SPF Record Generator

Build a correct SPF TXT record with provider presets and a live DNS lookup counter that warns you before you hit the 10 lookup wall.

This SPF record generator writes the exact v=spf1 TXT value you publish, right in your browser, so nothing you type ever leaves the page. Tick the servers that send mail as your domain, add ip4 and ip6 ranges, or click a preset for Google Workspace, Microsoft 365, OVH and the major ESPs. It sticks to RFC 7208 syntax and invents nothing. A live counter tracks your DNS lookups against the hard limit of 10, the ceiling that quietly breaks records nobody touched, and flags it before you do. You also get honest softfail versus hardfail guidance, the right host to publish at, and warnings for duplicates, bad addresses and the +all mistake.

100% in your browser. Nothing you type ever leaves this page.

SPF record generator with a live DNS lookup counter

SPF records look trivial. One line of text, a few mechanisms, done. Then the record quietly grows past ten DNS lookups and every message starts failing with a permerror, and nothing in your DNS panel warns you. This builder writes the exact v=spf1 TXT value from the mechanisms you tick, sticks to RFC 7208 syntax with nothing invented, and counts your lookups as you type so you see the wall before you hit it. Everything runs in your browser. Once it's published, paste your domain into the SPF record checker to confirm DNS serves what you wrote, nested includes and all.

Separate several values with spaces or commas, or click a provider below to toggle it.

DNS lookups: 0 / 10 (RFC 7208 hard limit). include, a, mx, ptr, exists and redirect each cost one.

This counter only sees your top level. Every include pulls in its own record, and lookups inside it count against the same limit of 10. Verify the real total with the SPF record checker after publishing.

Publish at this host (TXT record name): example.com
Record type: TXT
v=spf1 ~all

One SPF record per domain, ever. If a TXT record starting with v=spf1 already exists, edit that one. Publishing a second is a permerror under RFC 7208 and receivers will treat your SPF as broken.

What an SPF record generator does

An SPF record generator writes the exact v=spf1 TXT value you publish in DNS, built from the servers you say send mail as your domain, so receivers can check that a message really came from a host you authorized. SPF answers one narrow question: is the server delivering this message allowed to send for the domain in the envelope sender, the return-path address that bounces go to? The receiving server reads your TXT record, walks the mechanisms left to right, and stops at the first match. This builder turns that into a checklist, ip4 and ip6 fields, and provider presets, then prints the record and the host to publish it at.

The 10 lookup limit, the thing that breaks records nobody touched

RFC 7208 caps the mechanisms that trigger DNS lookups at ten per check. include, a, mx, ptr, exists and redirect cost one each; go over and the result is permerror, which under a strict DMARC policy means your real mail starts bouncing. The nasty part is that nested includes count too. include:_spf.google.com is not one lookup, it is one plus whatever Google pulls in underneath, and that record is theirs, not yours. A domain can sit at a comfortable eight for a year, then break on a Tuesday because a marketing platform restructured its own SPF tree. The live counter is your early warning, so treat anything past seven as a budget problem.

Softfail vs hardfail, the honest version

The textbook says ~all marks failures as suspicious and -all rejects them, which is true but incomplete. In practice most large receivers feed the SPF result into DMARC and their own filtering rather than bouncing on SPF alone, so the day to day gap is smaller than the syntax suggests. Smaller, not zero. Run ~all while you are still discovering senders, because a forgotten invoicing tool under ~all lands in spam where someone notices, while under -all it just vanishes. Move to -all once the inventory is genuinely done, meaning a few weeks of clean DMARC reports. Skip ?all, and never publish +all, which declares the whole internet authorized to send as you.

Privacy and accuracy

The whole generator runs in your browser, so the domain and senders you type never leave your machine and the page works offline once it has loaded. It follows RFC 7208 syntax and invents nothing, validating ip4, ip6 and include hostnames as you go and flagging duplicates, the 255 character TXT string ceiling, and the dangerous qualifiers. One caveat: the counter only sees your top level. Every include pulls in its own record, and the lookups inside it count against the same limit of 10, so confirm the real total against live DNS with an SPF record checker after you publish.
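As an added illustration of the lookup counting and validation rules described in the two sections above (example code written for this page, not the generator's own source), the builder below assembles a v=spf1 value from a list of mechanisms, counts the top-level lookup mechanisms against the limit of 10, and emits the duplicate, bad-address, +all and length warnings. The mechanism strings and the simplified ip4, ip6 and hostname checks are constructed for the example.

```javascript
// Added example (not the generator's own code): build a v=spf1 TXT value from
// chosen mechanisms, count top-level DNS-lookup mechanisms against the RFC 7208
// limit of 10, and raise the warnings the page describes. Lookups inside nested
// includes are not resolved here, which is exactly the counter's blind spot.
const LOOKUP_MECHANISMS = new Set(["include", "a", "mx", "ptr", "exists", "redirect"]);
// Deliberately simple syntax checks, constructed for this example (not full RFC parsers).
const IP4 = /^(\d{1,3})(\.\d{1,3}){3}(\/\d{1,2})?$/;
const IP6 = /^[0-9a-f:]+(\/\d{1,3})?$/i;
const HOST = /^[a-z0-9_.-]+$/i;

// Split one term into its mechanism name and value, ignoring a leading qualifier (+ - ~ ?).
function parseTerm(term) {
  const m = term.replace(/^[+\-~?]/, "").match(/^([a-z0-9]+)(?:\/\d+)?(?:[:=](.*))?$/i);
  return m ? { name: m[1].toLowerCase(), value: m[2] || "" } : null;
}

// Returns { record, lookups, warnings }; "all" is always appended last with the chosen qualifier.
function buildSpf(mechanisms, allQualifier = "~") {
  const warnings = [];
  const seen = new Set();
  const terms = [];
  let lookups = 0;
  for (const raw of mechanisms) {
    const term = raw.trim();
    if (!term) continue;
    if (seen.has(term.toLowerCase())) { warnings.push(`duplicate: ${term}`); continue; }
    seen.add(term.toLowerCase());
    const parsed = parseTerm(term);
    if (!parsed) { warnings.push(`unrecognized mechanism: ${term}`); continue; }
    const { name, value } = parsed;
    if (name === "all") { warnings.push(`"${term}" skipped; the all mechanism is appended last`); continue; }
    if (LOOKUP_MECHANISMS.has(name)) lookups++;
    if (name === "ip4" && !IP4.test(value)) warnings.push(`bad ip4 address: ${value}`);
    if (name === "ip6" && !IP6.test(value)) warnings.push(`bad ip6 address: ${value}`);
    if ((name === "include" || name === "redirect") && !HOST.test(value)) warnings.push(`bad hostname: ${value}`);
    terms.push(term);
  }
  if (allQualifier === "+") warnings.push("+all authorizes every host on the internet to send as you");
  const record = ["v=spf1", ...terms, `${allQualifier}all`].join(" ");
  if (lookups > 10) warnings.push(`${lookups} top-level lookups exceed the limit of 10: permerror`);
  else if (lookups > 7) warnings.push(`${lookups} top-level lookups; nested includes add more, budget is tight`);
  if (record.length > 255) warnings.push(`record is ${record.length} chars; TXT strings over 255 must be split`);
  return { record, lookups, warnings };
}
```

Like the page's counter, this only sees the top level: confirm the real total against live DNS after publishing.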

Frequently asked questions

Where do I publish the SPF record?

As a TXT record on the domain itself, the root, often shown as @ in DNS panels. Not on _spf, not on www. Subdomains that send mail need their own SPF record on the subdomain name, since SPF does not inherit downward.

Can I have two SPF records on one domain?

No. RFC 7208 says a domain with multiple v=spf1 TXT records produces a permerror, and receivers treat that as broken SPF rather than picking one. Merge the mechanisms into a single record instead.

What happens if I go over 10 DNS lookups?

The check returns permerror. Under DMARC, permerror means SPF cannot contribute a pass, so if DKIM is not covering you, mail starts failing or bouncing. The limit exists so spammers cannot weaponize SPF resolution into a DNS amplification chain.

Should I use ~all or -all?

Use ~all while you are still building the inventory of everything that sends as your domain, then -all once a few weeks of DMARC reports show no legitimate sender failing. Going straight to -all on day one is how the invoicing robot silently stops delivering.