1. Select your email providers

Choose every service that sends email on behalf of your domain.

Google Workspace
Microsoft 365
SendGrid
Mailgun
Amazon SES
Zendesk
Mailchimp
Freshdesk
HubSpot
Mandrill
Brevo (Sendinblue)
Intercom
Postmark
Zoho Mail
Resend
Freshservice

2. Add custom IPs or includes (optional)

Add your own mail server IPs or third-party include domains not listed above.

IPv4 Addresses
IPv6 Addresses
Custom Include Domains

3. Choose your failure policy

What should receiving servers do with email from unauthorized senders?

~all: Soft fail — accept but flag (Recommended)
-all: Hard fail — reject unauthorized
?all: Neutral — no opinion

Your SPF Record

DNS Record Type: TXT
Host / Name: @
v=spf1 ~all
DNS lookups: 0 / 10

How to add this record

  1. Log in to your DNS provider (Cloudflare, GoDaddy, Namecheap, etc.)
  2. Go to DNS Settings for your domain
  3. Add a new TXT record
  4. Set Name / Host to @ (or your domain name)
  5. Paste the generated SPF record as the Value
  6. Save — propagation can take up to 48 hours
Now set up DMARC: SPF alone won't stop spoofing. Add a DMARC policy to enforce it.

Frequently Asked Questions

What is an SPF record?
SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. Receiving mail servers check SPF to detect forged sender addresses and prevent email spoofing. Without SPF, anyone can send email pretending to be from your domain.
How do I add an SPF record to my domain?
Log in to your DNS provider (e.g., Cloudflare, GoDaddy, Namecheap), go to DNS settings, and add a new TXT record. Set the host/name to @ (or your domain) and paste the generated SPF value. Save and allow up to 48 hours for DNS propagation.
What's the difference between ~all and -all?
~all (soft fail) tells receiving servers to accept but flag emails from unauthorized senders — they'll likely land in spam. -all (hard fail) tells servers to reject unauthorized emails outright. Start with ~all to avoid accidentally blocking legitimate email, and switch to -all once you've confirmed all your senders are listed.
Can I have multiple SPF records on one domain?
No. You should only have one SPF TXT record per domain. Having multiple SPF records causes a PermError and most receiving servers will fail the check entirely. If you use multiple email services, combine them into a single SPF record with multiple include: statements — which is exactly what this generator does.
What is the 10 DNS lookup limit?
The SPF specification (RFC 7208) limits SPF records to 10 DNS lookups during evaluation. Each include:, a:, mx:, and redirect= mechanism counts as one lookup. Nested includes within those records also count. If your SPF record exceeds 10 lookups, it will return a PermError and email authentication will fail. This generator tracks your lookup count so you can stay within the limit.
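The two PermError conditions described in the answers above (more than one SPF record, and more than 10 DNS lookups) can be checked before publishing. The following is an added example, not this generator's own code: it audits a constructed in-memory zone instead of querying DNS, all domain names in it are placeholders, and it also counts `ptr` and `exists:` terms, which RFC 7208 section 4.6.4 lists as lookup-causing alongside the terms named above. It counts every term in the record tree (the worst case) and assumes include targets contain no macros.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4; include, a, mx, ptr, exists, redirect= each cost one
LOOKUP = re.compile(r"^(?:[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|(redirect)=)", re.I)

# Constructed sample zone: name -> TXT strings. All names are placeholders.
ZONE = {
    "example.com": ["v=spf1 mx include:_spf.mail.example include:_spf.crm.example ~all",
                    "site-verification=constructed"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 a:out.crm.example exists:%{i}.crm.example ~all"],
    "dup.example": ["v=spf1 include:_a.mail.example ~all", "v=spf1 ip4:203.0.113.5 -all"],
}

class PermError(Exception): pass

def spf_record(domain, zone):
    """Return the domain's one SPF record, or None; several records are a PermError."""
    found = [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(found) > 1:
        raise PermError(f"{domain}: {len(found)} SPF records published")
    return found[0] if found else None

def count_lookups(domain, zone, path=()):
    """Count lookup-costing terms in the record, following include: and redirect=."""
    if domain in path:
        raise PermError(f"loop through {domain}")
    record = spf_record(domain, zone)
    if record is None and path:  # an include/redirect target must publish SPF
        raise PermError(f"{domain}: no SPF record")
    total = 0
    for term in (record or "").split()[1:]:
        m = LOOKUP.match(term)
        total += 1 if m else 0  # ip4:, ip6: and all cost nothing
        if m and ((m.group(1) or "").lower() == "include" or m.group(2)):
            target = re.split(r"[:=]", term, maxsplit=1)[-1]
            total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone=ZONE):
    """Return (result, detail): 'permerror' for duplicate records or more than 10 lookups."""
    try:
        n = count_lookups(domain, zone)
    except PermError as exc:
        return "permerror", str(exc)
    return ("permerror" if n > LIMIT else "ok"), f"DNS lookups: {n} / {LIMIT}"
```

Calling `audit("example.com")` on the sample zone reports 7 of 10 lookups, most of them from nested includes, while `audit("dup.example")` fails on the second published record.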

Keep your email security monitored

This generator builds your SPF record. Scanward continuously monitors it — and alerts you if it breaks, gets removed, or if your email authentication degrades.
