Free Tool
Create your SPF record in minutes
Build a valid SPF TXT record to authorize your email senders and improve deliverability. Our free SPF generator creates valid DNS records with real-time validation.
No signup required. Real-time validation.
Only a few providers require SPF includes. Most modern email services handle authentication via DKIM instead.
These providers require SPF includes in your domain's record.
These providers use their own Return-Path domain, so SPF checks happen against their servers. DMARC alignment is achieved via DKIM. No SPF include needed on your domain.
Use Custom MAIL FROM in AWS console
Domain Authentication via CNAME
SPF on sending subdomain only
DKIM + custom Return-Path CNAME
DKIM + tracking subdomain
DKIM-only alignment
DKIM-only alignment
DKIM-only alignment
SPF on SAP subdomain only
DKIM-only alignment
DKIM-only alignment
DKIM-only alignment
Comma-separated. Supports CIDR notation (e.g., 192.0.2.0/24).
Comma-separated. Supports CIDR notation (e.g., 2001:db8::/32).
RFC 7208 Warning: These mechanisms are discouraged because they consume DNS lookups and can cause reliability issues. Use ip4/ip6 instead when possible.
v=spf1 ~all
Warning: SPF records are limited to 10 DNS lookups. Reduce includes or use IP addresses directly.
@ or leave empty
Verification
Check your SPF configurationSPF (Sender Policy Framework) is an email authentication protocol that specifies which mail servers are authorized to send email on behalf of your domain. It works by publishing a DNS TXT record that lists approved sending sources.
When a receiving mail server gets an email, it checks the SPF record of the sender's domain. If the sending server's IP address matches the SPF record, the email passes SPF authentication. This helps prevent email spoofing and improves deliverability.
Creating an SPF record is straightforward with our free SPF generator. Select your email platform (Google Workspace, Microsoft 365, or Zoho Mail), add any custom IP addresses for your own mail servers, and choose your policy. The tool automatically builds a valid SPF record that you can copy and paste into your DNS settings.
Important: Most transactional and marketing email providers (like SendGrid, Mailchimp, and Postmark) don't require SPF includes on your root domain. These services use their own Return-Path domain and achieve DMARC alignment through DKIM. Our generator shows you which providers are auto-configured, helping you avoid wasting your 10 DNS lookup limit.
An SPF record (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. Without SPF, your emails may be marked as spam or rejected by providers like Gmail and Outlook. Since February 2024, Google and Yahoo require SPF for bulk senders.
Use our free SPF generator above. Enter your domain, select your email providers (like Google Workspace or Microsoft 365), add any custom IP addresses, choose your policy, and click copy. The tool will generate your SPF record automatically with proper syntax.
Yes! This SPF record builder is completely free with no signup required. You can create an SPF record in minutes and deploy it to your DNS provider immediately.
Add your DNS SPF record as a TXT record at your domain's root (@ or empty host). Log into your DNS provider (GoDaddy, Cloudflare, Namecheap, Route53, etc.), create a new TXT record, and paste the generated value.
SPF records are limited to 10 DNS lookups. Each include, a, mx, ptr, exists, and redirect counts toward this limit. Exceeding it causes SPF to fail with a PermError. Our generator shows a real-time counter to help you stay within the limit.
~all (SoftFail): Tells receivers to accept but mark emails that fail SPF. Recommended when using DMARC, as DMARC provides the final policy decision.
-all (Fail): Tells receivers to reject emails that fail SPF. Strictest policy, but may cause issues with email forwarding.
?all (Neutral): No policy assertion. SPF result has no effect on delivery. Rarely used.
No! Our SPF wizard guides you through the process step-by-step. Just select your email providers from the presets, and we handle the syntax. Copy the result and paste it into your DNS settings.
SPF checks the Return-Path (envelope-from) domain, not the visible "From" address. Many modern email providers use their own domain in the Return-Path (e.g., mcsv.net for Mailchimp), so SPF checks happen against their servers, not yours.
For DMARC to pass, you need alignment. These providers achieve this through DKIM signing with your domain, which satisfies DMARC even when SPF doesn't align. This is why adding their SPF include to your root domain is unnecessary and wastes precious DNS lookups.
Providers that require SPF: Google Workspace, Microsoft 365, and Zoho Mail use your domain in the Return-Path, so SPF includes are required.
Learn more about Return-Path and provider SPF requirements →
Send a test email through the provider and inspect the email headers:
Look for the Return-Path header. If it shows your domain (e.g., [email protected]), you need SPF. If it shows the provider's domain (e.g., [email protected]), SPF is handled automatically and you should focus on DKIM setup instead.
Each email provider publishes official SPF configuration guides. Here are direct links to their documentation:
Email Platforms
Transactional Email
Marketing Email
Support & CRM
SPF is just one part of email authentication. Combine it with DKIM and DMARC for complete protection against spoofing and phishing.