Build a valid SPF TXT record in seconds. Authorise your senders, prevent spoofing, and protect your domain — free, instant, no account needed.
Tip: select every service that sends email for this domain — missing any will cause SPF failures.
Advanced — Custom Includes, IPs & MX (optional)
Example: customdomain.com — will be added as include:customdomain.com.
Example: 192.168.1.1 or 203.0.113.0/24 — will be added as ip4:.
Example: 2001:db8::1 — will be added as ip6:.
DNS Lookups Used0 / 10
SPF lookup limit exceeded. Your record uses more than 10 DNS lookups. Receivers will treat your SPF as permerror and reject it. Remove some includes or flatten your record.
Live SPF Preview
v=spf1 ~all
✓ SPF Record Generated
Copy the values below and add them as a TXT record in your DNS settings.
Type
TXT
Host / Name
@
Value
✓ Copied to clipboard!
How to Add This Record to Your DNS
Log in to your domain registrar or DNS provider (e.g. Cloudflare, GoDaddy, Namecheap).
Go to the DNS Management or DNS Records section for your domain.
Click Add Record and select type TXT.
Set Host / Name to @ — meaning the root of your domain. Some providers leave this blank or accept your bare domain.
Paste the generated Value above into the TXT value field.
Save the record. DNS propagation typically takes 15 minutes to 48 hours.
Important: only one SPF record is allowed per domain. If you already have one, merge the includes — do not add a second TXT record.
✦ Free Email Warmup Tool
Get Your Cold Emails Into the Inbox with Warmbase
SPF is the foundation — but authentication alone won’t save you from the spam folder. Warm up your inboxes, build sender reputation automatically, and reach the primary inbox with every send.
SPF — short for Sender Policy Framework — is an email authentication standard that lets domain owners declare which mail servers are authorised to send email on their behalf. It is published as a DNS TXT record at the root of your domain and consulted by receiving mail servers every time a message arrives.
When a server receives an email claiming to come from you@example.com, it looks up the SPF record at example.com and checks whether the connecting IP is listed. If the IP is authorised, SPF passes. If not, SPF fails — and the receiver decides how to treat the message based on your SPF qualifier (~all, -all, or ?all).
SPF is one of the three core email authentication standards alongside DKIM and DMARC. Without SPF, anyone in the world can connect to a mail server and impersonate your domain. With SPF, only the IP addresses and services you explicitly authorise are trusted.
How SPF Works
SPF authentication happens during the SMTP envelope handshake, before the email body is even transferred. Here is the full lifecycle:
A sender connects to a receiving mail server and presents an envelope-from address (the MAIL FROM command).
The receiver extracts the domain from the envelope-from — typically the Return-Path domain.
A DNS lookup is performed on the TXT record at the root of that domain (e.g. example.com).
The SPF record is parsed — every include:, ip4:, ip6:, a, and mx mechanism is evaluated.
The connecting IP is compared to the list of authorised IPs produced by parsing the record.
A result is returned: pass, softfail, fail, neutral, none, temperror, or permerror.
The receiver decides what to do with the message based on that result and its own filtering policy.
Crucially, SPF authenticates the envelope-from domain — not the visible From: header users see. That is why SPF on its own does not stop display-name spoofing. DMARC closes that gap by tying SPF authentication results to the visible From: domain.
How to Use Our Free SPF Generator
Generating a valid SPF record takes under two minutes — no technical background needed.
Enter your domain — type your root domain (e.g. example.com) without any prefix like “www” or “mail”.
Select your ESPs — tick every service that sends email for this domain. Missing any will cause SPF failures and bounces.
Choose an enforcement mode — start with ~all (SoftFail) if this is your first SPF rollout, or use -all (HardFail) once you are confident.
Add custom includes (optional) — for any third-party sender not in the preset list (e.g. a CRM, a helpdesk tool, an automation platform).
Add IP addresses (optional) — for self-hosted SMTP servers, on-prem mail systems, or dedicated IPs.
Watch the live preview — your SPF record builds in real time as you fill in fields.
Check the DNS lookup counter — make sure you stay under 10 lookups (this is a hard SPF limit).
Click Generate — copy the record and paste it as a TXT record at the root of your domain.
SPF Syntax Explained
Every SPF record follows a simple grammar: a version tag, a list of mechanisms (in evaluation order), and a trailing all qualifier.
Tag
Type
Description
Example
v
Required
SPF version. Always spf1.
v=spf1
include:
Mechanism
Include another SPF record (1 DNS lookup each).
include:_spf.google.com
ip4:
Mechanism
Authorise an IPv4 address or CIDR range (0 lookups).
ip4:192.0.2.1
ip6:
Mechanism
Authorise an IPv6 address or range (0 lookups).
ip6:2001:db8::1
a
Mechanism
Authorise the domain’s own A record IP (1 lookup).
a
mx
Mechanism
Authorise hosts in the domain’s MX records (1 lookup).
mx
~all
Qualifier
SoftFail — mark unauthorised mail but still deliver.
~all
-all
Qualifier
HardFail — reject unauthorised mail.
-all
?all
Qualifier
Neutral — no policy expressed.
?all
The SPF Include Mechanism Explained
The include: mechanism is the most common SPF directive — it lets you delegate authorisation to another domain’s SPF record. Instead of listing dozens of Google, Microsoft, or SendGrid IPs by hand (and updating them whenever they change), you simply include the provider’s own SPF record.
For example, include:_spf.google.com means: “whatever IPs Google currently lists as authorised for Google Workspace, treat those IPs as authorised for me too.”
This is powerful — but it has a cost. Every include: mechanism consumes one of your 10 allowed DNS lookups. Worse, the included record itself may contain further includes, each of which counts against your budget. A single innocent-looking include:_spf.google.com can trigger 3–4 additional lookups behind the scenes.
Best Practices for Include Mechanisms
Always use the provider’s recommended include — not the bare domain. include:_spf.google.com, not include:google.com.
Audit unused includes — remove any service no longer sending email for your domain.
Prefer ip4: for fixed IPs — ip4: mechanisms consume zero DNS lookups.
Watch nested includes — even a single include: can cascade into multiple internal lookups.
SPF SoftFail (~all) vs HardFail (-all)
The trailing qualifier — what appears at the very end of every SPF record — tells receivers exactly how strictly to treat mail from unauthorised IPs.
⚠️
~all — SoftFail
Receivers will accept the message but flag it as suspicious. Most ISPs route SoftFail messages to spam or apply downgrades but do not reject outright.
Best for: initial SPF rollout, debugging, ensuring no legitimate mail is lost while you verify your configuration.
🚫
-all — HardFail
Receivers should reject messages from unauthorised IPs at the SMTP level — the email never reaches the inbox or spam folder.
Best for: production-grade domains with fully audited senders, strict anti-spoofing requirements, and a DMARC policy in enforcement.
❓
?all — Neutral
Tells receivers the domain owner expresses no opinion. SPF lookups still succeed, but no enforcement action is requested.
Best for: testing only. Not recommended for production — it provides no anti-spoofing protection.
Recommendation: start with ~all for the first 2–4 weeks, monitor your DMARC reports for unauthorised senders, then tighten to -all once every legitimate source is in your SPF record.
SPF Record Examples
1. Minimal SPF — Google Workspace only
The simplest possible valid SPF record. Authorises Google Workspace to send mail from your domain and soft-fails everything else.
v=spf1 include:_spf.google.com ~all
2. Multi-Provider SPF — Google + SendGrid + Mailgun
A typical SaaS setup: Google Workspace for human email, SendGrid for transactional, Mailgun for bulk.
Google Workspace (formerly G Suite) is the most common business email provider. Its SPF setup is simple — but there are pitfalls worth knowing.
The Canonical Google SPF Include
v=spf1 include:_spf.google.com ~all
Do not use include:google.com — that is not a valid SPF include and will cause failures.
The Google include itself triggers ~3 additional DNS lookups — they are nested. Plan your remaining lookup budget accordingly.
Combine with DKIM — enable DKIM signing in Google Admin so DMARC has a second authentication anchor.
Skip the mx mechanism — Google does not deliver outbound mail through the MX hosts, so mx only wastes a lookup.
Move to -all only after DMARC monitoring — confirm via DMARC aggregate reports that all legitimate Google mail passes SPF before tightening.
SPF for Cold Email Outreach
If you run outbound campaigns, lead generation, or any cold email programme, your SPF setup directly determines whether your emails reach the inbox or the spam folder.
Use dedicated sending domains — never cold email from your primary business domain. Use an alternative domain like outreach.yourcompany.com or a separate purchase.
Keep SPF simple per sending domain — usually just one include (Google Workspace, Microsoft 365, or your sending tool) plus ~all.
Use ~all not -all on cold sending domains — strict enforcement causes silent bounces if any IP is missed during ESP migrations.
Pair SPF with DKIM on every inbox — sequencing tools rotate across many inboxes, and DMARC needs DKIM to align when SPF can’t.
Warm up before launching — even perfect authentication can’t save a cold inbox without sender reputation. Use Warmbase to automate inbox warming before adding any inbox to a live campaign.
Monitor your DNS lookup count — cold email tools sometimes require multiple includes, pushing you toward the 10-lookup limit fast.
The SPF 10 DNS Lookup Limit Explained
RFC 7208 strictly limits SPF evaluation to 10 DNS lookups per record. Exceed that number and receiving servers return permerror — which causes your SPF to fail entirely and (under DMARC enforcement) your mail to be rejected.
What Counts as a Lookup?
1 lookup: each include: mechanism
1 lookup: a mechanism
1 lookup: mx mechanism (plus one per returned MX host)
1 lookup: exists: mechanism
1 lookup: redirect= modifier
0 lookups: ip4:, ip6:, all — they are evaluated directly
Nested Lookups Stack
The trickiest part: lookups inside included records also count. include:_spf.google.com triggers 1 lookup at your level — but Google’s SPF record contains 3 more includes internally, each costing a lookup of its own. Just one Google include can therefore consume 4 of your 10 lookups.
How to Stay Under the Limit
Remove unused includes — audit which services actually still send for your domain.
Replace include: with ip4: where IPs are static — adds zero lookups.
Use SPF flattening tools — services that resolve all nested includes into a flat list of IPs (with the trade-off that the flattened record must be re-flattened whenever an upstream provider changes IPs).
Watch our live counter above — it warns you as soon as your record approaches 10 lookups.
Common SPF Mistakes to Avoid
Having multiple SPF records — only ONE SPF TXT record is allowed per domain. Two records causes SPF to fail entirely. Always merge.
Exceeding 10 DNS lookups — triggers permerror. Use ip4: for static IPs and flatten heavy includes.
Forgetting a sender — every service that sends email from your domain MUST be in the SPF record. Missing one causes silent SPF failures.
Using -all too early — strict enforcement before verifying every sender causes legitimate mail to bounce.
Using +all — this authorises every IP on the internet to send mail from your domain. It is effectively the same as having no SPF at all and is a major security risk.
Wrong include for the provider — for example using include:google.com instead of include:_spf.google.com.
Adding mx when you don’t need it — costs a lookup and adds nothing if your MX hosts are not also outbound senders.
SPF without DKIM — SPF alone breaks when emails are forwarded. DKIM survives forwarding; DMARC needs at least one to pass.
Storing SPF as the wrong DNS record type — modern SPF must be a TXT record. The old SPF record type is deprecated and ignored.
SPF vs DKIM vs DMARC — What’s the Difference?
📋
SPF
A whitelist of IP addresses and mail servers allowed to send email for your domain. Validated during the SMTP handshake using the Return-Path header.
Weakness: SPF breaks when email is forwarded, and it does not protect the visible “From” address.
A cryptographic signature added to email headers. The public key is published in DNS; receiving servers use it to verify the signature and confirm the message was not modified in transit.
Strength: Survives forwarding. Does not require IP-based authorisation.
Ties SPF and DKIM together, requiring at least one to align with the visible “From” domain. Adds enforcement policy and detailed reporting so you know exactly who is sending email using your domain.
The missing layer: Without DMARC, SPF and DKIM alone cannot prevent “From” address spoofing.
In short: SPF authorises servers, DKIM authorises content, and DMARC ties them to the visible sender identity. All three are needed for full email authentication.
Troubleshooting SPF Issues
SPF record returns permerror
Almost always means you exceeded the 10 DNS lookup limit, or you have two SPF records on the same domain. Audit your record using MXToolbox SPF Lookup and consolidate to a single record under 10 lookups.
Legitimate mail failing SPF
Identify the sending IP from your DMARC aggregate reports or directly from the bounce message, then add the corresponding service to your SPF record. Switch to ~all temporarily while you investigate to prevent further losses.
SPF passes but DMARC fails
This is an alignment issue. SPF authenticates the envelope-from (Return-Path), which can differ from the visible From: domain. Either configure the sending service to align Return-Path with your domain, or rely on DKIM alignment instead by enabling DKIM at the sender.
SPF works for some recipients but not others
Most likely email forwarding is happening (e.g. mailing lists, vanity-domain forwarders, or .edu aliases). Forwarding breaks SPF because the connecting IP changes. Solution: ensure DKIM is enabled so DMARC can still pass via DKIM alignment.
SPF record not visible after publishing
DNS propagation takes between 15 minutes and 48 hours. Verify with dig example.com TXT or MXToolbox. If after 48 hours the record is still missing, recheck that you saved it as TXT at the root (@), not the deprecated SPF type.
Cold emails still landing in spam despite valid SPF
SPF authenticates senders — it does not guarantee inbox placement. Spam folder placement depends on sender reputation, content, and inbox warm-up. Use Warmbase to build reputation alongside your authentication setup.
Frequently Asked Questions
SPF (Sender Policy Framework) is an email authentication record that tells receiving servers which IPs are authorised to send email for your domain. Without SPF, anyone in the world can connect to a mail server and impersonate your domain — putting your brand and customers at risk.
Yes — completely free, forever. No signup, no credit card, no usage limits. Generate SPF records for as many domains as you need.
Ten. SPF evaluation is strictly limited to 10 DNS lookups per record under RFC 7208. Exceeding 10 causes receivers to return permerror and your SPF fails entirely. Our live counter above warns you as you approach the limit.
Start with ~all (SoftFail) for at least 2–4 weeks. Monitor your DMARC aggregate reports to confirm every legitimate sender is in your record. Once verified, tighten to -all (HardFail) for stronger anti-spoofing protection.
No. Only ONE SPF TXT record is allowed per domain. Multiple SPF records cause SPF to fail entirely. If you need to add a new sender, merge their include: mechanism into your existing SPF record — don’t add a second record.
Log into your DNS provider (e.g. Cloudflare, GoDaddy, Namecheap), navigate to DNS Records, and add a new TXT record. Set the host to @ (your root domain) and paste the generated value as the TXT value. DNS propagation takes between 15 minutes and 48 hours.
No. SPF only authenticates the envelope-from (Return-Path) address, not the visible From: header. To protect against display-name spoofing you need DMARC layered on top of SPF and DKIM — DMARC ties authentication back to the visible From: domain.
Receivers return permerror and treat your SPF as failed. Under DMARC enforcement, this typically means your messages are quarantined or rejected. To fix it, audit your includes and replace as many include: mechanisms as possible with direct ip4: entries — these consume zero lookups.
Yes — SPF breaks when email is forwarded because the connecting IP changes to the forwarder’s IP. This is a fundamental limitation of SPF. The fix is to also configure DKIM, which survives forwarding by signing the message body and headers cryptographically.
Yes — SPF is a baseline requirement for cold email deliverability. Major ISPs like Gmail and Outlook penalise unauthenticated mail heavily. However SPF alone won’t land you in the inbox: you also need DKIM, DMARC, and inbox warm-up. Warmbase automates inbox warming so every cold email you send benefits from a trusted sender reputation.
Ready to Reach the Inbox?
You have your SPF record — now finish the setup. Warmbase automatically warms up your sending inboxes so every cold email, outreach sequence, and transactional message lands in the inbox, not the spam folder.
