SPF Record Generator

SPF (Sender Policy Framework) is one of the three pillars of email authentication, along with DKIM and DMARC. It works by publishing a DNS record that lists every server and service authorized to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks the SPF record and compares the sending IP against the authorized list. If there is no match, the email fails SPF and may be rejected or flagged as spam.

How SPF records are structured

An SPF record is a TXT record on your domain that starts with "v=spf1" and lists authorized senders using mechanisms like "include:" (for third-party services), "ip4:" (for specific IP addresses), and "a" or "mx" (for your domain's own servers). The record ends with a policy: "~all" (soft fail) or "-all" (hard fail) that tells receivers what to do with unauthorized senders. For example, a typical record might look like: v=spf1 include:_spf.google.com include:sendgrid.net ~all. This generator builds the record for you by letting you pick your providers from a list.

The 10 DNS lookup limit and how to stay under it

SPF has a hard limit of 10 DNS lookups per record. Every "include:" mechanism triggers a lookup, and some services use nested includes that count against your limit. Google Workspace alone uses 3-4 lookups. Add SendGrid, Mailchimp, and a few other services, and you can easily hit the ceiling. If you exceed 10 lookups, SPF validation fails entirely, which is worse than having no SPF record at all. This generator tracks your lookup count as you add services. If you are running into the limit, consider using IP addresses directly (ip4: mechanisms do not count as lookups) or look into SPF flattening services that resolve includes into IP addresses. Verify your final record with our SPF checker to confirm the lookup count.

Common SPF mistakes that break email authentication

The number one mistake is having multiple SPF records on the same domain. You can only have one SPF TXT record. If you have two, both are invalid and all SPF checks will fail. The second most common mistake is forgetting to include a sending service. If you use Google Workspace for employee email and SendGrid for marketing emails, both must be in the same SPF record. Third, many people set "-all" (hard fail) before confirming all legitimate senders are included, which causes their own emails to be rejected. Start with "~all" and monitor with DMARC reports before switching to hard fail.

Completing your email authentication setup

SPF alone is not enough. For full email authentication, you also need DKIM (which cryptographically signs your emails) and DMARC (which tells receivers what to do when SPF or DKIM fails). Generate your SPF record here, then set up DKIM through your email provider, and create a DMARC policy with our DMARC generator. After adding the records to your DNS, use our DNS propagation checker to verify they are live globally before sending any campaigns.