Validate your SPF record, count DNS lookups, trace include chains, and generate SPF records for the email providers you use.
SPF (Sender Policy Framework) is a DNS-based email authentication standard defined in RFC 7208. It lets domain owners publish a list of authorised sending mail servers as a TXT record in DNS. When a receiving mail server accepts an inbound message, it checks the sending IP against the SPF record for the domain in the From header. If the IP is not listed, the receiving server can reject or flag the message.
SPF alone does not prevent spoofing of the visible From address — that requires DMARC. But SPF is a prerequisite for DMARC alignment and a fundamental layer of email authentication alongside DKIM.
RFC 7208 limits SPF evaluation to a maximum of 10 DNS lookups. Each of the following mechanisms counts as one lookup: include, a, mx, ptr, and exists. Exceeding this limit causes a PermError, which means SPF fails permanently for that evaluation.
This becomes a problem when using multiple email services. A typical setup might include Google Workspace, Mailchimp, and a transactional provider, and each of those includes may itself include other records, quickly consuming all 10 lookups. Use this tool to see your exact lookup count and which includes are contributing most.
An SPF record is a space-separated list of mechanisms and modifiers. Each mechanism can be prefixed with a qualifier that determines what happens when the mechanism matches.
ip4: / ip6:   Authorise specific IP addresses or CIDR ranges. No DNS lookup required.
include:      Delegate to another domain's SPF record. Counts as one lookup.
a             Authorise IPs in the domain's A/AAAA records. Counts as one lookup.
mx            Authorise IPs of the domain's MX servers. Counts as one lookup.
-all          Hardfail: reject all senders not matched above.
~all          Softfail: accept but flag senders not matched above.
The qualifiers are + (pass, the default), - (fail), ~ (softfail), and ? (neutral). The all mechanism at the end of the record is the catch-all for senders not matched by any earlier mechanism.
The SPF Generator in the tool above lets you build a valid SPF record by selecting the email providers you use. Each preset adds the correct include directive for that provider's sending infrastructure. You can also add custom IP ranges for on-premise mail servers or other services.
Once generated, add the record to your DNS zone as a TXT record with the name @ (representing your root domain). A domain should have exactly one SPF TXT record; multiple SPF records cause a PermError. After publishing, use the checker above to verify the record is correct and within the 10-lookup limit.
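The 10-lookup limit and the one-record rule described above can be checked statically, as in this added example (not the tool's own code). It walks include chains over a constructed in-memory zone instead of live DNS and reports the cost of each include. The names `ZONE`, `spf_record`, `count_lookups` and `check` are hypothetical, and it also counts the `redirect` modifier, which RFC 7208 includes in the limit alongside the five mechanisms listed earlier.

```python
import re

LOOKUP_LIMIT = 10                                   # RFC 7208 cap on DNS-querying terms
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}
FOLLOWED = {"include", "redirect"}                  # terms that pull in another SPF record
ZONE = {  # constructed TXT data standing in for live DNS; not real provider records
    "example.test": ["v=spf1 mx include:_spf.mail.test include:bulk.test ip4:192.0.2.0/24 ~all"],
    "_spf.mail.test": ["v=spf1 include:_a.mail.test ip6:2001:db8::/32 ~all"],
    "_a.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "bulk.test": ["v=spf1 a exists:%{i}.rbl.bulk.test -all"],
    "dup.test": ["v=spf1 -all", "v=spf1 mx -all"],  # two SPF records on one name
}

class PermError(Exception):
    """Permanent SPF error: the record set cannot be evaluated."""

def spf_record(domain, zone):
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise PermError(f"{domain}: {len(records)} SPF records published")
    return records[0] if records else None

def count_lookups(domain, zone, trace, depth=0, seen=()):  # worst case: every term counted
    if domain in seen:
        raise PermError(f"include loop at {domain}")
    record = spf_record(domain, zone)
    if record is None and depth:
        raise PermError(f"{domain}: included domain has no SPF record")
    total = 0
    for term in (record or "").split()[1:]:         # skip the v=spf1 version tag
        parts = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)
        name, arg = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if name not in COUNTED:
            continue                                # ip4, ip6, all: no DNS query
        entry = [depth, term, 1]                    # [nesting depth, term, term + subtree cost]
        trace.append(entry)
        if name in FOLLOWED:
            entry[2] += count_lookups(arg.lower().rstrip("."), zone, trace, depth + 1, seen + (domain,))
        total += entry[2]
    return total

def check(domain, zone=ZONE):
    trace = []
    try:
        total = count_lookups(domain, zone, trace)
    except PermError as exc:
        return "permerror", str(exc), trace
    return ("permerror" if total > LOOKUP_LIMIT else "ok"), f"{total} of {LOOKUP_LIMIT} lookups", trace
```

A receiving server counts lookups as it evaluates and stops at the first match, so this static count is the upper bound a sender should plan against.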
SPF is one part of a complete email authentication setup. For full protection against spoofing and phishing, also configure DKIM and DMARC: