Free tool

SPF Record Generator

Pick the services that send your mail and copy a correct SPF record — provider includes, your own IPs, and the enforcement qualifier set for you, with a live count against the 10-lookup limit.

Your SPF record

v=spf1 include:_spf.google.com -all

DNS lookups: 1 / 10

Publish this as a single TXT record at your root domain (yourdomain.com). A domain may have only one SPF record.

What goes into an SPF record

Tick the providers that send your mail and the generator adds the right include: for each — Google Workspace, Microsoft 365, SendGrid, Mailgun, and more. Add any static sending IPs, optionally authorize your own mx servers, and pick the enforcement qualifier. The result is a single, valid record ready to publish.

Watch the lookup budget

The most common way SPF silently breaks is exceeding the 10-DNS-lookup limit, so the generator counts your lookups live and warns you before you go over. After publishing, validate the record with the SPF checker, and remember SPF is only one leg of the stool, so pair it with DKIM and an enforcing DMARC policy to actually stop spoofing.

Frequently asked questions

How do I create an SPF record?

List every service that sends email for your domain — your mail platform, marketing tools, and transactional senders — then publish a single TXT record at your root domain starting with v=spf1 and ending with an 'all' qualifier. This generator builds that string from common providers and your own IPs.

Why can I only have one SPF record?

The SPF specification requires exactly one v=spf1 TXT record per domain. Publishing two causes a permerror that breaks authentication for all your mail. Combine every sending source into one record using multiple include: and ip4:/ip6: mechanisms.

How do I stay under the 10-lookup limit?

Each include:, a, mx, ptr, and exists mechanism, and each redirect modifier, counts as a DNS lookup, and the total is capped at 10. If you exceed it, replace some includes with their published IP ranges (ip4:/ip6:), remove unused senders, or use an SPF-flattening service. The generator shows your live lookup count.
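As an added example (not the generator's own code), the Python below counts the lookup-causing terms listed above and goes one step further by following include: and redirect= targets, since RFC 7208 counts nested lookups toward the same limit of 10. The zone in SAMPLE_TXT and all function names are constructed for illustration, so the script runs offline.

```python
# Constructed sample zone (domain -> TXT strings); names and IPs are
# documentation placeholders, not any real provider's records.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test include:send.bulk.test mx ip4:203.0.113.10 -all"],
    "_spf.mail.test": ["v=spf1 include:_a.mail.test include:_b.mail.test ~all"],
    "_a.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.test": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "send.bulk.test": ["v=spf1 a exists:%{i}.bl.bulk.test ~all"],
    "dup.test": ["v=spf1 mx -all", "v=spf1 include:_a.mail.test -all"],
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10


def spf_record(domain, txt):
    """Return the single v=spf1 record for domain, or raise (permerror case)."""
    found = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise ValueError(f"{domain}: expected one SPF record, found {len(found)}")
    return found[0]


def count_lookups(domain, txt, path=()):
    """Count lookup-causing terms for domain, following include: and redirect=."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    total = 0
    for term in spf_record(domain, txt).split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier, if any
        if term.lower().startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, txt, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()  # strips a CIDR suffix such as mx/24
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, txt, path + (domain,))
    return total


def within_limit(domain, txt):
    """True when the full evaluation stays at or under the 10-lookup cap."""
    return count_lookups(domain, txt) <= LOOKUP_LIMIT
```

For example.test the top-level record shows only three lookup terms, but the nested includes bring the total to 7; dup.test raises because it publishes two v=spf1 records.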

Should I end with ~all or -all?

Start with ~all (soft fail) while you confirm every legitimate sender is listed, so nothing is rejected during rollout. Once your DMARC reports show all real mail passing, switch to -all (hard fail) for the strongest protection against spoofing.

Authenticated senders, protected brand.

Once your email is locked down, PhishEye guards the domains, sites, and apps attackers use to impersonate you elsewhere.