SimpleDMARC

Free SPF Record Generator

Build a secure SPF record by selecting your email service providers.

Why Every Domain Needs an SPF Record

An SPF record is one of the first DNS entries you should publish when setting up email for any domain. Without it, any mail server on the internet can send email claiming to be from your domain, and receiving servers have no way to determine whether the message is legitimate. SPF provides the foundation for email authentication: it explicitly declares which IP addresses and services are allowed to send on your behalf. It is also a prerequisite for SPF alignment under DMARC, because without a valid SPF record in place your DMARC policy has no SPF result to enforce on.

How to Use Our SPF Generator

Our generator guides you through building an SPF record step by step. Add the IP addresses (ip4/ip6) of your own mail servers, then add include statements for any third-party services that send email on your behalf — common examples are Google Workspace (_spf.google.com), Microsoft 365 (spf.protection.outlook.com), Mailchimp (servers.mcsv.net), SendGrid (sendgrid.net), Amazon SES (amazonses.com), and Salesforce. Select your 'all' mechanism: -all for hard fail (recommended when all senders are listed) or ~all for soft fail during initial deployment. The tool validates syntax in real time, counts DNS lookups, and warns you before you exceed the 10-lookup limit.

Best Practices for SPF Records

Keep your SPF record as lean as possible. Only include mechanisms for services that actively send email from your domain, and remove entries for decommissioned platforms. Use -all (hard fail) once you are confident all legitimate senders are listed. Never publish +all under any circumstances, as it authorizes the entire internet to send from your domain. Test your record with our SPF Raw Checker before publishing to DNS. After publishing, verify the live record with our SPF Record Checker to confirm it resolves correctly and the DNS lookup count is within limits.
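The lookup count and the "all" checks described above can be reproduced offline. The following is an added example, not SimpleDMARC's code: a dict stands in for DNS, and every .example name and record in it is constructed for illustration.

```python
import re

# Constructed stand-in for DNS so the example runs offline; every name and
# record below is made up for illustration (assumption, not real provider data).
SAMPLE_ZONE = {
    "lean.example": "v=spf1 ip4:192.0.2.10 include:_spf.esp.example -all",
    "bloated.example": "v=spf1 a mx include:_spf.esp.example include:_spf.crm.example include:_spf.old.example +all",
    "_spf.esp.example": "v=spf1 include:_a.esp.example include:_b.esp.example ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example mx exists:%{i}.rbl.crm.example ~all",
    "_spf.old.example": "v=spf1 include:_a.esp.example ptr ~all",
    "_a.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.esp.example": "v=spf1 ip6:2001:db8::/32 ~all",
}

# Terms that cost a DNS query during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"[+\-~?]?([a-z][a-z0-9]*)(?:[:=]([^/\s]+))?", re.I)

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms in domain's record, following include/redirect."""
    record = zone.get(domain)
    if record is None or domain in seen:      # unknown target or include loop
        return 0
    total = 0
    for term in record.split()[1:]:           # skip the v=spf1 version tag
        m = TERM.match(term)
        name, target = (m.group(1).lower(), m.group(2)) if m else ("", None)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target.lower(), zone, seen + (domain,))
    return total

def lint_spf(domain, zone):
    """Return (lookups, warnings) for the SPF record published at domain."""
    terms = zone[domain].split()
    warnings = []
    if terms[0].lower() != "v=spf1":
        warnings.append("record must start with v=spf1")
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls and not any(t.lower().startswith("redirect=") for t in terms):
        warnings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif alls and alls[0][0] not in "-~?":    # bare 'all' defaults to '+'
        warnings.append("+all authorizes the entire internet to send from your domain")
    elif alls and alls[0][0] == "~":
        warnings.append("~all is soft fail: switch to -all once all senders are listed")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        warnings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return lookups, warnings
```

The count is the worst case in which every term is evaluated; a real evaluation stops at the first matching mechanism. The address lookups behind each mx name and the separate void-lookup limit are not modelled here.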

SPF and the Bigger Authentication Picture

SPF alone is not sufficient for email security. It authenticates the envelope sender (Return-Path) but does not protect the visible From header that users see. This is where DMARC comes in — it requires alignment between the domain in the From header and the domain authenticated by SPF (or DKIM). By combining a well-crafted SPF record with DKIM signing and a DMARC policy, you create a layered authentication framework that protects your domain from spoofing, improves email deliverability, and meets compliance requirements from Google, Yahoo, and regulatory bodies.

Frequently Asked Questions

What is an SPF record?
SPF (Sender Policy Framework) is a DNS TXT record that lists the IP addresses and domains authorized to send email on your behalf.
How do I use this generator?
Select your email providers (like Google or Outlook) and add any custom IPs. The tool will generate the correct TXT record for you.
Why do I need SPF?
SPF helps prevent attackers from sending fake emails that appear to come from your domain.
Where do I publish my SPF record?
Publish the SPF record as a TXT entry in your domain's DNS zone at the root level (@ or yourdomain.com). The value starts with v=spf1, followed by your mechanisms, and ends with the all mechanism and its qualifier.
What include should I use for Google Workspace?
Use include:_spf.google.com to authorize Google Workspace servers. This covers Gmail sending, Google Groups, and other Google email services.
What include should I use for Microsoft 365?
Use include:spf.protection.outlook.com for Microsoft 365 (Exchange Online). For additional Microsoft services, check your Microsoft admin portal for specific SPF requirements.
Can I use both ip4 and include in the same record?
Yes. A typical SPF record combines ip4/ip6 mechanisms for your own servers with include mechanisms for third-party services. All mechanisms are evaluated in order from left to right.
What happens if I exceed 10 DNS lookups?
The SPF evaluation terminates with a permanent error (permerror). Many receiving servers treat this as a fail, potentially blocking legitimate email. Use our checker to count lookups before publishing.
Should I use -all or ~all?
Use -all (hard fail) for production domains once all legitimate senders are authorized. Use ~all (soft fail) only during initial deployment when you're still identifying all authorized senders.