π SPF Record Builder
Generate a valid SPF TXT record for your domain
π§ Related Tools
1. Start from existing SPF (optional)
Paste your current SPF record to prefill the options below.
2. Email Providers
3. Custom Includes
One include domain per line (e.g. _spf.example.com)
4. Your Mail Server IPs
One IP or CIDR range per line (IPv4 or IPv6)
5. Mechanisms
6. All Mechanism
Generated SPF Record
Add this as a TXT record at your domain root (e.g. @ or yourdomain.com).
Need help with your SPF setup?
Frequently Asked Questions
What is SPF?
SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. Receiving mail servers check SPF to verify that an incoming email came from a server you have approved. Without SPF, anyone can send email claiming to be from your domain, making your domain vulnerable to spoofing. SPF is one of the three email authentication standards (alongside DKIM and DMARC) required by Google and Yahoo for bulk senders.
Should I use ~all or -all?
~all (SoftFail) is recommended for most deployments. Emails from unauthorised servers will be flagged but not outright rejected, reducing the risk of accidentally blocking legitimate email (e.g. from a forwarding service or a third-party sender you forgot to include). Once you are confident your SPF record includes all your legitimate senders, you may consider switching to -all (Fail) for stricter enforcement. However, -all can cause problems with email forwarding chains. Consult your DMARC reports before tightening the policy.
What is the 10 DNS lookup limit?
SPF allows a maximum of 10 DNS lookups during evaluation. Each include:, a, and mx mechanism triggers at least one lookup. If your record exceeds 10 lookups, SPF evaluation returns a "PermError" and fails β even for legitimate email. This is a hard limit defined in RFC 7208. If you use many email services, you may need to "flatten" your SPF record (replace include: references with the actual IP ranges) or use a service that automatically manages SPF flattening.
Do I need both SPF and DMARC?
Yes. SPF on its own does not prevent spoofing β SPF checks the "envelope from" address (the technical bounce address) rather than the visible From: address in the email client. An attacker can pass SPF while still spoofing the visible From: header. DMARC adds "alignment" β it requires that the authenticated domain matches the visible From: address. DMARC also provides reporting so you can see who is sending email as your domain. For meaningful protection against phishing and spoofing, you need SPF + DKIM + DMARC working together.
Privacy Policy
Data Collection: This SPF Record Builder processes data to provide results. The SPF builder runs entirely in your browser. No data you enter is transmitted to our servers unless you submit a support request. We do not store, log, or share the domain names or data you submit beyond what is necessary to return your results.
Data Usage: Your input is used solely to generate results. No data is saved, analysed for profiling, or shared with third parties. Each new check operates independently.
DNS Lookups: To check your domain, we perform DNS queries via Google's DNS-over-HTTPS (dns.google). These queries are subject to Google's Privacy Policy. Only the domain name is transmitted β no personally identifiable information.
Support Requests: If you submit a support request, your name, email address, and message are transmitted securely to our support team via SMTP2Go. This information is used solely to respond to your query.
Analytics: We may collect anonymized usage statistics (page views, tool usage frequency) to improve functionality. This does not include the domain names you check or any personally identifiable information.
Contact: For privacy enquiries or questions, please contact us at support@osh.co.za or visit osh.co.za/contact.