SPF Record Generator
Generate a valid SPF record instantly with HasheTools' free SPF Record Generator. Prevent email spoofing, improve deliverability, and protect your domain, no sign-up required.
About SPF Record Generator
Create a valid SPF TXT record instantly, protect your domain from email spoofing, and boost deliverability. No account needed.
What Is the HasheTools SPF Record Generator?
The HasheTools SPF Record Generator is a free, browser-based tool that lets you build a properly formatted Sender Policy Framework (SPF) record for your domain in seconds. Whether you are a developer, system administrator, or small business owner, our tool removes the complexity of writing DNS records by hand, eliminating syntax errors that break email authentication.
Simply enter your domain details, specify your authorized sending sources, and instantly receive a ready-to-publish SPF TXT record that you can paste directly into your DNS settings.
What Is an SPF Record?
An SPF (Sender Policy Framework) record is a DNS TXT record that defines which mail servers are allowed to send emails on behalf of your domain. When an email is received, the recipient’s server checks your SPF record to verify whether the sending server is authorized. If it matches, the email passes authentication; otherwise, it may be flagged as spam or rejected.
Understanding the SPF Record Format
Every valid SPF record follows a defined structure. Here is a typical example:
| v=spf1 ip4:192.168.1.1 include:_spf.google.com include:sendgrid.net -all |
Each component of this record has a specific role:
| Component | Description |
| v=spf1 | Required version tag. Every SPF record must begin with this. |
| ip4:192.168.1.1 | Authorizes a specific IPv4 address to send email. |
| ip6:2001:db8::/32 | Authorizes a specific IPv6 address range. |
| include:domain.com | Delegates authorization to the SPF record of another domain (e.g., your ESP). |
| mx | Authorizes the domain's own MX (mail exchange) servers to send email. |
| a | Authorizes the domain's own A/AAAA record IP addresses. |
| -all | Hard fail: reject any email from unauthorized sources (recommended). |
| ~all | Soft fail, mark emails from unauthorized sources as suspicious. |
| ?all | Neutral, no policy applied (not recommended). |
| +all | Pass all, authorizes everyone (never use this). |
Why Does Your Domain Need an SPF Record?
Without an SPF record, anyone can send emails pretending to be from your domain. This can lead to phishing attacks, spam issues, and damage to your brand reputation.
A properly configured SPF record helps you:
- Prevent email spoofing and phishing
- Improve email deliverability (avoid spam folders)
- Build trust with providers like Gmail, Outlook, and Yahoo
- Support DMARC compliance for better email security
How to Use the HasheTools SPF Record Generator
Generating your SPF record with our tool takes less than two minutes. Follow these simple steps:
- Enter Your Domain: Type the domain name you want to protect (e.g., yourdomain.com). Do not include "www" or "https://".
- Add Authorized IP Addresses: Enter any IPv4 or IPv6 addresses of mail servers that send email on behalf of your domain.
- Include Third-Party Senders: Add the SPF include tags for email service providers you use (e.g., Google Workspace, Microsoft 365, Mailchimp, SendGrid, HubSpot, Zoho).
- Enable MX / A Record Authorization: Toggle whether your domain's existing MX or A records should also be authorized to send.
- Choose Your Failure Policy: Select -all (strict, recommended), ~all (soft fail for testing), or? all (neutral).
- Generate & Copy: Click "Generate SPF Record". Your formatted TXT record will appear. Copy it to your clipboard.
- Publish in Your DNS: Log in to your domain registrar or DNS provider and add the record as a TXT entry for your root domain (@).
- Verify with Our SPF Checker: After publishing, use the HasheTools SPF Checker to confirm your record is live and error-free.
How to Publish Your SPF Record in DNS
Once you have generated your SPF record, you need to publish it as a TXT record in your domain's DNS settings. Here is how to do it with the most popular providers:
General Steps (Works for Most Providers)
- Log in to your domain registrar or DNS hosting control panel.
- Navigate to DNS Management, Zone Editor, or Advanced DNS settings.
- Click "Add New Record" and select TXT as the record type.
- In the Host/Name field, enter @ (for the root domain) or your domain name.
- Paste the generated SPF record into the Value/Content field.
- Set the TTL (Time To Live) to 3600 (1 hour) or use the default value.
- Save the record. DNS changes typically propagate within 24–48 hours.
| DNS Provider | Host Field | Notes |
| GoDaddy | @ | Use the Advanced DNS tab |
| Cloudflare | @ | DNS > Add Record > TXT |
| Namecheap | @ | Advanced DNS > Add New Record |
| Google Domains | @ | DNS > Custom Resource Records |
| AWS Route 53 | yourdomain.com. | Trailing dot required |
| Bluehost | @ | cPanel > Zone Editor |
Common SPF Record Errors to Avoid
1. Too Many DNS Lookups (PermError)
SPF allows a maximum of 10 DNS lookups per record. Every include:, mx, a, and ptr mechanism counts as one lookup. Exceeding 10 causes a PermError and SPF failure for all emails. Solution: Consolidate by using SPF flattening or reduce the number of third-party services.
2. Multiple SPF Records for the Same Domain
Only one SPF TXT record is allowed per domain or subdomain. If you have two or more, receiving servers return a PermError. If you need to update your SPF record, replace the old one; do not create a new one alongside it.
3. Incorrect Syntax
Common syntax mistakes include misspelling include as inlcude, forgetting the v=spf1 version tag, or adding spaces where they do not belong. Our tool generates validated syntax automatically, but always double-check using an SPF checker after publishing.
4. Missing the 'all' Qualifier
Every SPF record should end with an all qualifier. Without it, results are undefined. Use -all for strict enforcement or ~all during rollout.
5. Forgetting Third-Party Senders
Many businesses forget to include email marketing platforms (Mailchimp, HubSpot), CRM tools (Salesforce), transactional email services (SendGrid, Postmark), or ticketing systems (Zendesk, Freshdesk). Missing any of them means emails from those services may fail SPF checks.
SPF, DKIM, and DMARC: The Complete Email Authentication Stack
SPF is the first layer of email authentication, but it should not be used alone. For complete protection, you should implement all three protocols:
| Protocol | What It Does | Limitation |
| SPF | Verifies that the sending server IP is authorized by the domain owner. | Does not protect the visible From address. Breaks with email forwarding. |
| DKIM | Adds a cryptographic signature to emails to verify the message content was not altered in transit. | A signature can be stripped by spammers. Requires key management. |
| DMARC | Ties SPF and DKIM together. Defines what to do when authentication fails (none, quarantine, reject). Provides forensic reporting. | Requires both SPF and DKIM to be correctly configured first. |
HasheTools also offers free DKIM Record Generator and DMARC Record Generator tools so you can set up your complete email authentication stack in one place.
Why Use HasheTools SPF Record Generator?
| Feature | What It Means for You |
| 100% Free, No Sign-Up | Generate unlimited SPF records instantly without creating an account or entering payment details. |
| Real-Time Record Preview | See your SPF record update live as you configure each setting, no need to regenerate. |
| RFC 7208 Compliant Output | Every record generated meets the current SPF standard, accepted by all major mail providers. |
| Supports All Major ESPs | Pre-built includes tags for Google Workspace, Microsoft 365, SendGrid, Mailchimp, HubSpot, Zoho, and more. |
| IPv4 & IPv6 Support | Authorize both modern and legacy IP address formats for complete coverage. |
| Beginner Friendly | Guided interface with plain-English explanations, no DNS expertise required. |
| Mobile Responsive | Works seamlessly on desktop, tablet, and mobile devices. |
| No Data Stored | Your domain and IP information are never saved or shared. Privacy first. |
SPF Record Best Practices
- One SPF record per domain: never publish two TXT records for the same domain.
- Keep DNS lookups under 10: audit your record regularly as you add email providers.
- Start with ~all and move to -all once you have verified all sending sources.
- Never use +all: this makes your SPF record useless by allowing all senders.
- Review your SPF record every time you add or remove an email service provider.
- Use the ptr mechanism sparingly: it is slow and unreliable. Prefer ip4/ip6 or include.
- Combine SPF with DKIM and DMARC for maximum protection against spoofing.
- After every change, validate your record using an SPF checker tool.
- For large enterprises with many vendors, consider SPF flattening or dynamic SPF services to stay under the 10-lookup limit.
Ready to Protect Your Domain?
Use the HasheTools SPF Record Generator above to generate your free SPF record right now. No sign-up. No limits. No cost.
More Tools
Frequently Asked Questions About SPF Record Generator
What is an SPF record generator?
An SPF record generator is a tool that automatically creates a valid Sender Policy Framework (SPF) DNS record for your domain by formatting authorized email senders into a ready-to-use TXT record.
Is the HasheTools SPF Record Generator free?
Yes. It is completely free to use with no limits, no account required, and no hidden charges.
How do I check if my domain has an SPF record?
Use the HasheTools SPF Checker by entering your domain. It will show your current SPF record and any configuration issues.
Can I have more than one SPF record for a domain?
No. A domain must have only one SPF record. Multiple records will cause SPF validation failure (PermError).
How long does it take for SPF to work?
SPF changes usually take effect within a few minutes to hours, but full DNS propagation can take up to 48 hours.
Is SPF enough to prevent email spoofing?
No. SPF should be used with DKIM and DMARC for full protection against spoofing and phishing attacks.
What is the difference between -all and ~all?
~all means soft fail (suspicious emails are allowed but marked), while -all means hard fail (unauthorized emails are rejected).
What happens if my SPF record exceeds 10 DNS lookups?
It will fail SPF validation (PermError), causing email delivery issues. You should reduce lookups or optimize your SPF record.