SPF Record Generator
Build a valid SPF TXT record by selecting your email providers. Supports Google Workspace, Microsoft 365, SendGrid, and more. Live DNS lookup counter included.
Quick Answer
How do I generate an SPF record?
Select your email providers (Google Workspace, Microsoft 365, SendGrid, etc.), add any custom mail server IPs, choose softfail (~all) as your policy, and copy the generated record. Add it as a TXT record in your DNS with the name @ or your domain. A basic Google Workspace SPF record looks like: v=spf1 include:_spf.google.com ~all
Email providers
One domain per line. Each counts as 1 DNS lookup.
IPv4 or IPv6, one per line. IPs do not count toward the 10-lookup limit.
Fail policy
I send email from my own server
Adds a:yourdomain.com to authorize your mail server
Your SPF Record
Add as a TXT record in your DNS
v=spf1 ~all(select providers or add IPs to build your record)
DNS lookup usage
SPF enforces a maximum of 10 DNS lookups
0/10
How to add this record
- 1Log in to dash.cloudflare.com and select your domain.
- 2Click DNS in the left sidebar.
- 3Click Add Record.
- 4Set Type to TXT.
- 5Set Name to @ (represents your root domain).
- 6Paste your SPF record into the Content field.
- 7Set TTL to Auto and click Save.
DNS record values
About this tool
This SPF record generator creates a valid SPF TXT record from the options you select. Choose from eight common email service providers, enter any custom includes or IP addresses, pick a fail policy, and the tool assembles a correctly formatted record that you can paste directly into your DNS. It also tracks your DNS lookup count in real time, so you never accidentally exceed the 10-lookup limit that causes SPF PermErrors.
SPF is one of three core email authentication standards alongside DKIM and DMARC. A missing or incorrect SPF record increases the chance of your emails landing in spam, and leaves your domain open to spoofing. This tool is useful for domain owners setting up email for the first time, IT administrators migrating between email providers, developers configuring transactional email services, and anyone troubleshooting email deliverability problems.
How it works
- 1
Select your email providers
Check the boxes for every service you use to send email. Each selected provider adds one include: mechanism to your record.
- 2
Add custom includes or IPs
If you use services not listed, enter their include domain in the custom includes box. Add individual server IP addresses in the IPs field -- they do not count toward the lookup limit.
- 3
Choose your policy
Pick softfail (~all) to start. It marks suspicious email without blocking it, giving you time to find any missing senders before switching to hardfail (-all).
- 4
Copy and add to DNS
Click Copy next to the generated record, then add it as a TXT record in your DNS provider with the name @ and TTL set to 3600 or Auto.
SPF mechanisms
| Mechanism | Syntax example | Lookup cost | When to use |
|---|---|---|---|
| include | include:_spf.google.com | 1 lookup | Authorize a third-party email service |
| ip4 | ip4:192.168.1.1 | 0 lookups | Authorize a specific IPv4 address or range |
| ip6 | ip6:2001:db8::1 | 0 lookups | Authorize a specific IPv6 address |
| a | a:mail.example.com | 1 lookup | Authorize your own mail server by hostname |
| mx | mx:example.com | 1 lookup | Authorize servers listed in your MX records |
| ptr | ptr:example.com | 1 lookup | Authorize by reverse DNS -- not recommended |
SPF policy comparison
| Policy | Symbol | What happens to unauthorized email | Recommendation |
|---|---|---|---|
| Softfail | ~all | Accepted but tagged as suspicious | Recommended starting point |
| Hardfail | -all | Rejected by receiving mail server | Use when all senders are confirmed |
| Neutral | ?all | No statement -- treated as no SPF | Not recommended |
| Allow all | +all | Any server may send as your domain | Never use in production |