Free Tool

SPF Record Generator

Build a valid SPF record for your domain in under a minute. Select your email providers, set your policy, and get a copy-paste TXT record — no account, no data collection.

Domain

Providers

Options

Your Record

Enter your domain

The domain you send email from. Don't include "www" or "https".

New to SPF? An SPF record tells email providers which servers are allowed to send from your domain — it's a key step in preventing spoofing and staying out of spam.

What is an SPF record?

SPF (Sender Policy Framework) is a DNS record that tells receiving mail servers which IP addresses and services are authorized to send email on behalf of your domain. When an email arrives, the recipient's server checks your SPF record to verify the sender is legitimate.

Without SPF, anyone can send email claiming to be from your domain. With SPF configured correctly, you reduce spoofing, improve deliverability, and signal to inbox providers that your domain is properly maintained — one of the foundational authentication steps alongside DKIM and DMARC.

How SPF works

An SPF record is a TXT record in your domain's DNS. It lists the mail servers and third-party services permitted to send on your behalf. When a receiving server gets an email from your domain, it:

1Extracts the sending domain from the email's Return-Path (envelope sender)

2Looks up the SPF TXT record for that domain

3Checks whether the sending server's IP matches any authorized mechanism

4Applies the result (pass, softfail, hardfail, neutral) according to your ~all or -all policy

~all vs -all: which policy should you use?

~all

Softfail

Recommended

Unauthorized mail is accepted but flagged. Start here if you're not sure all your sending sources are in the record — it won't break legitimate mail while you tune the record.

-all

Hardfail

Advanced

Unauthorized mail is rejected. Use this only once you're confident every authorized sender is listed. A missing provider means their mail bounces.

?all

Neutral

Not recommended

No enforcement. Effectively the same as having no SPF record. Don't use this in production — it provides zero protection against spoofing.

The SPF 10-lookup limit

SPF has a hard limit of 10 DNS lookups per evaluation (defined in RFC 7208). Every include:, a, and mx mechanism counts as one lookup. If your record exceeds 10, some receivers will return a PermError and treat the check as failed — harming deliverability.

If you're using many third-party senders, consider an SPF flattening service that pre-resolves include: chains into direct IP ranges, keeping your lookup count at 1.

Why SPF matters for cold email

Prevents domain spoofing

SPF stops bad actors from sending phishing or spam using your domain name, protecting your brand and your contacts.

Required for inbox placement

Gmail, Outlook, and Yahoo require SPF (alongside DKIM) as a baseline. Missing or misconfigured SPF is one of the fastest routes to the spam folder.

Foundation for DMARC

DMARC relies on SPF and DKIM alignment to make enforcement decisions. Without a valid SPF record, your DMARC policy can't function correctly.

Protects sender reputation

Spoofed mail from your domain generates spam complaints that damage your sending reputation — even if you didn't send it. SPF closes that door.

Frequently asked questions

Can I have more than one SPF record?

No. You can only have one SPF record per domain. Multiple TXT records starting with "v=spf1" will cause a PermError. If you need to authorize multiple providers, combine them all into a single record using multiple include: mechanisms.

How long does it take for SPF changes to take effect?

DNS changes typically propagate within minutes to a few hours, though the official TTL on your record can extend this up to 48 hours. Most modern DNS resolvers pick up changes faster than the TTL suggests.

What's the difference between SPF, DKIM, and DMARC?

SPF authorizes which servers can send for your domain. DKIM cryptographically signs outgoing messages so receivers can verify they weren't tampered with. DMARC ties both together and tells receivers what to do when checks fail (none, quarantine, or reject). All three are needed for full authentication.

Do I need SPF if I only send through Google Workspace?

Yes. Google Workspace adds its own SPF record for @gmail.com addresses, but for custom domains (you@yourdomain.com) you need your own SPF record that includes Google's sending servers.

What does PermError mean?

PermError (permanent error) means the SPF record couldn't be evaluated — usually because it exceeds the 10-lookup limit or has invalid syntax. It's treated as a failed check by most receivers, so it's important to fix promptly.

How do I test my SPF record after publishing?

Use a tool like MXToolbox, Google's Admin Toolbox, or send a test email to mail-tester.com. These will parse your published record and flag any syntax errors or lookup limit violations.

Complete your email authentication

SPF is the first step. Add DKIM signing through your ESP, then configure a DMARC policy to complete the trifecta — and warm your domain before scaling outbound.

Email Warming →Email Signature Builder →Deliverability Guide 2026 →