What's the difference between ~all and -all in SPF?

~all (softfail) indicates that unauthorized emails should be marked as suspicious but accepted. -all (fail) indicates they should be rejected. Start with ~all to identify issues, then switch to -all once your configuration is validated.

Can I have multiple SPF records on my domain?

No, a domain must have only one SPF record. Having multiple SPF records causes a permerror. If you have multiple providers, combine them into a single record using multiple includes.

How do I configure SPF for Microsoft 365 / Office 365?

Add include:spf.protection.outlook.com to your SPF. Our generator adds it automatically when you select Microsoft 365. This include counts for approximately 2 DNS lookups.

How do I fix 'too many DNS lookups' in SPF?

If you exceed 10 lookups: 1) Remove unused includes, 2) Replace some includes with their IP addresses directly (ip4/ip6), 3) Use an SPF flattening service that resolves includes to IPs. Our generator displays the counter to help prevent this issue.

Free SPF Record Generator - Build Valid SPF Records in Seconds

What is an SPF record?

SPF (Sender Policy Framework) is an email authentication mechanism defined in RFC 7208. It allows a domain to declare which servers are authorized to send emails on its behalf.

Why configure SPF:

Protect your domain — Prevents email spoofing
Improve deliverability — Legitimate emails are better accepted by recipients
DMARC prerequisite — SPF is one of the two pillars of DMARC authentication (along with DKIM)
Industry standard — All major providers (Gmail, Outlook, Yahoo) check SPF

SPF record syntax

An SPF record is a DNS TXT record that always starts with v=spf1:

v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 ~all

SPF mechanisms

Mechanism	Description	Example	DNS Lookup
`include:`	Includes the SPF of another domain	`include:_spf.google.com`	Yes
`ip4:`	Authorizes an IPv4 address or range	`ip4:192.0.2.1` or `ip4:192.0.2.0/24`	No
`ip6:`	Authorizes an IPv6 address or range	`ip6:2001:db8::1`	No
`a`	Authorizes the IP of the domain's A record	`a` or `a:mail.example.com`	Yes
`mx`	Authorizes the domain's MX servers	`mx`	Yes
`all`	Defines the default behavior	`-all`, `~all`, `?all`	No

Policy qualifiers

Policy	Syntax	Meaning	Recommendation
Fail	`-all`	Reject unauthorized emails	Production (after testing)
Softfail	`~all`	Mark as suspicious but accept	Recommended to start
Neutral	`?all`	No policy (weak protection)	Not recommended

The 10 DNS lookup limit

RFC 7208 imposes a maximum of 10 DNS lookups during SPF record evaluation. This is a strict limit that, if exceeded, causes a permerror and validation failure.

What counts as a lookup

Mechanism	Counts as lookup?	Note
`include:`	Yes (+ nested lookups)	Google = ~4 lookups
`a`	Yes
`mx`	Yes	+ 1 per resolved MX
`redirect=`	Yes
`exists:`	Yes
`ip4:` / `ip6:`	No	Use these to save lookups
`all`	No

Lookup count example

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net mx ~all

Mechanism	Lookups
`include:_spf.google.com`	4
`include:sendgrid.net`	1
`include:servers.mcsv.net`	1
`mx`	1
Total	7 / 10

Our generator displays this counter in real time to help you stay under the limit.

Preconfigured email providers

Our generator includes 14 providers with their official SPF includes:

Provider	SPF Include	DNS Lookups
Google Workspace	`_spf.google.com`	~4
Microsoft 365	`spf.protection.outlook.com`	~2
SendGrid	`sendgrid.net`	1
Mailchimp	`servers.mcsv.net`	1
Amazon SES	`amazonses.com`	1
Brevo (Sendinblue)	`sendinblue.com`	1
Mailgun	`mailgun.org`	1
Postmark	`spf.mtasv.net`	1
HubSpot	`spf.hubspot.com`	1
Salesforce	`_spf.salesforce.com`	~2
Zendesk	`mail.zendesk.com`	1
Freshdesk	`email.freshdesk.com`	1
Zoho	`zoho.com`	1
Klaviyo	`_spf.klaviyo.com`	1

FAQ - Frequently Asked Questions

Q: How do I create an SPF record for my domain?

A: Use our generator: 1) Select your email providers, 2) Add your custom IPs if needed, 3) Choose the policy (~all recommended), 4) Copy the TXT record and add it to your DNS zone.

Q: What is the 10 DNS lookup limit in SPF?

A: RFC 7208 imposes a maximum of 10 DNS lookups. Each include, a, mx, redirect and exists counts. ip4/ip6 don't count. Exceeding this limit causes a permerror.

Q: What's the difference between ~all and -all?

A: ~all (softfail) marks unauthorized emails as suspicious. -all (fail) rejects them. Start with ~all for testing, then switch to -all in production.

Q: Can I have multiple SPF records?

A: No, a domain must have only one SPF. Multiple SPF records cause a permerror. Combine your providers into a single record.

Q: How do I configure SPF for Google Workspace?

A: Add include:_spf.google.com. Our generator does this automatically. This include counts for ~4 DNS lookups.

Q: How do I configure SPF for Microsoft 365?

A: Add include:spf.protection.outlook.com. Our generator adds it when you select Microsoft 365. Counts for ~2 lookups.

Q: How do I fix "too many DNS lookups"?

A: 1) Remove unused includes, 2) Replace some includes with direct IPs (ip4/ip6), 3) Use an SPF flattening service. Our generator displays the counter to prevent this issue.

Tool	Purpose
SPF Record Check	Verify your published SPF and its validity
SPF Syntax Check	Validate SPF syntax before publishing
DKIM Generator	Create your DKIM keys (RSA/Ed25519)
DMARC Generator	Configure DMARC to complete authentication
Mail Tester	Test your email deliverability

Useful resources

RFC 7208 - Sender Policy Framework (SPF) — Official SPF specification
RFC 7489 - DMARC — How SPF integrates with DMARC
Google Workspace - Set up SPF — Official Google guide
Microsoft 365 - Set up SPF — Official Microsoft guide

Free SPF Record Generator

Build a valid SPF record in seconds with 14 preconfigured providers

Additional IPs and includes

Additional mechanisms

14 preconfigured providers

DNS lookup counter

Configurable policy

Custom IPs

Deployment instructions