Skip to main content
Free tool · Record generators

SPF Record Generator

Pick the services that send your mail and copy a correct SPF record — provider includes, your own IPs, and the enforcement qualifier set for you, with a live count against the 10-lookup limit.

Sending providers

Your SPF record

v=spf1 include:_spf.google.com -all

DNS lookups: 1 / 10

Publish this as a single TXT record at your root domain (yourdomain.com). A domain may have only one SPF record.

What goes into an SPF record

Tick the providers that send your mail and the generator adds the right include: for each — Google Workspace, Microsoft 365, SendGrid, Mailgun, and more. Add any static sending IPs, optionally authorize your own mx servers, and pick the enforcement qualifier. The result is a single, valid record ready to publish.

Watch the lookup budget

The most common way SPF silently breaks is exceeding the 10-DNS-lookup limit, so the generator counts your lookups live and warns you before you go over. After publishing, validate the record with the SPF checker, and remember SPF is only one leg of the stool, so pair it with DKIM and an enforcing DMARC policy to actually stop spoofing.

Worked SPF record examples for common setups

Copy the example that matches your senders, then swap in your own domain and any extra services. Each string below uses the real, provider-published include value, so they publish and pass as written.

  • Google Workspace only: v=spf1 include:_spf.google.com ~all
  • Microsoft 365 only: v=spf1 include:spf.protection.outlook.com -all
  • Google Workspace plus SendGrid: v=spf1 include:_spf.google.com include:sendgrid.net ~all
  • Adding a static sending IP to Google Workspace: v=spf1 ip4:198.51.100.10 include:_spf.google.com -all

After you publish the chosen record as a TXT record at your root domain, confirm it resolves and authorizes the right senders with the SPF checker. Then extend coverage with a DMARC generator and confirm signing with the DKIM checker, since SPF alone does not stop every spoof.

Keeping your SPF record accurate as senders change

An SPF record drifts out of date the moment your mail stack changes, so treat it as living configuration rather than a set-and-forget string. Whenever you add or retire a sending service (a new marketing platform, a ticketing system, a payment processor that emails receipts), edit the record in the same change so authorized senders and published mechanisms stay in sync.

  • Prefer a provider include: (such as include:_spf.google.com or include:spf.protection.outlook.com) over hardcoding that provider's IP addresses, so their record updates flow to you automatically instead of silently going stale.
  • Reserve ip4: and ip6: for your own fixed sending hosts, like an on-prem relay or a static application server, where no provider include exists.
  • Do not add the ptr mechanism: it is slow, unreliable, and deprecated by RFC 7208, so receivers may ignore or discount it.
  • Re-check the record with the SPF checker after every edit to catch typos and confirm each sender still resolves.

Frequently asked questions

How do I create an SPF record?

List every service that sends email for your domain — your mail platform, marketing tools, and transactional senders — then publish a single TXT record at your root domain starting with v=spf1 and ending with an 'all' qualifier. This generator builds that string from common providers and your own IPs.

Why can I only have one SPF record?

The SPF specification requires exactly one v=spf1 TXT record per domain. Publishing two causes a permerror that breaks authentication for all your mail. Combine every sending source into one record using multiple include: and ip4:/ip6: mechanisms.

How do I stay under the 10-lookup limit?

Each include:, a, mx, ptr, exists, and redirect counts as a DNS lookup, capped at 10. If you exceed it, replace some includes with their published IP ranges (ip4:/ip6:), remove unused senders, or use an SPF-flattening service. The generator shows your live lookup count.

Should I end with ~all or -all?

Start with ~all (soft fail) while you confirm every legitimate sender is listed, so nothing is rejected during rollout. Once your DMARC reports show all real mail passing, switch to -all (hard fail) for the strongest protection against spoofing.

What is an example SPF record for Google Workspace?

For a domain that sends only through Google Workspace, publish this as a TXT record at your root domain: v=spf1 include:_spf.google.com ~all. The include:_spf.google.com token pulls in Google's current sending IP ranges, so you never have to list those addresses yourself. If you also send through other services, add each provider's include to the same record rather than creating a second one.

How do I include SPF for multiple providers in one record?

Chain each provider's include mechanism into the same v=spf1 record, one after another, before the closing all qualifier. For example, a domain sending through both Google Workspace and SendGrid uses v=spf1 include:_spf.google.com include:sendgrid.net ~all. Order does not affect correctness, but every sender you actually use must appear, and each provider publishes its own include value, so copy those from the provider's own documentation rather than guessing.

Why must I never use +all in an SPF record?

The +all qualifier tells receivers that any server on the internet is authorized to send mail as your domain, which turns SPF off and invites spoofing. It is the single most dangerous value you can publish, because it makes every forged message pass SPF. Always end with a restrictive qualifier that names only your real senders, never +all.

How do I safely remove an old email provider from an SPF record?

First confirm nothing still sends through that provider by checking recent mail logs and your DMARC aggregate reports for passing traffic tied to its IPs. Once you are sure it is idle, delete that provider's include or ip4/ip6 entry from the record, leaving the rest of the string intact, and republish. Removing an include that is still in use will cause that provider's mail to fail authentication, so verify before you cut.

Authenticated senders, protected brand.

Once your email is locked down, PhishEye guards the domains, sites, and apps attackers use to impersonate you elsewhere.