Free SPF Record Generator

An SPF (Sender Policy Framework) record is a DNS TXT entry that lists which servers and services are allowed to send email on behalf of your domain. Receiving mailbox providers check it on every inbound message; if the sending server isn't on the list, the message fails SPF — which usually means the spam folder or a hard rejection (depending on your DMARC policy). Without SPF, anyone can spoof your domain in From: addresses, and Gmail/Yahoo will downgrade or refuse mail from your domain at bulk-sender volumes.

As a DNS TXT record at the apex (root) of your sending domain — the host is usually entered as @ or just the domain itself (depends on your DNS provider's UI). For example, on example.com the host is @ and the value is the full v=spf1 … string. Only one SPF record per domain — if one already exists, replace it (do not add a second; receivers will return permerror).

RFC 7208 §4.6.4 limits the number of DNS lookups receivers must perform when evaluating your SPF record to 10. Every include:, a, mx, exists, and redirect= counts as one — and nested includes count too. include:_spf.google.com alone costs 4 lookups (Google's record nests three more). Cross 10 and receivers return permerror, which DMARC treats as "no SPF" — silently breaking authentication for all your mail. The lookup-budget gauge in this tool visualizes exactly how close you are.

The all mechanism at the end tells receivers what to do with mail from servers NOT on your authorized list. ~all (soft fail) accepts the mail but marks it suspicious — the recommended starting point. -all (hard fail) rejects it outright — the strongest defense once you're confident your sender list is complete. ?all (neutral) is equivalent to having no SPF policy and almost never useful. +all means "everyone can send as me" — never use it. For DMARC compliance, ~all and -all are treated identically; pick the one you're comfortable with operationally.

No. RFC 7208 §3.2 explicitly forbids multiple v=spf1 records on the same DNS name. If a receiver finds two, it returns permerror and treats your domain as having no SPF at all — same outcome as if you exceeded the 10-lookup limit. Consolidate all your sender includes into a single TXT record. The tool flags this as a hard error if it sees more than one record during the lookup.

Some ESPs — HubSpot, ActiveCampaign, ConvertKit, Beehiiv, Substack — use per-customer SPF include subdomains like 1234567.spf04.hubspotemail.net. Because the exact host string is different for every customer account, there's no single preset we can ship for them. Grab the include from your provider's dashboard (HubSpot: Settings → Domains & URLs; ActiveCampaign: Settings → Deliverability), then paste it into the "Custom includes" field. The tool will still count its DNS lookups recursively and detect it on parse if it matches a known pattern.

A single TXT string is limited to 255 characters, but a TXT record can contain multiple quoted strings that receivers concatenate. Most DNS providers (Cloudflare, Route 53, Google Workspace, GoDaddy) handle the split automatically when you paste a long string; some require you to enter each chunk in quotes separated by spaces. If you're crossing 255 characters, you're probably also approaching the 10-lookup limit — consolidating senders or removing unused ESPs is a better fix than splitting the record.

DNS propagation typically completes within an hour for most receivers; some cache for up to 24 hours depending on the TTL you set on the record. The tool re-fetches the domain via DNS-over-HTTPS every time you submit, so the "Matches DNS" / "Differs from DNS" badge always reflects current truth. If you've just published a record and the tool still shows the old one, wait a few minutes and re-submit.

SPF alone is not enough. SPF authenticates the sending server; DKIM authenticates the message content with a cryptographic signature; DMARC tells receivers what to do when either fails — and is what mailbox providers actually use to enforce policy on spoofed mail. SPF + DKIM + DMARC is the canonical setup. Once your SPF is solid, head to the DMARC Record Generator to publish DMARC, and the DKIM setup guide for the third leg.

No — every DNS lookup is made directly from your browser to Google's public DNS-over-HTTPS endpoint (dns.google/resolve). The tool has no backend; nothing about your domain or sender configuration is sent to InboxAlly's servers. The record stays in your browser until you copy it.

A passing SPF check is one of three signals (alongside DKIM and DMARC alignment) that mailbox providers use to decide whether your mail is legitimate. Domains with no SPF — or with broken SPF (over 10 lookups, multiple records, +all) — are treated as unauthenticated, and Gmail, Yahoo, and Microsoft progressively downgrade unauthenticated mail toward the spam folder. Publishing valid SPF is the lowest-effort, highest-impact deliverability fix most senders can make.