SPF Record Builder

Q: What should my SPF record contain?

Your SPF record should start with v=spf1, followed by an include: mechanism for each email service that sends on your behalf (such as Google Workspace, Microsoft 365, or your marketing platform). Add ip4: entries for any custom mail servers, and end with -all or ~all to define how unauthorised senders should be treated.

Q: Should I use -all or ~all?

Use ~all (softfail) during initial setup and testing. This marks unauthorised senders as suspicious without outright rejecting them, giving you time to ensure all legitimate services are included. Once you are confident your SPF record is complete, switch to -all (hardfail) for stronger protection. Both qualifiers work correctly with DMARC enforcement.

Q: How do I add multiple email services to SPF?

Add an include: mechanism for each service within a single SPF TXT record. For example: v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net ~all. Remember that each include counts towards the 10-lookup limit, so monitor your total carefully.

Build a valid SPF record by adding mechanisms and choosing a policy

Domain (optional)

Used for display purposes only. The SPF record works for any domain.

SPF Mechanisms

Quick Add Common Services

No mechanisms added yet. Use the form above or quick-add buttons.

SPF Policy (All Mechanism)

Generated SPF Record

DNS Host

TXT Record Value

What is SPF?

SPF (Sender Policy Framework) tells email receivers which servers are authorized to send email for your domain.

Prevents unauthorized email sending
Improves deliverability
Required for DMARC compliance
Maximum 10 DNS lookups allowed

Want automated management?

DMARC Busta's Autopilot manages SPF, DKIM, and DMARC automatically with AI-powered decisions.

Get Started Free

How to Build an SPF Record

A step-by-step guide to creating a correctly formatted SPF TXT record for your domain

Every SPF record follows a consistent structure. It begins with v=spf1, which identifies the record as SPF version 1. After this version tag, you list the mechanisms that define which servers are authorised to send email on behalf of your domain. The record ends with a qualifier — typically ~all (softfail) or -all (hardfail) — that tells receiving servers how to handle messages from unlisted senders.

The most common mechanism is include:, which authorises third-party email services like Google Workspace or Microsoft 365. You can also use ip4: and ip6: to authorise specific IP addresses, a to authorise your domain's A record, and mx to authorise your domain's MX servers.

Once you have built your SPF record, use the SPF Checker to validate it and confirm your DNS lookups stay within the 10-lookup limit. SPF works alongside DMARC and DKIM to provide complete email authentication for your domain.

Example Built Record


                                v=spf1
                                include:_spf.google.com
                                include:sendgrid.net
                                ip4:203.0.113.5
                                ~all

Steps to Build

Start with v=spf1

Add mechanisms for each sending service

Stay under 10 DNS lookups total

End with ~all or -all

SPF Mechanisms Explained

The building blocks that define which servers are authorised to send email for your domain

include

Authorises a third-party email service to send on your behalf. For example, include:_spf.google.com authorises Google Workspace. Each include counts as one DNS lookup.

ip4 / ip6

Authorises a specific IPv4 or IPv6 address or range. Useful for dedicated mail servers or on-premise infrastructure. These do not count towards your DNS lookup limit.

a

Authorises the IP address found in your domain's A record. Helpful when your web server also sends email directly. Counts as one DNS lookup.

mx

Authorises all servers listed in your domain's MX records. Useful when your inbound mail servers also handle outbound email. Counts as one DNS lookup.

all (Catch-All Qualifier)

The catch-all qualifier at the end of your SPF record defines how unauthorised senders are treated.

-all

Hardfail (reject)

~all

Softfail (suspicious)

?all

Neutral (no enforcement)

Common SPF Building Mistakes

Avoid these frequent errors when creating your SPF record

Exceeding 10 DNS Lookups

Every include:, a, mx, and redirect= mechanism counts towards this limit, and nested includes add up quickly.

Fix: If you exceed 10 lookups, SPF returns a permanent error (permerror) and your emails may be rejected. Use SPF flattening to resolve IP addresses and reduce your lookup count.

Using +all

+all

Dangerous

~all

Softfail

-all

Hardfail

+all authorises every server on the internet to send email as your domain, completely defeating SPF. Always use ~all or -all instead.

Forgetting Email Services

Organisations often overlook services that send email on their behalf. Marketing platforms, transactional email providers, CRM systems, helpdesk tools, and even invoicing software may all send from your domain. Fix: Audit every service before building your SPF record, or risk legitimate emails failing authentication.

Multiple SPF Records

DNS allows only one SPF TXT record per domain. If you publish two or more SPF records, receiving servers will return a permanent error and ignore both. Fix: Merge all mechanisms into a single, consolidated SPF record rather than creating a second one.

Automate this: Managing SPF across multiple domains and services can become complex quickly. DMARC Busta's Autopilot mode monitors your records, flags issues, and keeps your configuration within safe limits as your organisation grows.

Frequently Asked Questions

What should my SPF record contain?

Your SPF record should start with v=spf1, followed by an include: mechanism for each email service that sends on your behalf (such as Google Workspace, Microsoft 365, or your marketing platform). Add ip4: entries for any custom mail servers, and end with -all or ~all to define how unauthorised senders should be treated.

Should I use -all or ~all?

Use ~all (softfail) during initial setup and testing. This marks unauthorised senders as suspicious without outright rejecting them, giving you time to ensure all legitimate services are included. Once you are confident your SPF record is complete, switch to -all (hardfail) for stronger protection. Both qualifiers work correctly with DMARC enforcement.

How do I add multiple email services to SPF?

Add an include: mechanism for each service within a single SPF TXT record. For example: v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net ~all. Remember that each include counts towards the 10-lookup limit, so monitor your total carefully.

What happens if I exceed 10 DNS lookups?

When your SPF record exceeds 10 DNS lookups, the SPF evaluation fails with a permanent error (permerror). Receiving mail servers treat this as if no SPF record exists, which means your emails may be rejected or marked as spam — particularly if you have a DMARC policy in place. Use SPF flattening to convert include mechanisms into direct IP addresses and reduce your lookup count.

Related Tools

More free tools to secure your email authentication

Automate Your SPF Management

Stop manually building and maintaining SPF records. DMARC Busta monitors your domains, manages DNS lookups, and keeps your email authentication healthy across all your services.