ShieldMarc

SPF Record Generator

Build a valid SPF record for your domain. Select your email providers, add custom IPs, and choose your fail policy. Copy the record and add it to your DNS.

Add this as a TXT record on your domain's root (@)

v=spf1 ~all

Validate and monitor your SPF

Use our DMARC Checker to validate your SPF record is correctly deployed, or our SPF Flattener to optimise lookup counts. The ShieldMarc dashboard monitors SPF changes continuously.


What is SPF?

SPF (Sender Policy Framework) is a DNS-based email authentication method that specifies which mail servers are authorised to send email on behalf of your domain. When a receiving server gets an email, it checks the sender's IP against the SPF record. If the IP is not listed, the email fails SPF and may be rejected or marked as spam.

~all vs -all: Which Should You Use?

The fail policy at the end of your SPF record controls what happens when a server is not listed. ~all (soft fail) is the recommended choice for most domains. With DMARC p=reject in place, the DMARC policy is what actually blocks spoofed mail — SPF soft fail is sufficient for DMARC to evaluate correctly. Some receiving servers apply SPF -all (hard fail) rejections before evaluating DMARC, which can cause legitimate mail to be rejected if you use a sending service that does not align with your SPF. Use -all only if you are certain every legitimate sending source is listed and you understand the risks.

SPF Lookup Limit

SPF records are limited to 10 DNS lookups. Each include:, a, mx, and redirect mechanism counts as one lookup. Exceeding this limit causes a permanent error (permerror), meaning your SPF is effectively broken. If you are close to the limit, use our SPF Flattener to reduce lookups by resolving includes to IP addresses.

Frequently Asked Questions

Can I have more than one SPF record?

No. You must have exactly one SPF TXT record per domain. If you have two SPF records, receiving servers will return a permerror and SPF will fail. If you use multiple email providers, combine them into a single record using multiple include: mechanisms.
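The lookup limit and the one-record rule described above can both be checked mechanically. The following Python is an added example, not ShieldMarc's code: it counts lookup-consuming terms recursively over a constructed zone (every name and address is a placeholder), and it also counts ptr and exists, which RFC 7208 includes in the limit although the text above does not list them.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4
LIMIT = 10
# Constructed TXT data standing in for DNS; every name and address is a placeholder.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mailco.example include:_spf.crm.example "
                    "include:_spf.desk.example a mx ~all"],
    "_spf.mailco.example": ["v=spf1 include:_n1.mailco.example a mx ~all"],
    "_n1.mailco.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 a:mail.crm.example mx ~all"],
    "_spf.desk.example": ["v=spf1 a:out.desk.example ip4:203.0.113.7 ~all"],
    "dup.example": ["v=spf1 include:_spf.crm.example ~all", "v=spf1 ip4:203.0.113.9 -all"],
    "flat.example": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ip4:198.51.100.0/24 a mx ~all"],
}

class PermError(Exception): pass

def spf_record(domain, zone):
    """Return the domain's single SPF record, or None; more than one is a permerror."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        raise PermError(f"{domain}: {len(found)} SPF records")
    return found[0] if found else None

def count_lookups(domain, zone, chain=()):
    """Count lookup-consuming terms in the record, following include: and redirect=."""
    if domain in chain:
        raise PermError(f"include loop at {domain}")
    record = spf_record(domain, zone)
    if record is None:
        return 0  # simplification: a real evaluator treats a missing include target as an error
    total = 0
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term.lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all cost no DNS query
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, chain + (domain,))
    return total

def check(domain, zone=ZONE):
    """Return ('ok' | 'permerror', lookups); lookups is None when records are duplicated."""
    try:
        n = count_lookups(domain, zone)
    except PermError:
        return ("permerror", None)
    return ("permerror" if n > LIMIT else "ok", n)
```

In this constructed data, example.com lists only five lookup terms itself but reaches 11 once nested includes are followed, while flat.example shows the shape a flattened record takes.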

My provider is not listed — what do I do?

Use the custom IP or include fields to add your provider manually. Most providers publish their own SPF include string in their documentation (for example, include:spf.protection.outlook.com for Microsoft 365). Check your provider's DNS setup guide to find the correct value.

Do I need SPF if I already have DMARC?

Yes. DMARC requires either SPF or DKIM to pass with alignment. SPF is typically the first layer you configure. Without SPF, only DKIM can satisfy DMARC alignment, and DKIM must be configured separately for each sending service. Use both for maximum protection.

How do I verify my SPF record is working?

After publishing, use our DMARC & SPF Checker to verify your SPF record is correctly published, the lookup count is within limits, and alignment is configured for DMARC. DNS changes can take up to 48 hours to propagate.

What about subdomains — does SPF apply?

SPF applies only to the domain listed in the Return-Path (envelope sender), not necessarily the visible From address. Subdomains that send email need their own SPF records. DMARC's sp= tag controls subdomain policy, but SPF must still be published on each sending subdomain independently.