SPF Record Generator

Build a valid SPF TXT record by selecting your email providers. Supports Google Workspace, Microsoft 365, SendGrid, and more. Live DNS lookup counter included.

Free Tool

Quick Answer

How do I generate an SPF record?

Select your email providers (Google Workspace, Microsoft 365, SendGrid, etc.), add any custom mail server IPs, choose softfail (~all) as your policy, and copy the generated record. Add it as a TXT record in your DNS with the name @ or your domain. A basic Google Workspace SPF record looks like: v=spf1 include:_spf.google.com ~all

Email providers

One domain per line. Each counts as 1 DNS lookup.

IPv4 or IPv6, one per line. IPs do not count toward the 10-lookup limit.

Fail policy

I send email from my own server

Adds a:yourdomain.com to authorize your mail server

Your SPF Record

Add as a TXT record in your DNS

v=spf1 ~all(select providers or add IPs to build your record)

DNS lookup usage

SPF enforces a maximum of 10 DNS lookups

0/10

How to add this record

  1. 1Log in to dash.cloudflare.com and select your domain.
  2. 2Click DNS in the left sidebar.
  3. 3Click Add Record.
  4. 4Set Type to TXT.
  5. 5Set Name to @ (represents your root domain).
  6. 6Paste your SPF record into the Content field.
  7. 7Set TTL to Auto and click Save.

DNS record values

TypeTXT
Name@ or yourdomain.com
TTL3600 or Auto
Valuethe generated record

About this tool

This SPF record generator creates a valid SPF TXT record from the options you select. Choose from eight common email service providers, enter any custom includes or IP addresses, pick a fail policy, and the tool assembles a correctly formatted record that you can paste directly into your DNS. It also tracks your DNS lookup count in real time, so you never accidentally exceed the 10-lookup limit that causes SPF PermErrors.

SPF is one of three core email authentication standards alongside DKIM and DMARC. A missing or incorrect SPF record increases the chance of your emails landing in spam, and leaves your domain open to spoofing. This tool is useful for domain owners setting up email for the first time, IT administrators migrating between email providers, developers configuring transactional email services, and anyone troubleshooting email deliverability problems.

How it works

  1. 1

    Select your email providers

    Check the boxes for every service you use to send email. Each selected provider adds one include: mechanism to your record.

  2. 2

    Add custom includes or IPs

    If you use services not listed, enter their include domain in the custom includes box. Add individual server IP addresses in the IPs field -- they do not count toward the lookup limit.

  3. 3

    Choose your policy

    Pick softfail (~all) to start. It marks suspicious email without blocking it, giving you time to find any missing senders before switching to hardfail (-all).

  4. 4

    Copy and add to DNS

    Click Copy next to the generated record, then add it as a TXT record in your DNS provider with the name @ and TTL set to 3600 or Auto.

SPF mechanisms

MechanismSyntax exampleLookup costWhen to use
includeinclude:_spf.google.com1 lookupAuthorize a third-party email service
ip4ip4:192.168.1.10 lookupsAuthorize a specific IPv4 address or range
ip6ip6:2001:db8::10 lookupsAuthorize a specific IPv6 address
aa:mail.example.com1 lookupAuthorize your own mail server by hostname
mxmx:example.com1 lookupAuthorize servers listed in your MX records
ptrptr:example.com1 lookupAuthorize by reverse DNS -- not recommended

SPF policy comparison

PolicySymbolWhat happens to unauthorized emailRecommendation
Softfail~allAccepted but tagged as suspiciousRecommended starting point
Hardfail-allRejected by receiving mail serverUse when all senders are confirmed
Neutral?allNo statement -- treated as no SPFNot recommended
Allow all+allAny server may send as your domainNever use in production

Frequently asked questions

What is an SPF record?
An SPF (Sender Policy Framework) record is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. It helps receiving mail servers verify that incoming email from your domain is legitimate and reduces spam and spoofing.
What is the difference between softfail and hardfail in SPF?
A softfail (~all) means emails from unauthorized servers are accepted but marked as suspicious. A hardfail (-all) means emails from unauthorized servers are rejected outright. Most organizations start with softfail and move to hardfail after confirming all legitimate sending sources are included.
What is the SPF 10 DNS lookup limit?
SPF records are limited to 10 DNS lookups during evaluation. Each include, a, mx, and ptr mechanism counts as one lookup. Exceeding 10 lookups causes a PermError which can result in legitimate emails failing SPF. Use ip4 and ip6 mechanisms where possible as they do not count toward the limit.
Can I have multiple SPF records for one domain?
No. You must have exactly one SPF TXT record per domain. Having two SPF records causes a PermError and breaks SPF authentication for your domain. If you need to authorize multiple services, combine them into a single record using multiple include statements.
How do I add an SPF record in Cloudflare?
In Cloudflare, go to your domain, click DNS, then Add Record. Set Type to TXT, Name to @ (or your domain), and paste your SPF record in the Content field. Set TTL to Auto and save. Changes propagate within minutes.
How long does it take for an SPF record to propagate?
SPF records typically propagate within 15 to 30 minutes for most DNS providers. Full global propagation can take up to 48 hours in rare cases. You can verify propagation using the Vortenza SPF/DKIM/DMARC Checker tool.
Do I need SPF if I use Google Workspace?
Yes. Even with Google Workspace, you need to add an SPF record to your domain DNS. The minimum record is: v=spf1 include:_spf.google.com ~all. Without it, some receiving servers may mark your emails as spam even when sent through Gmail.
What happens if I have no SPF record?
Without an SPF record, receiving mail servers cannot verify if your email is legitimate. This increases the likelihood of your emails landing in spam folders and makes your domain vulnerable to spoofing attacks where others send email pretending to be from your domain.

Related guides

Related tools