Free Tool
Create your SPF record in minutes
Build a valid SPF TXT record to authorize your email senders and improve deliverability. Our free SPF generator creates valid DNS records with real-time validation.
No signup required. Real-time validation.
Only a few providers require SPF includes. Most modern email services handle authentication via DKIM instead.
These providers require SPF includes in your domain's record.
These providers use their own Return-Path domain, so SPF checks happen against their servers. DMARC alignment is achieved via DKIM. No SPF include needed on your domain.
Use Custom MAIL FROM in AWS console
Domain Authentication via CNAME
SPF on sending subdomain only
DKIM + custom Return-Path CNAME
DKIM + tracking subdomain
DKIM-only alignment
DKIM-only alignment
DKIM-only alignment
SPF on SAP subdomain only
DKIM-only alignment
DKIM-only alignment
DKIM-only alignment
Comma-separated. Supports CIDR notation (e.g., 192.0.2.0/24).
Comma-separated. Supports CIDR notation (e.g., 2001:db8::/32).
RFC 7208 Warning: These mechanisms are discouraged because they consume DNS lookups and can cause reliability issues. Use ip4/ip6 instead when possible.
v=spf1 ~all
Warning: SPF records are limited to 10 DNS lookups. Reduce includes or use IP addresses directly.
@ or leave empty
Verification
Check your SPF configurationSPF (Sender Policy Framework) is an email authentication protocol that specifies which mail servers are authorized to send email on behalf of your domain. It works by publishing a DNS TXT record that lists approved sending sources.
When a receiving mail server gets an email, it checks the SPF record of the sender's domain. If the sending server's IP address matches the SPF record, the email passes SPF authentication. This helps prevent email spoofing and improves deliverability.
SPF authentication happens during the email delivery process. Here's a step-by-step breakdown:
When your server sends an email, it connects to the recipient's mail server and identifies itself with an IP address.
The receiving server extracts the domain from the Return-Path (envelope sender) and queries DNS for the SPF record.
The receiver checks if the sending server's IP address is listed in the SPF record's authorized sources.
Based on the match and your policy (~all, -all), the server assigns a result: pass, fail, softfail, or neutral.
The SPF result is factored into the spam filtering decision, along with DKIM and DMARC results.
SPF is a foundational email authentication protocol. Here's why it's essential for your domain:
SPF declares which servers can send email for you. Without it, spammers can easily forge your email address and damage your reputation.
Major providers like Gmail, Microsoft, and Yahoo check SPF. Emails from domains without SPF are more likely to be flagged as spam.
Since February 2024, Google and Yahoo require SPF for bulk email senders. Without it, your marketing emails may be rejected.
SPF is one of two authentication methods (alongside DKIM) that DMARC uses to verify email legitimacy. For full protection, you need both.
When criminals spoof your domain, recipients blame your brand for the spam or phishing. SPF helps prevent this reputation damage.
With SPF in place and DMARC reporting enabled, you can see exactly who is sending email using your domain.
SPF is straightforward, but these common mistakes can cause authentication failures or delivery problems:
Each include, a, mx, ptr, exists, and redirect counts toward a 10-lookup limit. Exceeding it causes SPF to fail with PermError. Use ip4/ip6 instead of includes when possible.
Your domain should have exactly one SPF TXT record. Multiple records cause SPF to fail. Combine all mechanisms into a single record.
Providers like Mailchimp, SendGrid, and Postmark handle SPF via their own Return-Path. Adding their includes wastes lookups and provides no benefit.
The -all (hard fail) policy can cause legitimate email to be rejected if you haven't authorized all your sending sources. Start with ~all and DMARC monitoring.
If you have a web server that sends email (contact forms, notifications), make sure its IP address is included in your SPF record.
Creating an SPF record is straightforward with our free SPF generator. Select your email platform (Google Workspace, Microsoft 365, or Zoho Mail), add any custom IP addresses for your own mail servers, and choose your policy. The tool automatically builds a valid SPF record that you can copy and paste into your DNS settings.
Important: Most transactional and marketing email providers (like SendGrid, Mailchimp, and Postmark) don't require SPF includes on your root domain. These services use their own Return-Path domain and achieve DMARC alignment through DKIM. Our generator shows you which providers are auto-configured, helping you avoid wasting your 10 DNS lookup limit.
An SPF record (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. Without SPF, your emails may be marked as spam or rejected by providers like Gmail and Outlook. Since February 2024, Google and Yahoo require SPF for bulk senders.
Use our free SPF generator above. Enter your domain, select your email providers (like Google Workspace or Microsoft 365), add any custom IP addresses, choose your policy, and click copy. The tool will generate your SPF record automatically with proper syntax.
Yes! This SPF record builder is completely free with no signup required. You can create an SPF record in minutes and deploy it to your DNS provider immediately.
Add your DNS SPF record as a TXT record at your domain's root (@ or empty host). Log into your DNS provider (GoDaddy, Cloudflare, Namecheap, Route53, etc.), create a new TXT record, and paste the generated value.
SPF records are limited to 10 DNS lookups. Each include, a, mx, ptr, exists, and redirect counts toward this limit. Exceeding it causes SPF to fail with a PermError. Our generator shows a real-time counter to help you stay within the limit.
~all (SoftFail): Tells receivers to accept but mark emails that fail SPF. Recommended when using DMARC, as DMARC provides the final policy decision.
-all (Fail): Tells receivers to reject emails that fail SPF. Strictest policy, but may cause issues with email forwarding.
?all (Neutral): No policy assertion. SPF result has no effect on delivery. Rarely used.
No! Our SPF wizard guides you through the process step-by-step. Just select your email providers from the presets, and we handle the syntax. Copy the result and paste it into your DNS settings.
SPF checks the Return-Path (envelope-from) domain, not the visible "From" address. Many modern email providers use their own domain in the Return-Path (e.g., mcsv.net for Mailchimp), so SPF checks happen against their servers, not yours.
For DMARC to pass, you need alignment. These providers achieve this through DKIM signing with your domain, which satisfies DMARC even when SPF doesn't align. This is why adding their SPF include to your root domain is unnecessary and wastes precious DNS lookups.
Providers that require SPF: Google Workspace, Microsoft 365, and Zoho Mail use your domain in the Return-Path, so SPF includes are required.
Learn more about Return-Path and provider SPF requirements →
Send a test email through the provider and inspect the email headers:
Look for the Return-Path header. If it shows your domain (e.g., [email protected]), you need SPF. If it shows the provider's domain (e.g., [email protected]), SPF is handled automatically and you should focus on DKIM setup instead.
Each email provider publishes official SPF configuration guides. Here are direct links to their documentation:
Email Platforms
Transactional Email
Marketing Email
Support & CRM
SPF is just one part of email authentication. Combine it with DKIM and DMARC for complete protection against spoofing and phishing.