What the SPF Generator does
SPF (Sender Policy Framework) tells receiving servers which mail systems are allowed to send email for your domain.
If SPF is missing or wrong, you get softfails, permerrors, random spam placement, and sometimes DMARC failures because alignment breaks.
This SPF generator helps you build a clean v=spf1 record without the usual mistakes like duplicate records, unsafe includes, and exceeding the DNS lookup limit.
If you are here because emails are failing:
- Run the full domain check to verify SPF, DKIM and DMARC together.
- Fix SPF/DKIM/DMARC alignment issues.
- Use FixKit for copy/paste recovery steps + a client-shareable PDF.
- Enable Monitoring so this doesn’t happen again.
When you should use this
- You are setting up a new sender like Amazon SES, Mailgun, Brevo, SendGrid, Google Workspace, or Microsoft 365.
- Your emails land in spam and the header shows spf=fail, softfail, or permerror.
- You changed providers and now have multiple includes and you are not sure what is still needed.
- You see “Too many DNS lookups” or you suspect you are close to SPF’s 10-lookup limit.
How to use it
- Enter your domain (the one in your From address).
- Select the providers you send with (only what you actually use).
- Generate the SPF record and copy it.
- Publish it in DNS as a TXT record on the root:
  - Name/Host: @ (or blank depending on DNS provider)
  - Type: TXT
  - Value: the generated v=spf1 ... line
- Wait for DNS propagation (often minutes, sometimes hours) and verify with InboxGreen checker.
Common mistakes
- Multiple SPF records: you must have only one TXT record that starts with v=spf1. Merge them.
- Using +all: that basically tells the world “anyone can send for me”. Don’t.
- Too many DNS lookups: too many includes can cause permerror.
- Forgetting subdomains: news.domain.com and domain.com can need separate SPF depending on how you send.
- Wrong domain in the From address: SPF checks the envelope sender (Return-Path) domain, which can differ from From.
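The first three mistakes above can be checked mechanically before a record is published. The following is an added example, not InboxGreen's own code: it lints SPF records held in a constructed in-memory zone (all domain names and addresses are placeholders) and gives a worst-case count of lookup-costing terms by following include: and redirect= targets.

```python
# Constructed sample zone (TXT records only); every name below is a placeholder.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail-a.example include:_spf.mail-b.example ~all"],
    "_spf.mail-a.example": ["v=spf1 ip4:192.0.2.0/24 include:_net.mail-a.example -all"],
    "_net.mail-a.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.mail-b.example": ["v=spf1 a mx -all"],
    "dup.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 include:_spf.mail-b.example ~all"],
    "open.example": ["v=spf1 +all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " ~all"],
}
ZONE.update({f"s{i}.example": [f"v=spf1 ip4:203.0.113.{i} -all"] for i in range(11)})

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup
MAX_LOOKUPS = 10

def spf_records(zone, domain):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, domain, path=()):
    """Worst-case count of lookup-costing terms, following include: and redirect=."""
    records = spf_records(zone, domain)
    if domain in path or len(records) != 1:  # loop or unusable target: stop descending
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        sep = "=" if term.startswith("redirect=") else ":"
        name, _, arg = term.lstrip("+-~?").partition(sep)
        name = name.split("/")[0]  # drop a CIDR suffix such as a/24
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(zone, arg, path + (domain,))
    return total

def lint(zone, domain):
    """Return a list of problems for the SPF record published at `domain`."""
    records = spf_records(zone, domain)
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        return ["multiple SPF records: merge into one"]
    problems = []
    if {"+all", "all"} & set(records[0].lower().split()):  # bare "all" defaults to +
        problems.append("+all: anyone can send for this domain")
    lookups = count_lookups(zone, domain)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups (limit {MAX_LOOKUPS}): permerror")
    return problems
```

To run it against a live domain, replace ZONE with the TXT answers returned by your resolver for each name the record references.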
FAQ
How many SPF records can I have?
One. If you have more than one v=spf1 TXT record, SPF can break or behave unpredictably. Merge them into a single record.
Should I use ~all or -all?
Start with ~all if you are not 100% sure you listed every sender.
Move to -all when you have verified everything and want strict enforcement.
Why does SPF pass but DMARC still fails?
DMARC needs alignment. SPF can pass for a different domain (like a bounce domain) and DMARC still fails.
If that’s happening, check alignment using InboxGreen checker and your message headers.
What does “SPF permerror too many DNS lookups” mean?
SPF evaluation involves DNS lookups, and it stops with permerror once the 10-lookup limit is exceeded. Includes, redirects, and nested records all count toward that limit.
The fix is reducing includes or flattening, but do it carefully so you do not break legitimate senders.
What to do next
After publishing your record, run a full scan with InboxGreen checker.
If you are also setting DMARC, use the DMARC generator to generate a safe starting policy.