UtilityKit

SPF Record Generator

Compose an SPF TXT record from email-provider presets, custom includes, and IP allow-lists — with a live DNS lookup counter against the RFC 7208 ten-lookup limit.

About SPF Record Generator

The SPF Record Generator builds a valid v=spf1 record from a small form. Tick the email providers you use (Google Workspace, Microsoft 365, SendGrid, Mailgun, Mailchimp, Amazon SES, Zoho, Postmark) and they're appended as include: tokens; add IPv4/IPv6 to allowlist your own infrastructure; toggle the mx and a mechanisms; and pick a closing qualifier — -all (hard fail, recommended), ~all (soft fail), ?all (neutral), or +all (never). The differentiator is the live lookup counter: every include, a, mx, exists, ptr, and redirect counts toward the RFC 7208 ten-lookup ceiling, and senders exceeding it trigger a permerror at strict receivers. The counter goes green-orange-red as you approach the limit, and we warn when the record exceeds 255 bytes. Everything runs in the browser; nothing about your domain is sent. Pair the output with our SPF Record Checker after you publish.

Why use SPF Record Generator

  • Live RFC 7208 lookup counter goes green/orange/red as you approach the 10-lookup ceiling.
  • Provider presets cover the eight most common ESPs — no manual include: hostnames to remember.
  • Warns when the record exceeds 255 bytes (TXT must split into multiple quoted strings at that size).
  • Warns when +all is selected — this is functionally equivalent to no SPF and lets anyone spoof you.
  • Pure browser — your sending stack and IP list never leave the page.
  • Pairs with the SPF Record Checker for round-trip verification once published.

How to use SPF Record Generator

  1. Tick the email providers you send through — each adds an include: token to the record.
  2. Add any IPv4 or IPv6 addresses you send from directly (comma or space separated).
  3. Optionally enable the mx and a mechanisms if your domain's MX hosts and A record also send mail.
  4. Add custom includes for partners not in the preset list.
  5. Pick the closing qualifier: -all hard fail (recommended), ~all soft fail (rollout), ?all (neutral).
  6. Watch the live lookup counter — keep it below 10 — then click Copy and paste at the apex domain as a TXT record.

When to use SPF Record Generator

  • Before publishing SPF for the first time on a new sending domain.
  • When onboarding a new ESP and you need to add its include: alongside existing senders.
  • When migrating from a single ESP to a multi-ESP setup and need to confirm the new total stays under 10 lookups.
  • When tightening from ~all (soft fail) to -all (hard fail) once monitoring is clean.
  • While allowlisting transactional servers by their static IPv4/IPv6 addresses.
  • When auditing a vendor's recommended SPF text against your existing record.

Examples

Google Workspace + SendGrid (production)

Input: tick: Google Workspace, SendGrid; -all

Output: v=spf1 include:_spf.google.com include:sendgrid.net -all → 2 lookups

Self-hosted with a static IP

Input: ip4: 203.0.113.5; -all

Output: v=spf1 ip4:203.0.113.5 -all → 0 lookups

Multi-ESP at the lookup edge

Input: Google + Microsoft + Mailgun + SendGrid + Mailchimp; -all

Output: v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:mailgun.org include:sendgrid.net include:servers.mcsv.net -all → 5 nominal lookups (real chains may push past 10 once nested)
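
The composition and counting rules described above, as an added example in JavaScript (not UtilityKit's own code): it builds the record, counts nominal lookups without expanding nested includes, and splits long records into 255-byte strings. Preset hostnames are taken from the example outputs above; the option names and the term order are assumptions.

```javascript
// Added example. Preset hostnames are the ones in the page's example outputs.
const PRESETS = new Map([
  ["google", "_spf.google.com"],
  ["microsoft", "spf.protection.outlook.com"],
  ["mailgun", "mailgun.org"],
  ["sendgrid", "sendgrid.net"],
  ["mailchimp", "servers.mcsv.net"],
]);

// Terms that cost a DNS lookup: include, a, mx, exists, ptr, redirect.
// The lookahead keeps "-all" from matching the bare "a" mechanism.
const LOOKUP_TERM = /^[+\-~?]?(include|a|mx|exists|ptr)(?=[:\/]|$)|^redirect=/i;

function countLookups(record) {
  const terms = record.trim().split(/\s+/).slice(1); // drop "v=spf1"
  return terms.filter((t) => LOOKUP_TERM.test(t)).length;
}

// Option names are hypothetical; term order (a, mx, IPs, includes) is assumed.
function buildSpf({ providers = [], includes = [], ips = [], a = false, mx = false, all = "-all" } = {}) {
  const terms = ["v=spf1"];
  if (a) terms.push("a");
  if (mx) terms.push("mx");
  for (const ip of ips) terms.push((ip.includes(":") ? "ip6:" : "ip4:") + ip);
  for (const p of providers) {
    if (!PRESETS.has(p)) throw new Error("unknown preset: " + p);
    terms.push("include:" + PRESETS.get(p));
  }
  for (const host of includes) terms.push("include:" + host);
  terms.push(all);

  const record = terms.join(" ");
  const lookups = countLookups(record);
  const warnings = [];
  if (lookups > 10) warnings.push("more than 10 lookups: permerror");
  if (all === "+all") warnings.push("+all authorizes any sender");
  // SPF records are ASCII, so string length equals byte length.
  if (record.length > 255) warnings.push("over 255 bytes: split into strings");
  // Receivers join TXT strings with no separator, so cut at any offset.
  const txtStrings = record.match(/.{1,255}/g);
  return { record, lookups, warnings, txtStrings };
}

console.log(buildSpf({ providers: ["google", "sendgrid"] }));
```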

Tips

  • Stay below 8 lookups for headroom — vendors add nested includes over time.
  • Prefer ip4: and ip6: where possible; static IPs cost zero lookups.
  • Use -all (hard fail) for production once you trust the record; ~all is for the monitoring window only.
  • Keep one and only one v=spf1 record on the apex; multiple records are a permerror under RFC 7208.
  • If you exceed 10 lookups and can't drop a vendor, use an SPF flattener service that compiles the chain into static IPs.

Frequently Asked Questions

Is the record sent to any third party when I generate it?
No. The generator runs entirely in the browser. Your providers, IPs, and includes never leave the page.

How is this different from typing the record by hand?
Live lookup counting against the RFC 7208 ceiling, eight ESP presets, real-time +all guard, and a 255-byte split warning. The hand-typed approach also works if you're already an SPF expert.

How does this compare to mxtoolbox's SPF generator?
Functionally similar but free, signup-free, mobile-friendly, and the lookup counter updates as you toggle. We don't currently expand each include: into a sub-tree; that's a separate flattening tool.

What does soft fail (~all) versus hard fail (-all) mean?
Soft fail asks receivers to flag mail from non-listed senders; hard fail asks them to reject. Use ~all during rollout to avoid blocking legitimate senders, then switch to -all once monitoring is clean.

Why does +all show an error?
+all says any sender on the public internet is authorized for your domain. It defeats the entire purpose of SPF and is exploited by spammers. Use -all instead.

Can this detect a misconfigured SPF after I publish?
Run the matching SPF Record Checker tool: paste your domain and it parses the published TXT, counts lookups, and warns about multi-record permerror.

What's the 10-lookup limit and why does it matter?
RFC 7208 §4.6.4 caps the number of include, a, mx, exists, ptr, and redirect terms at 10. A record that exceeds the cap evaluates to permerror, and strict receivers reject the mail.

Why does a long record show a 255-byte warning?
DNS TXT records are limited to 255 bytes per string but can chain multiple strings. Most DNS providers handle the split automatically; some require you to enter quoted segments manually.

Glossary

SPF
Sender Policy Framework (RFC 7208): a TXT-based mechanism that lists which IPs and hosts can send mail on behalf of a domain.

Include mechanism
Pulls another domain's SPF record into yours. Each include: counts as one lookup against the 10-lookup ceiling.

ip4 / ip6 mechanisms
Static IP allowlists. They cost zero lookups, so they're ideal for high-traffic or zero-budget setups.

Hard fail (-all)
Closes the record so receivers reject mail from any sender not explicitly listed. Recommended for production.

Soft fail (~all)
Closes the record but tells receivers to merely flag mail from non-listed senders. Used during rollout.

Permerror
A permanent SPF evaluation error, caused by exceeding 10 lookups, having multiple v=spf1 records, or invalid syntax. Strict receivers reject mail on permerror.