MedhaCloud

SPF Record Generator

About SPF Generator

Build a syntactically correct SPF record from scratch or import an existing one for editing. Add IPv4 ranges, IPv6 ranges, and include: chains for vendors (Google, Microsoft, Mailgun, SendGrid, etc.), then pick the right all mechanism for your enforcement level. A real-time DNS lookup counter keeps you under the 10-lookup hard limit. Copy the final TXT record, ready to paste into your DNS provider.

How the SPF generator works

Build, validate, copy

01 Add mechanisms

Drop in ip4/ip6 ranges (no DNS lookup), include: chains for vendors, and a/mx for your own mail servers. Order them by specificity.

02 Watch the lookup counter

Each include / a / mx / ptr / exists counts against the 10-lookup limit. The counter updates live so you see exactly when you're approaching PermError.

03 Pick "all" enforcement + copy

-all = strict (production), ~all = soft fail (rollout), ?all = neutral (testing). The generated record is ready to paste as a TXT record in your DNS provider.

Common gotchas this generator avoids

Mistakes that break SPF

Forgetting v=spf1 prefix

Every SPF record must start with "v=spf1". Without it, receivers ignore the record entirely. The generator adds this automatically.

Multiple SPF records on one domain

Two SPF records on the same domain make SPF invalid, and all mail fails authentication. Combine them into one v=spf1 line. The generator helps merge them.

Using +all (open relay)

+all tells receivers that any source is authorized to send mail for your domain. Spammers love it. The generator warns and defaults to -all.

Adding include: from retired vendors

A Mailgun include left in for two years still eats a DNS lookup. The generator marks unused includes so you can clean up.

Writing ip4 CIDR ranges incorrectly

CIDR notation matters: ip4:192.0.2.1 (single IP) vs ip4:192.0.2.0/24 (256 IPs). The generator validates CIDR ranges for you.

Putting -all before specific mechanisms

SPF is evaluated left to right. -all at the front matches first, so everything is blocked before the specific allow mechanisms can match. The generator enforces correct ordering.
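The checks described above (lookup counting through include: chains, the v=spf1 prefix, +all, the position of all, and CIDR validation) can be sketched as a small linter. This is an added example, not the generator's own code; the function names are hypothetical and SAMPLE_TXT is constructed data standing in for live DNS answers.

```python
import ipaddress

# Terms the page lists as costing a lookup (the redirect= modifier is not handled).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
# Constructed stand-in for DNS TXT answers; not real vendor records.
SAMPLE_TXT = {
    "_spf.vendor-a.example": "v=spf1 include:_netblocks.vendor-a.example ~all",
    "_netblocks.vendor-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

def split_term(term):
    """Split one SPF term into (qualifier, mechanism name, argument)."""
    qualifier = term[0] if term[0] in "+-~?" else "+"
    name, _, arg = term.lstrip("+-~?").partition(":")
    return qualifier, name.split("/")[0].lower(), arg

def count_lookups(record, txt=SAMPLE_TXT, path=frozenset()):
    """Count lookup-consuming terms, following include: chains through txt."""
    total = 0
    for term in record.split()[1:]:
        _, name, arg = split_term(term)
        if name in LOOKUP_MECHS:
            total += 1
        if name == "include" and arg in txt and arg not in path:  # skip loops
            total += count_lookups(txt[arg], txt, path | {arg})
    return total

def lint_spf(record, txt=SAMPLE_TXT):
    """Return the mistakes from the page's list that this record makes."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing v=spf1 prefix"]
    problems = []
    parsed = [split_term(t) for t in terms[1:]]
    for i, (qualifier, name, arg) in enumerate(parsed):
        if name in ("ip4", "ip6"):
            try:
                # Strict by default: 192.0.2.1/24 (host bits set) is flagged as a typo.
                if ipaddress.ip_network(arg).version != int(name[2]):
                    raise ValueError(arg)
            except ValueError:
                problems.append(f"bad {name} range: {arg}")
        if name == "all" and qualifier == "+":
            problems.append("+all authorizes any sender")
        if name == "all" and i != len(parsed) - 1:
            problems.append("all is not the last term")
    if count_lookups(record, txt) > 10:
        problems.append("more than 10 DNS lookups (PermError)")
    return problems
```

The host-bits check is stricter than SPF itself, which would still parse ip4:192.0.2.1/24; it is flagged here because it usually signals a mistyped range.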

FAQ

SPF generator — common questions

What is an SPF record?
An SPF (Sender Policy Framework) record is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. Without SPF, receivers cannot tell whether mail claiming to be from your domain is genuine — making your domain easy to spoof.
What is the 10 DNS lookup limit?
SPF has a hard limit of 10 DNS lookups per record (include:, a, mx, ptr, exists each count). Exceeding 10 causes PermError and ALL your SPF authentication fails. Chained includes for Google + Microsoft + Mailgun + Salesforce push you past 10. Our generator counts in real time so you can see when you're approaching the limit.
Should I use ip4/ip6, include, a, or mx mechanisms?
Prefer ip4/ip6 (no DNS lookup, fastest, most secure). Use include: only when your vendor doesn't publish stable IPs. Use a / mx sparingly — they consume DNS lookups. Order matters: put more-restrictive mechanisms first (like ip4 ranges), broad ones (~all) last.
What is SPF flattening and when should I do it?
SPF flattening replaces include: statements with the actual IPs they resolve to — converting "include:_spf.google.com" into the dozen IP4 addresses Google publishes. Pros: stays under the 10-lookup limit. Cons: when Google adds new IPs, your record breaks until you re-flatten. Flatten when you must exceed 10 lookups; otherwise prefer includes.
Why is -all stronger than ~all?
-all (hard fail) tells receivers to REJECT mail from unauthorized sources. ~all (soft fail) marks mail as suspicious but still delivers it. Production domains should use -all once SPF is verified working. Start with ~all during initial rollout, then move to -all after monitoring shows no legitimate mail is being blocked.
