SPF Record Generator

About this tool

An SPF (Sender Policy Framework) record is a DNS TXT record that lists the mail servers authorised to send email on behalf of your domain. When a receiving mail server gets a message claiming to be from your domain, it looks up your SPF record and checks whether the sending IP is on the list. If it is not, the message can be marked as spam or rejected entirely.

SPF works by publishing a single TXT record at the root of your domain (the @ name). The record begins with v=spf1, lists mechanisms such as include:, ip4:, mx, or a, and ends with an all mechanism that tells receivers what to do with mail that does not match:

• -all (Fail) — Reject non-matching mail. Use this in production once you are confident your record is complete.
• ~all (SoftFail) — Accept but flag non-matching mail. Good for testing or phased rollout.
• ?all (Neutral) — No policy; treat like a missing record.
• +all (Pass) — Authorise every server in the world to send as your domain. Never use this. It completely defeats SPF.

SPF alone is not enough. A forged email can still pass SPF if the attacker controls a domain with a permissive record and uses that in the SMTP envelope. For full email authentication you need all three:

1. SPF — verifies the sending server is authorised
2. DKIM — cryptographically signs each message so the content cannot be tampered with
3. DMARC — ties SPF and DKIM together, specifies policy, and sends aggregate reports to you

DNS TXT records have a 255-character limit per string, though multiple strings can be concatenated. This tool warns you if your record exceeds 255 characters. If you have many providers, consider an SPF flattening service so you do not exceed the 10 DNS lookup limit.

All processing happens in your browser. No data is sent to any server.