Building an SPF record by hand is error-prone. A single syntax mistake, an extra space, or a misplaced mechanism can invalidate the entire record and silently break your email deliverability. The InboxTooling SPF Record Generator helps you construct a syntactically correct, RFC 7208-compliant SPF record without touching raw DNS zone files.
How the SPF Generator Works
The generator walks you through each component of an SPF record step by step. You specify your authorized sending sources, and the tool assembles a valid TXT record ready to publish in your DNS.
Input Options
- Domain IP addresses: Add ip4 and ip6 mechanisms for servers that send mail directly from known IPs.
- MX-based authorization: Include the mx mechanism to authorize all hosts listed in your domain's MX records.
- Third-party includes: Add include mechanisms for external services such as Google Workspace (_spf.google.com), Microsoft 365 (spf.protection.outlook.com), SendGrid, Mailchimp, Amazon SES, and others.
- A record authorization: Use the a mechanism if your web server also sends transactional email.
- Qualifier selection: Choose between -all (hard fail), ~all (soft fail), or ?all (neutral) for unauthorized senders.
Output
The generator produces a single-line TXT record value, for example:
v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:sendgrid.net -all
Copy this value and publish it as a TXT record at your domain root in your DNS configuration.
Best Practices for SPF Record Generation
Stay Under 10 DNS Lookups
Every include, a, mx, and redirect mechanism triggers a DNS lookup during SPF evaluation. RFC 7208 Section 4.6.4 caps this at 10. The generator tracks your lookup count in real time so you can restructure before publishing. If you are near the limit, consider consolidating IP ranges into ip4/ip6 mechanisms, which do not count as lookups.
Use Hard Fail When Ready
Start with ~all (soft fail) during initial setup so you can monitor without blocking legitimate mail. Once you have confirmed that all authorized senders are listed, switch to -all (hard fail). This tells receiving servers to reject any mail that does not match your SPF record, providing stronger protection against domain spoofing.
One Record Per Domain
DNS permits only a single SPF record per domain. Publishing two or more results in a permerror, and most receivers will treat the SPF check as failed. If you need to combine multiple sources, merge them into one record rather than adding a second TXT entry.
After You Publish
Once your SPF record is live, validate it immediately using the SPF Check tool. DNS propagation typically completes within minutes for new records, though TTL values on existing records may cause delays.
With SPF in place, the next step is to run a Full Report on your domain. This evaluates SPF alongside DKIM and DMARC to ensure all three protocols are configured and aligned. SPF handles server authorization, but without DKIM signatures and a DMARC policy, your authentication stack is incomplete.
Common Pitfalls
- Forgetting a sending service: Audit every system that sends email from your domain, including transactional platforms, CRMs, and ticketing systems.
- Using the ptr mechanism: This is deprecated in RFC 7208 due to performance and reliability concerns. Avoid it.
- Overly broad ranges: Authorizing a /16 when you only need a /28 expands your attack surface unnecessarily.
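The lookup limit, the one-record rule, and the ptr and broad-range pitfalls above can all be checked offline before publishing. The following is an added example, not InboxTooling's code: it counts only the terms in the record itself (lookups made inside an included record also count toward the limit, so the number is a lower bound), it counts exists and ptr because RFC 7208 Section 4.6.4 lists them as well, and the MIN_PREFIX thresholds are an assumed local policy.

```python
import ipaddress

# Terms that cost one DNS lookup each during evaluation (RFC 7208 Section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MIN_PREFIX = {4: 24, 6: 48}  # assumed local policy for "overly broad", not from the RFC

def term_name(term):
    """Strip the qualifier, then cut at the first ':', '/' or '='."""
    name = term.lstrip("+-~?")
    for sep in ":/=":
        name = name.split(sep, 1)[0]
    return name.lower()

def lint_spf(txt_records):
    """Lint all TXT strings published at one name; return (lookups, findings)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return 0, ["%d SPF records published, exactly 1 required" % len(spf)]
    terms = spf[0].split()[1:]
    names = [term_name(t) for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    findings = []
    if lookups > 10:
        findings.append("%d lookup terms exceed the limit of 10" % lookups)
    if "ptr" in names:
        findings.append("ptr mechanism is deprecated")
    for term, name in zip(terms, names):
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            except (IndexError, ValueError):
                findings.append("invalid network in %r" % term)
                continue
            if net.prefixlen < MIN_PREFIX[net.version]:
                findings.append("broad range %s" % net)
    if "redirect" not in names and (not terms or terms[-1].lower() not in ("-all", "~all", "?all")):
        findings.append("record does not end in -all, ~all or ?all")
    return lookups, findings

# Constructed sample zone data (documentation addresses, not real deployments).
GOOD = ["site-verification=constructed",
        "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:sendgrid.net -all"]
BAD = ["v=spf1 ip4:198.51.0.0/16 mx ptr include:_spf.google.com ~all"]
DUPLICATE = GOOD + ["v=spf1 include:mailchimp.com -all"]

if __name__ == "__main__":
    for label, records in (("good", GOOD), ("bad", BAD), ("duplicate", DUPLICATE)):
        print(label, lint_spf(records))
```

Feed it every TXT string returned for the domain root, not just the SPF one, so that a second v=spf1 record is caught.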
FAQ
How do I create an SPF record for my domain?
Use the SPF Generator to build a valid record step by step. Enter your domain, add your authorized sending sources (IP addresses, MX servers, and third-party services), choose a qualifier, and the tool produces a ready-to-publish TXT record. Copy the output and add it as a TXT record at your domain root in your DNS provider's control panel.
What should I include in my SPF record for Google Workspace or Microsoft 365?
For Google Workspace, add include:_spf.google.com as a mechanism. For Microsoft 365, add include:spf.protection.outlook.com. If you use both services on the same domain, include both mechanisms in a single SPF record. The SPF Generator has preset options for these providers so you do not need to remember the exact include values.
How do I add multiple email services to a single SPF record?
List each service as a separate include: mechanism within one TXT record. For example, v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com -all authorizes three services. Remember that each include counts toward the 10 DNS lookup limit defined in RFC 7208, so consolidate where possible by using ip4/ip6 mechanisms for services that provide static IP ranges.
Should I use soft fail (~all) or hard fail (-all) in my SPF record?
Start with ~all (soft fail) when you first publish your SPF record. Soft fail tells receiving servers that unauthorized mail should be treated with suspicion but not outright rejected, giving you time to verify that all legitimate senders are accounted for. Once you have confirmed everything is working correctly using the SPF Check tool, switch to -all (hard fail) for stronger protection against spoofing.
What happens if I publish two SPF records for the same domain?
Publishing multiple SPF records on the same domain causes a permerror result, which most receiving servers treat as an SPF failure. DNS allows only one SPF record per domain. If you need to authorize additional senders, merge them into your existing record rather than creating a second TXT entry. Use the SPF Generator to rebuild a consolidated record that covers all your sending sources.