Free Tool
Create your SPF record in minutes
Build a valid SPF TXT record to authorize your email senders and improve deliverability. Our free SPF generator creates valid DNS records with real-time validation.
No signup required. Real-time validation.
Start with providers that clearly require root-domain SPF includes. Many other providers are setup-dependent: default modes often rely on DKIM, while custom Return-Path/MAIL FROM modes may require SPF on a sender subdomain.
These providers commonly require SPF includes on your main domain record.
Use this only when provider documentation explicitly requires an SPF include for your chosen setup (for example custom Return-Path or custom MAIL FROM).
Comma-separated. Includes count toward the 10 DNS lookup limit and may belong on a sender subdomain.
Default setups often use provider-owned Return-Path domains and DKIM. If you enable custom Return-Path or MAIL FROM, SPF may be required (often on a subdomain).
Default MAIL FROM uses amazonses.com; custom MAIL FROM needs SPF on that subdomain
Automatic CNAME mode usually handles SPF; custom return-path/manual mode may need SPF
SPF usually needed on your sending domain/subdomain
Default provider Return-Path; custom Return-Path supports SPF alignment
DKIM-first setup; some domain modes still require SPF include
Usually DKIM-based; check docs when custom bounce domain is enabled
Usually DKIM-based; SPF needs depend on plan and sending mode
Email sending domain setup can include SPF requirements
SPF on SAP subdomain only
Can require SPF include when sending on behalf of your domain
SPF may be needed depending on mailbox/authentication setup
Usually provider SPF; custom return-path option can affect SPF alignment
Comma-separated. Supports CIDR notation (e.g., 192.0.2.0/24).
Comma-separated. Supports CIDR notation (e.g., 2001:db8::/32).
RFC 7208 Warning: These mechanisms are discouraged because they consume DNS lookups and can cause reliability issues. Use ip4/ip6 instead when possible.
v=spf1 ~all
Warning: SPF records are limited to 10 DNS lookups. Reduce includes or use IP addresses directly.
@ or leave empty
Verification
Check your SPF configuration
SPF (Sender Policy Framework) is an email authentication protocol that specifies which mail servers are authorized to send email on behalf of your domain. It works by publishing a DNS TXT record that lists approved sending sources.
When a receiving mail server gets an email, it checks the SPF record of the sender's domain. If the sending server's IP address matches the SPF record, the email passes SPF authentication. This helps prevent email spoofing and improves deliverability.
SPF authentication happens during the email delivery process. Here's a step-by-step breakdown:
When your server sends an email, it connects to the recipient's mail server and identifies itself with an IP address.
The receiving server extracts the domain from the Return-Path (envelope sender) and queries DNS for the SPF record.
The receiver checks if the sending server's IP address is listed in the SPF record's authorized sources.
Based on the match and your policy (~all, -all), the server assigns a result: pass, fail, softfail, or neutral.
The SPF result is factored into the spam filtering decision, along with DKIM and DMARC results.
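The check described in the steps above, as an added example that is not part of the original page or the generator's code. It evaluates only the `ip4`, `ip6` and `all` terms; the `SAMPLE_TXT` dictionary is a constructed stand-in for the DNS query, and the function name `check_spf` is hypothetical.

```python
import ipaddress

# Constructed sample data: a stand-in for DNS TXT lookups (documentation IP ranges).
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "strict.example": "v=spf1 ip4:198.51.100.7 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(return_path, client_ip, txt=SAMPLE_TXT):
    """Evaluate ip4/ip6/all terms only; DNS-based mechanisms are out of scope."""
    # SPF uses the envelope sender (Return-Path) domain, not the visible From.
    domain = return_path.strip("<>").rpartition("@")[2].lower()
    record = txt.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # no SPF record published for the envelope domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        # A leading +, -, ~ or ? is the qualifier; the default is + (pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: the policy decides
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            # An ip4 term never matches an IPv6 client and vice versa.
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 default when nothing matched and no "all" term
```

Terms are evaluated left to right and the first match wins, which is why `~all` or `-all` belongs at the end of the record.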
SPF is a foundational email authentication protocol. Here's why it's essential for your domain:
SPF declares which servers can send email for you. Without it, spammers can easily forge your email address and damage your reputation.
Major providers like Gmail, Microsoft, and Yahoo check SPF. Emails from domains without SPF are more likely to be flagged as spam.
Since February 2024, Google and Yahoo require SPF for bulk email senders. Without it, your marketing emails may be rejected.
SPF is one of two authentication methods (alongside DKIM) that DMARC uses to verify email legitimacy. For full protection, you need both.
When criminals spoof your domain, recipients blame your brand for the spam or phishing. SPF helps prevent this reputation damage.
With SPF in place and DMARC reporting enabled, you can see exactly who is sending email using your domain.
SPF is straightforward, but these common mistakes can cause authentication failures or delivery problems:
Each include, a, mx, ptr, exists, and redirect counts toward a 10-lookup limit. Exceeding it causes SPF to fail with PermError. Use ip4/ip6 instead of includes when possible.
Your domain should have exactly one SPF TXT record. Multiple records cause SPF to fail. Combine all mechanisms into a single record.
Many providers default to their own Return-Path, so adding includes without checking docs wastes lookups. If custom Return-Path or MAIL FROM is enabled, SPF may still be required on that sender domain.
The -all (hard fail) policy can cause legitimate email to be rejected if you haven't authorized all your sending sources. Start with ~all and DMARC monitoring.
If you have a web server that sends email (contact forms, notifications), make sure its IP address is included in your SPF record.
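An added example (not from the original page or the generator's code) that checks for the first two mistakes above: the lookup limit, counted through nested includes, and duplicate SPF records. `SAMPLE_ZONE` is a constructed stand-in for DNS, and the names `spf_records`, `count_lookups` and `lint` are hypothetical.

```python
# Constructed sample zone: domain -> list of TXT strings (stand-in for DNS).
SAMPLE_ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:send.crm.example mx ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "send.crm.example": ["v=spf1 a mx exists:%{i}.rbl.crm.example ~all"],
    "big.example": ["v=spf1 include:example.com include:send.crm.example -all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 ~all", "v=spf1 include:_a.mail.example ~all"],
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def spf_records(domain, zone):
    """Return only the TXT strings that are SPF records."""
    return [t for t in zone.get(domain, []) if t.split()[:1] == ["v=spf1"]]


def count_lookups(domain, zone=SAMPLE_ZONE, path=()):
    """Count lookup-consuming terms, following include/redirect recursively."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:  # include loop, or missing/duplicate record
        return 0
    total = 0
    for term in records[0].split()[1:]:
        mech = term.lstrip("+-~?").lower()
        # Mechanisms use "name:value"; the redirect modifier uses "name=value".
        name, _, target = mech.replace("=", ":", 1).partition(":")
        name = name.split("/")[0]  # "a/24" and "mx/24" still cost one lookup
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target, zone, path + (domain,))
    return total


def lint(domain, zone=SAMPLE_ZONE):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    n_records = len(spf_records(domain, zone))
    if n_records != 1:
        problems.append(f"{n_records} SPF records (need exactly 1)")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups (limit 10)")
    return problems
```

The constructed `big.example` record contains only two includes but resolves to 13 lookups once the nested records are followed, which is the case a count of the top-level record alone misses.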
Creating an SPF record is straightforward with our free SPF generator. Select providers that require root-domain SPF includes, add any custom IP addresses for your own mail servers, optionally add provider-specific includes from official docs, and choose your policy. The tool automatically builds a valid SPF record that you can copy and paste into your DNS settings.
Important: For many transactional and marketing providers, root-domain SPF includes are optional in default setups because they use provider-owned Return-Path domains and rely on DKIM for DMARC alignment. If you enable custom Return-Path or custom MAIL FROM, SPF may be required on the sending subdomain.
An SPF record (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. Without SPF, your emails may be marked as spam or rejected by providers like Gmail and Outlook. Since February 2024, Google and Yahoo require SPF for bulk senders.
Use our free SPF generator above. Enter your domain, select your email providers (like Google Workspace or Microsoft 365), add any custom IP addresses, choose your policy, and click copy. The tool will generate your SPF record automatically with proper syntax.
Yes! This SPF record builder is completely free with no signup required. You can create an SPF record in minutes and deploy it to your DNS provider immediately.
Add your DNS SPF record as a TXT record at your domain's root (@ or empty host). Log into your DNS provider (GoDaddy, Cloudflare, Namecheap, Route53, etc.), create a new TXT record, and paste the generated value.
SPF records are limited to 10 DNS lookups. Each include, a, mx, ptr, exists, and redirect counts toward this limit. Exceeding it causes SPF to fail with a PermError. Our generator shows a real-time counter to help you stay within the limit.
~all (SoftFail): Tells receivers to accept but mark emails that fail SPF. Recommended when using DMARC, as DMARC provides the final policy decision.
-all (Fail): Tells receivers to reject emails that fail SPF. Strictest policy, but may cause issues with email forwarding.
?all (Neutral): No policy assertion. SPF result has no effect on delivery. Rarely used.
No! Our SPF wizard guides you through the process step-by-step. Just select your email providers from the presets, and we handle the syntax. Copy the result and paste it into your DNS settings.
SPF checks the Return-Path (envelope-from) domain, not the visible "From" address. Many modern email providers use their own domain in the Return-Path (e.g., mcsv.net for Mailchimp), so SPF checks happen against their servers, not yours.
For DMARC to pass, you need alignment. Default provider setups usually achieve this via DKIM signing with your domain, which often means no extra SPF include on your root domain.
Important: This is setup-dependent. If you enable custom Return-Path or MAIL FROM on your own domain/subdomain, SPF can be required for that sender domain.
Send a test email through the provider and inspect the email headers:
Look for the Return-Path header. If it shows your domain or a subdomain you control (e.g., [email protected]), you likely need SPF for that sender domain. If it shows the provider's domain (e.g., [email protected]), SPF is usually handled by the provider and DKIM becomes your primary alignment path.
Each email provider publishes official SPF configuration guides. Here are direct links to their documentation:
Email Platforms
Transactional Email
Marketing Email
Support & CRM
SPF is just one part of email authentication. Combine it with DKIM and DMARC for complete protection against spoofing and phishing.