AES Encryption Explained: How It Works and Why It Matters
Jun 23, 2026
Build SPF DNS TXT records visually with common mechanisms and copy the result to your DNS zone.
Enter your domain name to start building the SPF record. The domain is used for the v=spf1 version tag.
Enable the mechanisms you need. Each mechanism authorizes a specific source to send email for your domain.
Include SPF record of another domain (e.g., email service provider)
Authorize an IPv4 address or CIDR range
Authorize an IPv6 address or CIDR range
Authorize the domain's A or AAAA record (optional: specify a subdomain)
Authorize the domain's MX record (optional: specify a subdomain)
Authorize a domain's PTR record (optional)
Authorize via custom DNS lookup (advanced)
What to do with senders not matched by any mechanism. -all (Fail) is recommended to reject unauthorized senders.
Add this as a TXT record in your DNS zone. The record name should be your domain (e.g., @ or example.com).
Sender Policy Framework (SPF) is an email authentication method that specifies which mail servers are authorized to send email on behalf of your domain. It is published as a DNS TXT record and helps prevent email spoofing, phishing, and spam.
An SPF record contains a version tag (v=spf1) followed by one or more mechanisms that define authorized sources — IP addresses, domains, or include statements for third-party email services. Each mechanism can have a qualifier that tells receiving servers what to do if a message matches: pass (+), fail (-), softfail (~), or neutral (?). The record ends with a catch-all rule (all) that defines the default action for unmatched senders.
Common use cases include authorizing your own mail server IPs, including your email service provider's SPF record (e.g., Google Workspace, SendGrid, Mailgun), and setting a strict -all policy to reject all unauthorized senders.
example.com).include (for your email provider), ip4 (for your own mail server IP), and mx (to authorize your MX servers) are the most common.all?-all (Fail) is the recommended setting. It tells receiving servers to reject email from any source not explicitly authorized. ~all (SoftFail) marks unauthorized email as suspicious but still delivers it — useful during testing. ?all (Neutral) takes no position, and +all (Pass) authorizes everything (defeats the purpose of SPF).
Enable the include mechanism and enter your provider's SPF domain. For example: include:_spf.google.com for Google Workspace, include:spf.sendgrid.net for SendGrid, or include:spf.mailgun.org for Mailgun. You can add multiple include statements if you use more than one provider.
SPF verifies the sending server's IP address is authorized. DKIM adds a cryptographic signature to verify message integrity. DMARC tells receiving servers how to handle email that fails SPF or DKIM checks. All three work together for comprehensive email authentication. Use the DKIM Record Generator and DMARC Record Generator to complete your email authentication setup.
Blog
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026
Jun 23, 2026