SPF Record Builder
Build an SPF TXT record from common include / ip4 / ip6 / mx mechanisms.
Overview
The SPF record builder assembles a valid v=spf1 ... TXT record from the mechanisms you actually use: include: for SaaS senders, ip4: and ip6: for static addresses, mx for your own mail exchangers, and the qualifier that closes the record (-all for hard fail, ~all for soft fail). Tick the senders you authorise and the builder emits a single record under the 10-lookup and 255-byte limits.
Email administrators rolling out SPF on a new domain, deliverability teams investigating a fail verdict, and security engineers auditing the senders authorised for a brand all need an SPF builder.
How it works
Sender Policy Framework is defined in RFC 7208. The TXT record starts with v=spf1 and lists mechanisms space-separated. Mechanisms match a sending IP against authorised sources: ip4:, ip6:, a, mx, include:domain (which recursively pulls in another domain's SPF). Each mechanism may carry a qualifier prefix: + (pass, default), - (fail), ~ (soft fail), ? (neutral). The record ends with an all mechanism — -all rejects every IP not previously matched.
Two hard limits matter. SPF evaluation cannot exceed 10 DNS lookups (each include, a, mx, exists, or redirect counts as one); exceeding it returns permerror. The TXT record itself cannot exceed 255 bytes per string, and the total of all concatenated strings should stay under about 450 bytes for safety.
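The following is an added example, not code from this tool: it counts the worst-case DNS lookups behind a record by following nested include: and redirect= terms, then reports the result against the 10-lookup and 255-byte limits. The zone contents, the .test domain names and the function names count_lookups and audit are constructed for illustration, and the count assumes every term is evaluated (a real evaluator stops at the first match).

```python
# Constructed sample zone (reserved .test names, not real DNS data).
ZONE = {
    "example.test": "v=spf1 mx include:_spf.saas-a.test include:_spf.saas-b.test ip4:198.51.100.5 -all",
    "_spf.saas-a.test": "v=spf1 include:_a1.saas-a.test include:_a2.saas-a.test ~all",
    "_a1.saas-a.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_a2.saas-a.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.saas-b.test": "v=spf1 a mx exists:%{i}.bl.saas-b.test ~all",
    "busy.example.test": "v=spf1 include:example.test include:_spf.saas-b.test -all",
}

# Terms that cost one DNS lookup each; RFC 7208 also counts ptr.
LOOKUP_MECHS = {"include", "a", "mx", "exists", "ptr"}
MAX_LOOKUPS = 10
MAX_STRING = 255


def count_lookups(domain, zone, path=()):
    """Worst-case lookup count: every term evaluated, includes/redirects followed."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    path = path + (domain,)
    total = 0
    for term in zone[domain].split()[1:]:      # skip the v=spf1 tag
        term = term.lstrip("+-~?")             # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[len("redirect="):], zone, path)
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0]              # "a/24" and "mx/24" carry a CIDR suffix
        if name in LOOKUP_MECHS:
            total += 1
        if name == "include":
            total += count_lookups(arg, zone, path)
    return total


def audit(domain, zone=ZONE):
    """Report the lookup total and record size against the two limits."""
    lookups = count_lookups(domain, zone)
    size = len(zone[domain].encode("ascii"))
    return {
        "lookups": lookups,
        "result": "permerror" if lookups > MAX_LOOKUPS else "ok",
        "bytes": size,
        "fits_one_string": size <= MAX_STRING,
    }


if __name__ == "__main__":
    for d in ("example.test", "busy.example.test"):
        print(d, audit(d))
```

In the sample zone, example.test shows only three lookup terms at the top level but costs 8 once the nested includes are followed, and busy.example.test exceeds the limit with just two include: terms.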
Examples
- Google Workspace only: v=spf1 include:_spf.google.com -all
- Google + Mailchimp: v=spf1 include:_spf.google.com include:servers.mcsv.net -all
- Static mail server: v=spf1 ip4:198.51.100.5 -all
- Parked domain (no mail): v=spf1 -all (no senders are authorised)
FAQ
Should I use -all or ~all?
-all (hard fail) is the strongest signal and the recommended default once you have verified every sender works. ~all (soft fail) is a softer rollout used during initial deployment so legitimate mail does not bounce while you debug.
Why is the 10-lookup limit a problem?
A single include: of a large SaaS provider can chain to several more lookups internally. Stack a few of them and you hit 10 quickly, after which receivers return permerror and treat the verdict as undefined. Use SPF flattening tools or specific ip4/ip6 directives to consolidate.
Does SPF check the From: address?
No. SPF authenticates the envelope sender (MAIL FROM), not the visible From: header. DMARC layers alignment on top to bind the two.
How long until SPF changes take effect?
As soon as DNS propagates. Receivers typically cache TXT records for 5 minutes to a few hours depending on TTL.