Testimonials Blog Case Studies About Remote Support
Client Resources
Remote Access Client Portal Pay Invoice
Free tool

SPF Record Generator

Select every service that sends email as your domain, and this builds a correct SPF TXT record - while warning you if it exceeds the 10 DNS lookup limit that breaks SPF entirely.

Generated record

What this does

SPF, in plain English.

SPF (Sender Policy Framework) is a DNS record that tells other mail servers which systems are allowed to send email claiming to be from your domain. Without it - or with a broken one - anyone can send an email that appears to come from you, and receiving servers have no way to tell the difference. Publish this as a TXT record at the root of your domain (not a subdomain, unless you're specifically configuring one).

How to add this to your DNS records

DNS records live wherever your domain's DNS is hosted - usually your domain registrar (GoDaddy, Namecheap) or Cloudflare, sometimes your website host. The steps are nearly identical everywhere:

1. Sign in to your DNS provider and open the DNS management page for your domain (often labeled "DNS," "DNS Records," or "Manage Zones").

2. Check for an existing SPF record first. Look through your TXT records for one starting with v=spf1. If one exists, edit it - do not add a second one. Two SPF records break SPF for the entire domain.

3. Add (or edit) a TXT record with these values:
  • Type: TXT
  • Name / Host: @ (this means the root of your domain; some providers want it blank or your bare domain name instead)
  • Value / Content: the record generated above, exactly as shown
  • TTL: leave the default (or 1 hour)

4. Save, then verify. DNS changes can take a few minutes to a few hours to propagate. You can verify with a free SPF lookup tool (search "SPF checker"), or from a command line: nslookup -type=txt yourdomain.com - your new record should appear in the results.

Provider notes: In Cloudflare, TXT records have no proxy setting to worry about - just add and save. In GoDaddy, use @ for the Name field. In Microsoft 365 setups where Microsoft manages your DNS, add the record in the Microsoft 365 admin center under Settings → Domains → DNS records instead.

Common mistakes

Publishing more than one SPF record. A domain can only have one SPF TXT record. If you add a second one for a new service instead of editing the existing one, SPF breaks for the whole domain - most receiving servers will treat it as invalid entirely.

Exceeding 10 DNS lookups. Every include, a, mx, and a few other mechanisms count toward a hard limit of 10 DNS lookups per SPF check. Go over that limit and the entire record can fail validation - which is exactly why this tool counts them for you.

Using +all or forgetting to set enforcement. +all tells receiving servers to accept mail from anywhere as valid - it defeats the purpose of SPF entirely. Always end with ~all or -all.

Forgetting third-party senders. Marketing platforms, CRMs, invoicing tools, and helpdesk software often send email "as" your domain. If they're not included in your SPF record, their mail may get flagged or rejected - especially once DMARC enforcement is in place.

Not updating SPF after switching providers. If you move from Google Workspace to Microsoft 365 (or add a new tool), the old include should come out and the new one should go in - stale entries don't help you, and every entry counts against the lookup limit.

Not sure if it's actually working?

We'll publish it and confirm it.

Generating the record is the easy part - getting it into DNS correctly and verified against every real sending source is where mistakes happen. We'll do it right and monitor it going forward.

See Email & Cloud Services