SPF Record Generator

Configure authorized sending servers, IP addresses, and third-party includes to generate a properly formatted SPF TXT record for your domain.

Generated SPF Record

v=spf1 -all

Publish this as a TXT record at @ (root) of your domain's DNS.

IPv4 Addresses

Add individual IP addresses or CIDR ranges (e.g. 192.0.2.0/24)

IPv6 Addresses

Add IPv6 addresses or CIDR ranges (e.g. 2001:db8::/32)

Include Domains

Reference another domain's SPF record. Each include adds 1 DNS lookup.

Mechanisms & Policy

Hard fail tells receiving servers to reject unauthorized emails. Soft fail marks them but still delivers. Neutral takes no action.

How SPF Records Work

SPF (Sender Policy Framework) is a DNS-based email authentication protocol defined in RFC 7208. When a receiving mail server gets an email claiming to be from your domain, it queries your domain's DNS for a TXT record starting with v=spf1. This record contains a list of mechanisms that define which servers are authorized to send email on your behalf.

The receiving server evaluates each mechanism in order from left to right. The first mechanism that matches the sending server's IP ends the evaluation, and SPF returns the qualifier associated with that mechanism (pass, fail, softfail, or neutral). If no earlier mechanism matches, the all mechanism at the end acts as the catch-all, and its qualifier applies as the record's default.

SPF alone does not prevent spoofing — it only checks the envelope sender (MAIL FROM), not the visible From: header. This is why SPF works best combined with DKIM and DMARC, which together provide full authentication coverage.

SPF Mechanisms Explained

ip4:

Matches a specific IPv4 address or CIDR range. Does not count toward the 10-lookup limit because no DNS query is needed.

ip4:192.0.2.1 or ip4:192.0.2.0/24

ip6:

Matches a specific IPv6 address or CIDR range. Like ip4, does not count toward the lookup limit.

ip6:2001:db8::1 or ip6:2001:db8::/32

include:

References another domain's SPF record. The receiving server performs a recursive SPF check on the included domain. Counts as 1 DNS lookup.

include:_spf.google.com

a

Matches the IP addresses returned by your domain's A (and AAAA) record. Counts as 1 DNS lookup.

a (resolves your domain's A record)

mx

Matches the IP addresses of your domain's MX (mail exchange) servers. Counts as 1 DNS lookup plus 1 per MX hostname resolved.

mx (resolves your domain's MX records)

all

Matches everything. Always placed at the end of the record as the catch-all for any sender not matched by earlier mechanisms.

-all (hard fail), ~all (soft fail), ?all (neutral)

SPF Qualifiers

Each mechanism can be prefixed with a qualifier that determines how a match is treated. If no qualifier is specified, + (pass) is the default.

+ Pass

The sender is authorized. This is the default if no qualifier is specified.

- Fail (Hard Fail)

The sender is not authorized. Receiving servers should reject the email.

~ SoftFail

The sender is probably not authorized. Email is accepted but marked as suspicious.

? Neutral

No assertion is made about the sender. Equivalent to having no SPF record for that mechanism.

SPF Best Practices

  • Use -all (hard fail) in production

    Hard fail provides the strongest protection against unauthorized senders. Only use ~all during initial setup when you are still identifying all legitimate sending sources.

  • Stay under 10 DNS lookups

    Each include:, a, mx, ptr, exists, and redirect mechanism counts as one lookup. Exceeding 10 causes a permerror that most receivers treat as a fail. Use ip4: and ip6: where possible since they do not require DNS lookups.

  • Never use +all

    The +all qualifier authorizes every server on the internet to send email as your domain. This completely defeats the purpose of SPF and may cause receiving servers to flag your domain as a spoofing risk.

  • Publish only one SPF record per domain

    Multiple SPF records cause a permerror. If you need to authorize additional senders, modify your existing record rather than adding a new one.

  • Keep records under 255 characters per string

    DNS TXT records have a 255-character string limit. Long SPF records can be split into multiple strings within a single record, but it is better to keep them concise by removing unused mechanisms.

  • Combine with DKIM and DMARC

    SPF alone only authenticates the envelope sender, not the visible From: header. Deploy all three protocols together for comprehensive email authentication.
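
A pre-publication check for several of the practices listed above (record count, lookup budget, +all, missing -all, string length), as an added example that is not part of this page's generator. The names lint_spf, count_lookups and term_name and the sample records are hypothetical; the lookup count covers only the terms in the record itself, since lookups inside included records need DNS to resolve.

```python
# Terms that cost one DNS lookup each, as listed in the best practice above.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def term_name(term):
    """Strip the qualifier and any :value, =value or /cidr suffix from a term."""
    return term.lstrip("+-~?").replace("=", ":").split(":")[0].split("/")[0].lower()


def count_lookups(record):
    """Count lookup-costing terms in this record only; nested includes add more."""
    return sum(term_name(t) in LOOKUP_TERMS for t in record.split()[1:])


def lint_spf(txt_records):
    """Return (code, detail) findings for all TXT strings published at one name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [("record-count", f"{len(spf)} SPF records found, exactly 1 expected")]
    record, findings = spf[0], []
    terms = [t.lower() for t in record.split()[1:]]
    lookups = count_lookups(record)
    if lookups > 10:
        findings.append(("too-many-lookups", f"{lookups} lookup terms, limit is 10"))
    if "all" in terms or "+all" in terms:
        findings.append(("plus-all", "+all authorizes every sending server"))
    elif "-all" not in terms and not any(t.startswith("redirect=") for t in terms):
        findings.append(("no-hard-fail", "record has no -all term"))
    if len(record) > 255:
        findings.append(("long-string", f"{len(record)} characters, limit is 255 per string"))
    return findings


# Constructed sample inputs (not taken from any real domain).
ELEVEN = "v=spf1 " + " ".join(f"include:s{i}.example.net" for i in range(11)) + " -all"
SAMPLES = {
    "good": ["v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all"],
    "open": ["v=spf1 +all"],
    "soft": ["v=spf1 mx ~all"],
    "double": ["v=spf1 -all", "v=spf1 include:sendgrid.net ~all"],
    "deep": [ELEVEN],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, lint_spf(records))
```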

Frequently Asked Questions

What is an SPF record?

An SPF (Sender Policy Framework) record is a DNS TXT record published at your domain that lists the mail servers and IP addresses authorized to send email on your behalf. Receiving servers check this record to verify that incoming mail claiming to come from your domain actually originates from an authorized source.

What does the -all vs ~all qualifier mean?

The -all qualifier (hard fail) tells receiving servers to reject emails from unauthorized sources. The ~all qualifier (soft fail) marks unauthorized emails as suspicious but still delivers them. For production domains, -all provides the strongest protection against spoofing. Use ~all only during initial setup or testing.

Why is there a 10 DNS lookup limit for SPF?

RFC 7208 limits SPF records to 10 DNS lookups to prevent denial-of-service attacks and excessive DNS traffic. Each include:, a, mx, ptr, and redirect mechanism counts as one lookup. The ip4: and ip6: mechanisms do not count because they do not require DNS resolution. Exceeding 10 lookups causes a permerror, which most receivers treat as an SPF failure.

Can I have multiple SPF records on one domain?

No. RFC 7208 specifies that a domain must have at most one SPF record. If a domain publishes multiple SPF TXT records, receiving servers should return a permerror. If you need to authorize additional senders, add them to your existing SPF record using include: or ip4:/ip6: mechanisms rather than creating a second record.

How do I add a third-party email service to my SPF record?

Each email service provider publishes an SPF include domain. Add it to your record using the include: mechanism. For example, Google Workspace uses include:_spf.google.com and SendGrid uses include:sendgrid.net. Check your provider's documentation for their specific SPF include domain. Each include counts as one DNS lookup toward the 10-lookup limit.
