Skip to main content
New SPF lookups must resolve in milliseconds — why a DMARC tool's add-on isn't enough Learn Why → →

Free SPF Record Generator

Build a valid SPF record in 60 seconds. Select your email providers, add custom IPs, choose your policy - copy the result directly into your DNS.

No signup required - runs entirely in your browser

Select your email providers

One per line. IPv4 or IPv6, CIDR ranges supported.

One per line. "include:" prefix is added automatically if missing.

Your SPF record:
v=spf1 -all
DNS Lookups: 0/ 10 limit

Lookup counts are estimates including nested includes. Actual counts may vary as providers update infrastructure. Use the SPF Checker to verify the exact count for your record after publishing.

What Happens After You Generate Your SPF Record?

1. Publish it as a TXT record at your domain apex. Log into your DNS provider (GoDaddy, Cloudflare, Namecheap, AWS Route 53, etc.), create a new TXT record with @ as the host, and paste the generated SPF string as the value.

2. Verify it with our free SPF checker. After DNS propagation (typically 5-60 minutes), run a check to confirm the record is published correctly and the lookup count is under 10.

3. Monitor it over time. As you add new email services, the SPF record needs updating. Each new include: adds DNS lookups. When you approach the 10-lookup limit, use AutoSPF to flatten or switch to macros.

Provider Reference

DNS Lookup Cost by Provider

Provider Include mechanism Lookups
Google Workspaceinclude:_spf.google.com4
Microsoft 365include:spf.protection.outlook.com2
SendGridinclude:sendgrid.net5
Mailchimpinclude:servers.mcsv.net1
Amazon SESinclude:amazonses.com2
Salesforceinclude:_spf.salesforce.com2
HubSpotinclude:spf.hubspot.com2
Brevoinclude:spf.brevo.com2
Mailguninclude:mailgun.org5
Zoho Mailinclude:zoho.com4
Postmarkinclude:spf.mtasv.net1
SparkPostinclude:sparkpostmail.com1
Custom IP (ip4/ip6)ip4:x.x.x.x0

Lookup counts are approximate and may change when providers update their infrastructure. Use the SPF checker for live counts.

Why It Matters

Why Use the Free SPF Record Generator?

Correct Syntax, Every Time

The generator builds the record in the exact order receivers expect - v=spf1 first, mechanisms next, a single all qualifier last - so a stray space, duplicate tag, or missing qualifier never silently breaks authentication.

Live DNS Lookup Counting

Every provider you add shows its DNS lookup cost as you build, so you see the 10-lookup ceiling coming instead of discovering it as a PermError after the record is already published.

No Guesswork on Includes

Select a provider and the correct include mechanism is filled in for you - no hunting through help docs for the right _spf hostname or wondering whether you copied it correctly.

Runs Entirely in Your Browser

The record is built client-side and never leaves your machine. Nothing to install, no signup, and no data sent to any server.

How SPF Records Work

Understanding SPF Record Syntax

This SPF record generator assembles a valid Sender Policy Framework record from the senders you select, then hands you a single line to publish in DNS. Knowing what that line contains makes it far easier to maintain - so here is what the generator is building and why each part matters.

The Anatomy of an SPF Record

Every SPF record is a single DNS TXT record made of three parts: a version tag, one or more mechanisms, and a closing qualifier. A complete record looks like this:

v=spf1 include:_spf.google.com ip4:203.0.113.10 -all

The v=spf1 tag identifies the entry as SPF and must come first - a record that starts with anything else is ignored. Each mechanism in the middle authorizes a group of senders, and the trailing -all tells receivers how to treat every sender that wasn't matched. The generator always emits these in the correct order, because a record without a leading v=spf1 or a closing all qualifier is treated as invalid.

The Mechanisms You Can Add

Each row you add to the generator becomes one of these mechanisms:

  • include: - authorizes another domain's senders (how you add Google Workspace, Microsoft 365, SendGrid, and most SaaS providers). Each include costs at least one DNS lookup, and often more, because it can pull in further includes.
  • ip4: and ip6: - authorize a specific IP address or CIDR range directly. These cost zero DNS lookups, which makes them the cheapest way to add a known mail server.
  • a and mx - authorize the hosts in your domain's A or MX records. Each costs one lookup.
  • all - the catch-all that must come last, paired with a qualifier that sets your policy.

Choosing Your Policy: -all, ~all, or ?all

The qualifier in front of all decides what receivers do with mail that isn't authorized by any other mechanism:

  • -all (hardfail) - reject unauthorized mail outright. This is the goal once every legitimate sender is in the record.
  • ~all (softfail) - accept but mark unauthorized mail as suspicious. Use this while you roll out SPF and confirm nothing legitimate is being missed.
  • ?all (neutral) - make no assertion at all. Offers no protection and is rarely the right choice.

A safe rollout is to generate with ~all, watch your reports for a week or two, then regenerate with -all once you're confident. Avoid +all entirely - it authorizes the entire internet to send as your domain.

Common Mistakes the Generator Prevents

  • More than one SPF record. A domain may publish only one v=spf1 TXT record; a second one makes both invalid. Combine every sender into the single record the generator produces.
  • Exceeding the 10-lookup limit. Adding too many include: mechanisms pushes you past the cap and triggers PermError. The live counter flags this before you publish.
  • Using ptr. The ptr mechanism is deprecated and slow; the generator relies on include, ip4, and ip6 instead.
  • Missing the all qualifier or splitting a string past the 255-character TXT limit - both quietly break the record.

Staying Under the 10 DNS Lookup Limit

The SPF specification caps DNS lookups at ten per evaluation (RFC 7208, section 4.6.4). Every include, a, mx, and exists mechanism counts, and nested includes count recursively - so a handful of SaaS providers can quietly blow past ten. When your generated record is over the limit (or close to it), AutoSPF flattens the includes into a compact record and re-scans every 15 minutes, keeping you under the cap without losing any authorized sender. See too many DNS lookups for the full explanation.

SPF, DKIM, and DMARC Work Together

A generated SPF record is one of three email authentication standards. SPF verifies the sending server, DKIM signs the message so receivers can prove it wasn't altered, and DMARC ties them together and tells receivers what to do on failure. Gmail, Yahoo, and Microsoft now require all three from bulk senders, so pair this generator with the free DMARC checker and DKIM lookup for full coverage.

Publish, Then Verify

Once you generate the record, publish it as a TXT record at your domain apex (host @), wait for DNS to propagate - usually 5 to 60 minutes - then confirm it with the free SPF checker to make sure it resolves and stays under ten lookups. Remember that subdomains don't inherit the parent's SPF record: any subdomain that sends mail needs its own record, which you can build the same way.

Generated a record that exceeds 10 lookups?

AutoSPF automatically flattens your includes and re-scans every 15 minutes. Enterprise SLAs, SSO/SAML, audit logs, and DNS rollback included.

Rated 5/5 on G2 · Trusted since 2018

What Our Customers Say

"AutoSPF Flattens SPF Records Seamlessly & Keeps Changes Logged - I am quite pleased with the product"

It does what it promises to do, and does it very well. I appreciate that it keeps a log of changes made, which prevents many mistakes. A client's SPF record would have way too many lookups, but AutoSPF makes that problem go away. The length of the SPF record is typically not the issue; it's the amount of lookups in the record that are. AutoSPF "flattens" the record, automatically expanding the defined lookups to IP addresses or ranges. And it auto-updates the record when the un-flattened lookups change.
PJ

Peter J.

President · Small-Business (50 or fewer emp.)

"Helped us go beyond capacity"

AutoSPF did exactly as described, it helped us get past our 10 lookup limit. Afterwards, we hit another limit regarding overall capacity and when contacted, they quickly provided us with a new solution to eliminate capacity issues entirely going forward, so now we can add as many SPF records as needed. They also provided us with a personalized support video explaining their new method in its entirety using our instance as the example.
VU

Verified User

Financial Services · Mid-Market (51-1000 emp.)