SPF Record Generator
Build a valid SPF record in seconds. Pick your senders, set the policy, copy the TXT record.
An SPF record is a single DNS TXT record that names the servers allowed to send mail for your domain. This SPF generator (also called an SPF builder, SPF creator, or SPF maker) assembles that record for you so you do not have to memorize the syntax. You choose which providers send your mail, add any extra IPs, and pick how strict the policy should be; the tool writes the v=spf1 ... string live as you go. The output is one record, because RFC 7208 §3.2 allows exactly one SPF record per domain. Publish it as a TXT record at your domain apex, then confirm it with the SPF checker.
The SPF record syntax follows a fixed shape. It opens with v=spf1, lists mechanisms that authorize senders (a, mx, ip4:, ip6:, include:), and ends with an all-qualifier that tells receivers what to do with everyone else. A typical SPF record example for a Google Workspace domain reads v=spf1 include:_spf.google.com ~all. Add a second provider and it grows to v=spf1 include:_spf.google.com include:sendgrid.net ~all. Each include: delegates authorization to that provider, so you list the provider once and they maintain the underlying IPs.
Start by checking the box for every service that sends mail for your domain. The provider presets carry each vendor's current canonical include: Google Workspace adds include:_spf.google.com, Microsoft 365 adds include:spf.protection.outlook.com, SendGrid adds include:sendgrid.net, Mailchimp adds include:servers.mcsv.net, Amazon SES adds include:amazonses.com, and Zoho Mail adds include:zoho.com. If a sender is not in the list, add its IPs in the IPv4 field (your office mail server or a fixed relay, for example). Leave mx checked if the hosts in your MX records also send outbound mail; uncheck it if they only receive. Then choose an all-qualifier: ~all (soft fail) is the safe default for most domains, -all (hard fail) is stricter once you are confident every sender is listed, and ?all (neutral) takes no position and is rarely useful.
Copy the generated record and publish it as a TXT record at your apex (@ or the bare domain), not at a subdomain. Watch the lookup count as you go: every include:, mx, and a mechanism, and the redirect= modifier, costs a DNS lookup, and RFC 7208 §4.6.4 caps evaluation at 10. The SendGrid include alone resolves to several lookups, so stacking three or four providers can quietly push you over the limit and trigger a permerror. After you publish, run the domain through the SPF checker. It counts your lookups and flags the problems this generator cannot see at build time.
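The assembly steps above, as an added Python example (not the generator's own code): it builds the single record from the presets listed on this page, validates extra IPs, refuses +all, and counts the lookup-costing terms written in the record itself. The function names and preset keys are assumptions made for illustration, and the sample addresses are constructed.

```python
import ipaddress

# include: values exactly as listed in the provider presets on this page.
PRESETS = {
    "google": "include:_spf.google.com",
    "microsoft365": "include:spf.protection.outlook.com",
    "sendgrid": "include:sendgrid.net",
    "mailchimp": "include:servers.mcsv.net",
    "ses": "include:amazonses.com",
    "zoho": "include:zoho.com",
}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def build_spf(providers=(), ips=(), use_mx=False, policy="~all"):
    """Assemble the single SPF record for the selected senders and policy."""
    if policy not in ("~all", "-all", "?all"):
        raise ValueError(f"refusing all-qualifier {policy!r}")  # e.g. +all
    terms = ["v=spf1"]
    if use_mx:
        terms.append("mx")
    for ip in ips:
        net = ipaddress.ip_network(ip, strict=False)  # ValueError on bad input
        host = net.num_addresses == 1
        terms.append(f"ip{net.version}:{net.network_address if host else net}")
    for name in providers:
        if PRESETS[name] not in terms:  # list each provider once
            terms.append(PRESETS[name])
    return " ".join(terms + [policy])


def top_level_lookups(record):
    """Count lookup-costing terms written in this record only.

    Each include: target publishes its own record with further lookups,
    so the real total can be higher; only a live DNS check sees those.
    """
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower()
        kind = name.split(":")[0].split("/")[0]
        if kind in ("include", "exists", "a", "mx", "ptr") or name.startswith("redirect="):
            count += 1
    return count


if __name__ == "__main__":
    rec = build_spf(["google", "sendgrid"], ips=["192.0.2.10"], use_mx=True)  # constructed input
    print(rec, "| top-level lookups:", top_level_lookups(rec), "of", LOOKUP_LIMIT)
```

A top-level count at or near the limit is already a warning sign, since the nested lookups behind each include: are added on top of it.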
Common questions
How do I create an SPF record?
Pick the providers that send your mail, add any sending IPs, and choose an all-qualifier; the generator writes the v=spf1 ... string for you. Publish that string as a single TXT record at your domain apex. To set up SPF for one provider, the record is often as short as v=spf1 include:_spf.google.com ~all.
Can you have multiple SPF records?
No. RFC 7208 §3.2 requires exactly one SPF record per domain. Two or more v=spf1 TXT records produce a permerror and receivers ignore SPF entirely. Merge every authorized sender into one record, which is exactly what this generator produces when you select multiple providers.
What does an SPF record look like?
An SPF record example with two providers and a soft-fail policy reads v=spf1 include:_spf.google.com include:sendgrid.net ~all. The mechanisms run in order (a, mx, ip4:, ip6:, then include:), and the trailing ~all, -all, or ?all sets the policy for unlisted senders.
What is the difference between ~all, -all, and ?all?
The all-qualifier is the catch-all at the end of the record. -all (hard fail) tells receivers to reject mail from unlisted senders, ~all (soft fail) marks it as suspicious but usually still delivers, and ?all (neutral) takes no position. Use ~all while you confirm every sender is covered, then move to -all for the strongest protection. Never use +all, which authorizes the entire internet to send as your domain.