SPF Record Generator

Build SPF DNS TXT records visually with common mechanisms and copy the result to your DNS zone.

  1. Home
  2. Hash & Security
  3. SPF Record Generator

Enter your domain name to start building the SPF record. The domain is used for the v=spf1 version tag.


SPF Mechanisms

Enable the mechanisms you need. Each mechanism authorizes a specific source to send email for your domain.

Include SPF record of another domain (e.g., email service provider)

Authorize an IPv4 address or CIDR range

Authorize an IPv6 address or CIDR range

Authorize the domain's A or AAAA record (optional: specify a subdomain)

Authorize the domain's MX record (optional: specify a subdomain)

Authorize a domain's PTR record (optional)

Authorize via custom DNS lookup (advanced)

all (default result)

What to do with senders not matched by any mechanism. -all (Fail) is recommended to reject unauthorized senders.


SPF DNS TXT Record

Add this as a TXT record in your DNS zone. The record name should be your domain (e.g., @ or example.com).

What Is an SPF Record Generator?

Sender Policy Framework (SPF) is an email authentication method that specifies which mail servers are authorized to send email on behalf of your domain. It is published as a DNS TXT record and helps prevent email spoofing, phishing, and spam.

An SPF record contains a version tag (v=spf1) followed by one or more mechanisms that define authorized sources — IP addresses, domains, or include statements for third-party email services. Each mechanism can have a qualifier that tells receiving servers what to do if a message matches: pass (+), fail (-), softfail (~), or neutral (?). The record ends with a catch-all rule (all) that defines the default action for unmatched senders.

Common use cases include authorizing your own mail server IPs, including your email service provider's SPF record (e.g., Google Workspace, SendGrid, Mailgun), and setting a strict -all policy to reject all unauthorized senders.

How to Use This SPF Record Generator

  1. Enter your domain — Type the domain you want to protect (e.g., example.com).
  2. Enable mechanisms — Check the mechanisms you need. For most setups, include (for your email provider), ip4 (for your own mail server IP), and mx (to authorize your MX servers) are the most common.
  3. Configure qualifiers — Use the dropdown next to each mechanism to set the qualifier. Pass (+) is the default and appropriate for your own servers.
  4. Set the default policy — Choose -all (Fail) to reject all unauthorized senders. This is the recommended setting for strong email authentication.
  5. Copy the record — Click Copy and add the TXT record to your DNS zone through your domain registrar or DNS hosting provider.

Frequently Asked Questions

What SPF qualifier should I use for all?

-all (Fail) is the recommended setting. It tells receiving servers to reject email from any source not explicitly authorized. ~all (SoftFail) marks unauthorized email as suspicious but still delivers it — useful during testing. ?all (Neutral) takes no position, and +all (Pass) authorizes everything (defeats the purpose of SPF).

How do I include my email service provider?

Enable the include mechanism and enter your provider's SPF domain. For example: include:_spf.google.com for Google Workspace, include:spf.sendgrid.net for SendGrid, or include:spf.mailgun.org for Mailgun. You can add multiple include statements if you use more than one provider.

What is the difference between SPF and DKIM/DMARC?

SPF verifies the sending server's IP address is authorized. DKIM adds a cryptographic signature to verify message integrity. DMARC tells receiving servers how to handle email that fails SPF or DKIM checks. All three work together for comprehensive email authentication. Use the DKIM Record Generator and DMARC Record Generator to complete your email authentication setup.