SPF Record Generator

What is SPF?

Sender Policy Framework (SPF) is an email authentication protocol defined in RFC 7208. It allows domain owners to publish a DNS TXT record specifying which mail servers are authorized to send email on behalf of their domain. Receiving servers check incoming mail against this record and can reject or flag messages from unauthorized sources.

SPF records are evaluated left to right, with each mechanism checked in order. The first match determines the result. A critical constraint is the 10 DNS lookup limit: mechanisms like include, a, mx, redirect, and exists each consume one lookup. Exceeding 10 causes a permanent error (permerror), and many receivers treat the entire record as invalid.

Best practice is to end your SPF record with -all (hard fail) to explicitly reject unauthorized senders. During initial setup, ~all (soft fail) can be used while confirming all legitimate senders are covered.

SPF Mechanism Types

DNS Lookup Limits

RFC 7208 limits SPF evaluation to 10 DNS lookups (include, a, mx, redirect, exists). Exceeding this causes a permerror, which many receivers treat the same as a hard fail. Organizations with many third-party senders often run into this limit. Strategies include:

• Flattening includes into explicit ip4/ip6 ranges
• Consolidating senders to reduce include chains
• Using subdomains with separate SPF records for different services

Our SPF Supply Chain 2026 study found that 148,655 domains (4.8%) exceed the 10-lookup limit across 5.5 million scanned domains.

Read the complete SPF guide to learn more.