SPF Record Generator

Create a valid SPF record for your domain by selecting your email providers and configuring the right mechanisms. Protect your domain from spoofing and improve email deliverability.

Common Email Providers

Each email service requires its own include: mechanism in your SPF record. Here are the values for the most popular providers.

Google Workspace

include:_spf.google.com

Microsoft 365

include:spf.protection.outlook.com

SendGrid

include:sendgrid.net

Mailchimp

include:servers.mcsv.net

Amazon SES

include:amazonses.com

Postmark

include:spf.mtasv.net

Brevo (Sendinblue)

include:sendinblue.com

Zoho

include:zoho.com

Only include the providers you actually use. Each include: counts toward the 10-lookup limit.

SPF Record Syntax

An SPF record is a DNS TXT record that specifies which mail servers are authorized to send email for your domain. Here are the mechanisms you can use.

v=spf1

Required version tag. Every SPF record must begin with this. It identifies the TXT record as an SPF record.

include:<domain>

References the SPF record of another domain. Used to authorize third-party services (e.g., include:_spf.google.com authorizes Google to send on your behalf).

ip4:<address>

Authorizes a specific IPv4 address or CIDR range to send email for your domain (e.g., ip4:203.0.113.0/24).

ip6:<address>

Authorizes a specific IPv6 address or CIDR range to send email for your domain (e.g., ip6:2001:db8::/32).

a

Authorizes the IP addresses found in your domain's A (and AAAA) records. Useful if your web server also sends email.

mx

Authorizes the IP addresses of your domain's MX (mail exchange) servers. A common mechanism since your mail servers naturally send email.

~all

Soft fail: messages from unauthorized senders are accepted but marked. Recommended when first deploying SPF, as it avoids rejecting legitimate email during the transition period.

-all

Hard fail: messages from unauthorized senders should be rejected outright. Use this once you are confident your SPF record lists every legitimate sending source.

Example SPF record

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 ~all

This record authorizes Google Workspace, SendGrid, and a specific IP address to send email, with a soft fail for all other sources.

The 10-Lookup Rule

The SPF specification (RFC 7208, Section 4.6.4) limits SPF evaluation to a maximum of 10 DNS lookups. The terms that trigger lookups include the a, mx, exists, and include mechanisms and the redirect modifier. The ip4 and ip6 mechanisms do not count toward this limit.

If your record exceeds 10 lookups, receiving mail servers will return a PermError result, which means your SPF record is effectively broken. This is one of the most common SPF misconfigurations, especially for organizations using multiple SaaS tools that each require their own include: mechanism.

To stay under the limit, only include services you actively use, replace include: with ip4: where possible, and consider SPF flattening for complex configurations.
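The count is recursive: an include: costs one lookup plus every lookup inside the record it references. The Python sketch below is an added example, not this site's checker. It counts worst-case lookups over a constructed zone map that stands in for DNS; all domain names and records in it are hypothetical, and it compares a record that exceeds the limit with a version where one include: has been replaced by ip4:/ip6: ranges.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for DNS (all names are hypothetical).
SAMPLE_ZONE = {
    "busy.example": "v=spf1 include:spf.provider-a.example "
                    "include:spf.provider-b.example a mx "
                    "include:net2.provider-a.example -all",
    "flat.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 "
                    "include:spf.provider-b.example a mx -all",
    "spf.provider-a.example": "v=spf1 include:net1.provider-a.example "
                              "include:net2.provider-a.example ~all",
    "net1.provider-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "net2.provider-a.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.provider-b.example": "v=spf1 a mx exists:%{i}.rbl.provider-b.example "
                              "include:net1.provider-a.example ~all",
}

class SPFPermError(Exception):
    """Record is malformed, missing, or loops back on itself."""

def parse_terms(record):
    """Yield (name, argument) for each term after the version tag."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise SPFPermError("record must begin with v=spf1")
    for term in parts[1:]:
        m = (re.match(r"^([a-z][a-z0-9_.-]*)=(.*)$", term, re.I)  # modifier
             or re.match(r"^[+\-~?]?([a-z0-9]+)(?:[:/](.*))?$", term, re.I))
        if not m:
            raise SPFPermError("unparseable term: " + term)
        yield m.group(1).lower(), m.group(2) or ""

def count_lookups(domain, zone, ancestors=()):
    """Worst-case DNS lookups needed to evaluate domain's SPF record."""
    if domain in ancestors:
        raise SPFPermError("include loop at " + domain)
    if domain not in zone:
        raise SPFPermError("no SPF record for " + domain)
    total = 0
    for name, arg in parse_terms(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1                       # the term itself costs one lookup
        if name in ("include", "redirect"):  # plus everything it pulls in
            total += count_lookups(arg, zone, ancestors + (domain,))
    return total

def check(domain, zone=SAMPLE_ZONE):
    """Return (lookups, 'ok' or 'permerror') for a domain in the zone map."""
    n = count_lookups(domain, zone)
    return n, "ok" if n <= LIMIT else "permerror"
```

With the sample data, busy.example needs 11 lookups and fails, while flat.example needs 7. A real evaluator stops at the first matching mechanism, so this is an upper bound.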

How to Publish Your SPF Record

Once you have built your SPF record, follow these steps to publish it in your domain's DNS and start protecting your email.

1. Identify all your sending sources

List every service and server that sends email on behalf of your domain: your mail provider, transactional email services, marketing platforms, CRM tools, and any application servers.

2. Build your SPF record

Combine the v=spf1 tag with include, ip4, ip6, a, or mx mechanisms for each sending source, and end with ~all or -all. For example: v=spf1 include:_spf.google.com include:sendgrid.net ~all

3. Add the TXT record to your DNS

Log in to your DNS provider and create a new TXT record. Set the host/name to @ (or leave it blank for the root domain) and paste your SPF record as the value. A TTL of 3600 (1 hour) is a good default.

4. Verify and monitor

Use an SPF checker to confirm your record is valid and resolves correctly. Monitor DMARC aggregate reports to verify that all legitimate email passes SPF alignment. Adjust as your sending infrastructure changes.

DNS record summary

Type   Host   Value                      TTL
TXT    @      v=spf1 include:... ~all    3600

Validate Your Record

After publishing your SPF record, it is essential to verify that it resolves correctly, stays within the 10-lookup limit, and aligns with your DMARC policy. A misconfigured SPF record can cause legitimate email to land in spam or be rejected entirely.

Use our free SPF checker to instantly validate your record's syntax, count DNS lookups, and identify potential issues. For ongoing protection, sign up for MailShield to get continuous SPF monitoring with alerts when your record changes or breaks.
