SPF Record Generator
Build a valid SPF TXT record for your domain. Add IP addresses, mail servers, and third-party senders — get the exact DNS value to publish.
What Is an SPF Record and Why Does It Matter?
An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. When a recipient server receives a message claiming to come from your domain, it queries your SPF record to verify the sending IP is listed. If the IP is not authorized, the message may be rejected or marked as spam.
SPF is one of the three foundational email authentication standards, alongside DKIM and DMARC. Without it, anyone can forge your domain in the envelope sender field, making your domain a target for phishing and spoofing attacks. Most modern mailbox providers and enterprise mail gateways check SPF before accepting mail.
Understanding SPF Record Syntax
Every SPF record starts with v=spf1, which declares the version. After that, you add mechanisms listing authorized senders. The record ends with the all mechanism, whose leading qualifier sets the policy for every sender not matched by an earlier mechanism.
- ip4:x.x.x.x — authorizes a single IPv4 address
- ip4:x.x.x.x/24 — authorizes an IPv4 CIDR range
- ip6:::1 — authorizes an IPv6 address
- include:domain.com — imports the SPF record of another domain (used for third-party senders)
- a — authorizes the domain's A record IP
- mx — authorizes the domain's MX record IPs
SPF Policy Qualifiers Explained
The qualifier at the end of your SPF record controls what receiving servers do with mail from unauthorized senders.
| Qualifier | Behavior |
|---|---|
| +all | All senders pass. Never use this — it defeats SPF entirely. |
| ~all | Softfail — unauthorized mail is accepted but flagged. Use while testing. |
| -all | Hard fail — unauthorized mail is rejected. Use in production. |
| ?all | Neutral — no policy stated. Rarely useful. |
Common SPF Include Directives
If you use third-party email services, you need to add their authorized sending domains using include: directives. Here are the most commonly used ones:
- Google Workspace: include:_spf.google.com
- Microsoft 365: include:spf.protection.outlook.com
- Mailchimp: include:servers.mcsv.net
- SendGrid: include:sendgrid.net
- Mailgun: include:mailgun.org
SPF Lookup Limits and How to Stay Under Them
SPF has a hard limit of 10 DNS lookups during evaluation. Every include:, a, and mx mechanism counts as a lookup. Many third-party SPF records themselves trigger additional lookups internally. If your record exceeds 10 total lookups, SPF evaluation returns a PermError, which is treated as a failure. To stay under the limit, use direct IP addresses where possible and avoid chains of nested includes.
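An added example, not part of this page or its generator tool: a small offline linter that counts lookups through nested includes and also flags +all and more than one v=spf1 record on a domain. The ZONE data and every .example name are constructed; redirect is counted as a lookup per RFC 7208 although the page does not list it, and the total is the worst case, since a real evaluator stops at the first matching mechanism.

```python
import re
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that query DNS
LIMIT = 10
ZONE = {  # constructed TXT data standing in for live DNS; all names are hypothetical
    "ok.example": ["v=spf1 ip4:192.0.2.10 mx include:_spf.mailer.example -all"],
    "busy.example": ["v=spf1 a mx include:_spf.mailer.example include:_spf.crm.example -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.mailer.example ~all"],
    "open.example": ["v=spf1 +all"],
    "_spf.mailer.example": ["v=spf1 include:a.mailer.example include:b.mailer.example ~all"],
    "a.mailer.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "b.mailer.example": ["v=spf1 a mx ~all"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.allow.crm.example ~all"],
}

def spf_records(domain, zone):
    """TXT strings at `domain` whose first token is v=spf1."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def parse_terms(record):
    """Yield (qualifier, name, argument) for each term after the version tag."""
    for term in record.split()[1:]:
        m = re.match(r"([+\-~?]?)([a-z0-9]+)[:=/]?(.*)", term.lower())
        if m:
            yield m.group(1) or "+", m.group(2), m.group(3)  # default qualifier is +

def count_lookups(domain, zone, seen=frozenset()):
    """Worst-case DNS lookups: every querying term, following include/redirect."""
    records = spf_records(domain, zone)
    if len(records) != 1 or domain in seen:
        raise ValueError(f"permerror: {len(records)} SPF records at {domain}, or an include loop")
    total = 0
    for _, name, arg in parse_terms(records[0]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, seen | {domain})
    return total

def audit(domain, zone=ZONE):
    """Findings for the SPF record at `domain`; an empty list means none."""
    try:
        n = count_lookups(domain, zone)
    except ValueError as exc:
        return [str(exc)]
    terms = parse_terms(spf_records(domain, zone)[0])
    findings = [f"permerror: {n} DNS lookups, limit is {LIMIT}"] if n > LIMIT else []
    if any(q == "+" and name == "all" for q, name, _ in terms):
        findings.append("+all authorizes every sender")
    return findings
```

In the sample data, busy.example shows only four lookup terms in its own record but reaches 11 once the nested includes are followed.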
SPF Works Best With DKIM and DMARC
SPF alone protects the envelope sender (Return-Path), not the visible From address. For complete spoofing protection, you also need DKIM to sign your messages and DMARC to align authentication results with the From header. Together, these three standards form the email authentication baseline expected by Gmail, Outlook, and Yahoo Mail.
After setting up SPF, make sure your lists are clean too. Email verification removes invalid and risky addresses before you send, which keeps bounce rates low and protects the sender reputation you build with proper authentication. You can also verify addresses in bulk via bulk email verification or integrate verification directly into your stack via the email validation API.
Frequently Asked Questions
1. What does SPF stand for and why does it matter?
SPF stands for Sender Policy Framework. It is a DNS-based email authentication method that lets domain owners specify which mail servers are allowed to send email on their behalf. Without SPF, any server can claim to send mail from your domain, making phishing trivially easy. ISPs and spam filters use SPF results as a primary trust signal when deciding whether to deliver your email.
2. How do I publish an SPF record?
Generate your SPF record using this tool, then log into your DNS provider and add a TXT record on your domain root (often represented as @ or your bare domain) with the generated value. Changes typically propagate within 30 minutes but can take up to 48 hours globally.
3. What is the difference between ~all and -all?
~all (softfail) tells receiving servers that emails from unlisted IPs are suspicious but should still be accepted. -all (hardfail) instructs servers to reject or heavily penalize unlisted senders. Use ~all when setting up SPF for the first time, then switch to -all once you are confident all your sending services are listed.
4. Can I have multiple SPF records on one domain?
No. A domain must have exactly one SPF record. If two TXT records beginning with v=spf1 exist on the same domain, SPF evaluation results in a permanent error, causing all mail to fail the SPF check. Combine all your mechanisms into a single record.
5. How many DNS lookups does an SPF record allow?
SPF limits the total number of DNS-querying mechanisms (include, a, mx, ptr, exists) to 10 per evaluation. Exceeding this limit results in a permerror. Count your includes carefully — many providers chain multiple nested includes that each count toward your limit.
6. Does SPF alone prevent email spoofing?
SPF only authenticates the envelope-from (MAIL FROM) address, not the visible From header shown to recipients. Attackers can still spoof the From header even if SPF passes. To fully prevent domain spoofing visible in the inbox, you need DMARC policy aligned with both SPF and DKIM.