula Core:

Rule Core:

Accuracy and Privacy Notes:

Worked Examples:

Roll out Microsoft 365 before strict enforcement

Keep a parked domain from authorizing mail

Replace broad A/MX authorization

Fix a blocking zone mismatch

FAQ:

Glossary:

References: