SPF Record Generator
Build a valid SPF TXT record with mechanism qualifiers, includes, IP ranges, and an all stance. Parse and validate any record in your browser.
Quick presets
Tap a preset to load a common SPF starting point. Your domain is preserved.
Domain
The domain you are protecting. SPF lives at the apex (or subdomain) as a TXT record.
Host: example.com
Add a mechanism
Pick a type, enter the value, and Add. Most domains only need one or two include: lines and a final all stance.
include:
Recursively evaluate another SPF record. Costs a DNS lookup.
Mechanisms (0)
Add at least one mechanism to authorize a sender, or pick the Parked / non-sending preset for a domain that must reject all mail.
Terminating all
Soft fail. Any sender not listed is marked suspicious but still delivered. The recommended steady-state for most domains.
redirect=
Delegate evaluation to another domain's SPF record. Counts as a DNS lookup.
exp=
Domain whose TXT record provides an explanation string. Rarely used.
Generated SPF TXT record
Publish this as a TXT record at example.com. Lookups used: 0/10.
v=spf1 ~all
No senders are explicitly authorized. Senders not on the list above will SoftFail and may be marked suspicious.
DNS provider snippets
Drop into your DNS host or zone file. Replace placeholder zone IDs and resource groups.
BIND zone file
example.com. IN TXT "v=spf1 ~all"
Cloudflare DNS (UI)
Type: TXT
Name: @ (or example.com)
Content: v=spf1 ~all
TTL: Auto (or 3600)
Route 53 (AWS CLI)
aws route53 change-resource-record-sets \
  --hosted-zone-id ZXXXXXXXXXXXXX \
  --change-batch '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"example.com.","Type":"TXT","TTL":3600,"ResourceRecords":[{"Value":"\"v=spf1 ~all\""}]}}]}'
Google Cloud DNS / Workspace
Record type: TXT
DNS name: example.com
TTL: 3600 seconds
Value: "v=spf1 ~all"
Azure DNS (CLI)
az network dns record-set txt add-record \
  --resource-group MY-RG \
  --zone-name example.com \
  --record-set-name @ \
  --value "v=spf1 ~all"
Quick reference
v=spf1
Required first term. Receivers ignore TXT records that do not begin with v=spf1, so a record without it is invisible.
ip4 / ip6
The cheapest mechanisms. They consume zero DNS lookups. Prefer them when you control the sending IP range.
include:
Recursively evaluate another SPF record. Costs one lookup, plus all lookups inside the included record. Watch the 10-lookup ceiling.
a / mx
Match the A or MX records of the current or named domain. Each costs one lookup, and mx adds one per MX target.
-all vs ~all
-all (Fail) lets receivers reject at SMTP. ~all (SoftFail) accepts but flags. Roll out from ~all and tighten to -all once reports are clean.
10-lookup limit
RFC 7208 caps total DNS lookups at 10 across the record and every nested include. Going over returns PermError. Replace deep includes with explicit ip4 / ip6 blocks to flatten.
ptr (deprecated)
ptr triggers reverse-DNS validation and is deprecated by RFC 7208 section 5.5. Many receivers ignore it. Replace with ip4 / ip6 / include.
One record per domain
Only one v=spf1 TXT record can exist per host. Combining multiple sources means merging their includes and ip mechanisms into a single record.
How to use
- Pick a preset (Google Workspace, Microsoft 365, SendGrid, Mailgun, self-hosted, parked) to load a known-good starting record, or skip presets and build from scratch.
- Enter your domain, then add mechanisms one at a time: choose ip4 / ip6 / include / a / mx / exists / ptr, type the value (an IP, a CIDR, a domain, or blank for the current domain), and click Add. Reorder with Up / Down and remove with Remove.
- Set a qualifier per mechanism (+ Pass, - Fail, ~ SoftFail, ? Neutral). Most mechanisms stay at +. The qualifier matters most on the terminating all.
- Pick the terminating all stance: -all (strict reject), ~all (soft fail, the safe default during rollout), ?all (neutral, debugging only), +all (anti-pattern, avoid), or omit it. Optionally fill redirect= or exp=.
- Read the lookup counter and the issue list. Flatten includes into ip4 / ip6 ranges if you cross the 10-lookup limit. Click Copy value to grab the record, then paste it into your DNS host using the BIND, Cloudflare, Route 53, Google, or Azure snippet underneath.
- Switch to Parse and explain to paste any existing record (yours or someone else's) and see term-by-term validation, lookup totals, and effective behavior.
About this tool
SPF Record Generator is a two-mode tool for the Sender Policy Framework TXT record defined in RFC 7208. The Build mode lets you assemble a record from the ground up: pick mechanisms (a, mx, ip4, ip6, include, exists, ptr), set a qualifier on each (+ Pass, - Fail, ~ SoftFail, ? Neutral), reorder them, set the terminating all stance (-all, ~all, ?all, +all, or omit), and optionally add the redirect= and exp= modifiers.
The Parse mode accepts any SPF record value (with or without the v=spf1 prefix, and with or without the surrounding double quotes some DNS providers display) and breaks it into the underlying terms with per-term descriptions, qualifier explanations, validation, and a record-level summary.
Both modes count the DNS lookups RFC 7208 caps at 10 (a, mx, include, exists, redirect, and ptr each cost one) and warn when you cross the threshold; the parser cannot follow nested includes without making a network request, so it counts only the lookups in the local record and tells you that nested includes can add more.
Quick presets cover the senders most domains actually use (Google Workspace, Microsoft 365, SendGrid, Mailgun, self-hosted with a + mx, parked / non-sending) so you can start from a working record and tune from there. Output appears as a normalized v=spf1 ... TXT record value plus copy-paste DNS provider snippets for BIND zone files, Cloudflare, Route 53 (AWS CLI), Google Cloud DNS, and Azure DNS (CLI). A plain-English summary explains the effective behavior, and the issue list flags PermError-causing problems (missing v=spf1, over the 10-lookup limit, ip4 / ip6 with bad CIDR, deprecated ptr, +all anti-pattern, redirect colliding with all, mechanisms after all).
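
The local checks described above (lookup counting and the issue list), sketched in Python as an added example. This is not the tool's own code; `lint_spf` and the sample records are constructed for illustration, and like the Parse mode it counts only lookups in the record itself without following includes.

```python
import ipaddress
import re

# Terms that each cost one DNS lookup toward the RFC 7208 limit of 10.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
MECHANISMS = {"all", "a", "mx", "ip4", "ip6", "include", "exists", "ptr"}

def lint_spf(record):
    """Return (local_lookups, issues) for one SPF TXT value. No DNS queries."""
    terms = record.strip().strip('"').split()
    issues, lookups, all_seen, has_redirect = [], 0, False, False
    if terms and terms[0].lower() == "v=spf1":
        terms = terms[1:]
    else:
        issues.append("missing v=spf1: receivers ignore this record")
    for term in terms:
        modifier = re.fullmatch(r"([A-Za-z][\w.-]*)=(.*)", term)
        if modifier:  # redirect=, exp= or an unknown modifier
            if modifier.group(1).lower() == "redirect":
                has_redirect, lookups = True, lookups + 1
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as a/24
        if all_seen:
            issues.append(f"{term}: placed after all, never evaluated")
        if name not in MECHANISMS:
            issues.append(f"{term}: unknown mechanism")
        elif name in LOOKUP_TERMS:
            lookups += 1
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family mismatch")
            except ValueError:
                issues.append(f"{term}: bad address or CIDR")
        elif name == "ptr":
            issues.append(f"{term}: ptr is deprecated (RFC 7208 section 5.5)")
        elif name == "all":
            all_seen = True
            if qualifier == "+":
                issues.append(f"{term}: +all authorizes every sender")
    if has_redirect and all_seen:
        issues.append("redirect= is ignored because all is present")
    if lookups > 10:
        issues.append(f"{lookups} local lookups exceed the limit of 10")
    return lookups, issues

# Constructed sample records (not taken from any real domain).
GOOD = '"v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx ~all"'
BAD = "v=spf1 ptr ip4:192.0.2.0/33 +all include:a.example redirect=b.example"
```

Calling `lint_spf(BAD)` reports the deprecated ptr, the invalid /33 prefix, the +all stance, the include placed after all, and the ignored redirect=.
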
Useful for new domains setting up email authentication, devops fixing inherited records that fail SPF alignment, marketers adding a new ESP without breaking existing senders, security teams hardening parked domains so they cannot be spoofed, and anyone debugging a 'spf=permerror' or 'spf=fail' return path. Everything runs locally in your browser. The domain, IPs, and includes you type here never leave your device, and no DNS queries are issued.
Free to use. Works in your browser. No signup, no login.