{"id":8034,"date":"2026-07-10T21:54:20","date_gmt":"2026-07-10T21:54:20","guid":{"rendered":"https:\/\/www.warmy.io\/blog\/?p=8034"},"modified":"2026-07-10T21:56:27","modified_gmt":"2026-07-10T21:56:27","slug":"spf-record-generator-guide","status":"publish","type":"post","link":"https:\/\/www.warmy.io\/blog\/email-best-practices\/spf-record-generator-guide\/","title":{"rendered":"How to Create &amp; Check an SPF Record in 2026 (+Free Generator)"},"content":{"rendered":"\n<p><strong>TL;DR<\/strong><\/p>\n\n\n\n<p>An <a href=\"https:\/\/knowledge.workspace.google.com\/admin\/security\/about-spf-records?hl=es-419\" rel=\"noopener\" target=\"_blank\" rel=\"noopener noreferrer\">SPF record<\/a> is a single TXT record in your domain&#8217;s DNS that lists which servers are allowed to send email using your domain. To create one, publish a TXT record at your root domain that starts with v=spf1, add an include or IP for each sending service, and end with -all. To check it, run your domain through an SPF checker and confirm you have exactly one record, clean syntax, and fewer than 10 DNS lookups. You can generate an SPF record with Warmy&#8217;s free <a href=\"https:\/\/www.warmy.io\/free-tools\/spf-generator\/\" target=\"_blank\" rel=\"noopener noreferrer\">SPF generator.<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What an SPF record is<\/strong><\/h2>\n\n\n\n<p>Sender Policy Framework (SPF) is an email authentication standard defined in <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc7208\" rel=\"noopener\" target=\"_blank\" rel=\"noopener noreferrer\">RFC 7208<\/a>. An SPF record is a DNS TXT record that names the mail servers and services allowed to send email on behalf of your domain. When a message arrives, the receiving server looks up your SPF record and checks whether the sending server&#8217;s IP address is on your authorized list. If it is, the message passes SPF. If it is not, the result depends on how strict your record is.<\/p>\n\n\n\n<p>SPF matters because mailbox providers use it to decide whether a message is legitimate. Since February 2024, <a href=\"https:\/\/www.warmy.io\/blog\/email-deliverability\/gmail-bulk-sender-requirements-explained\/\" data-type=\"post\" data-id=\"7095\" target=\"_blank\" rel=\"noopener noreferrer\">Google and Yahoo have required bulk senders <\/a>to authenticate with SPF or DKIM, along with DMARC and one-click unsubscribe. Without valid authentication, messages get throttled, <a href=\"https:\/\/www.warmy.io\/blog\/outlook-seed-lists-ms365-deliverability-the-battle-between-new-and-established-lists\/\" title=\"How to Improve Email Deliverability &amp; Avoid Spam Filters in MS365\" data-wpil-monitor-id=\"29\" target=\"_blank\" rel=\"noopener noreferrer\">filtered to spam<\/a>, or rejected. <\/p>\n\n\n\n<p>One detail trips up many senders: SPF checks the Return-Path address, also called the envelope sender, not the visible From address. That is why SPF can pass while DMARC still fails, and why SPF works best alongside DKIM and DMARC rather than on its own.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How to create an SPF record<\/strong><\/h2>\n\n\n\n<div id=\"yt-bXxcDJa84uA\"\n     class=\"yt-facade wp-block-warmy-youtube-video\"\n     data-yt-id=\"bXxcDJa84uA\"\n     data-yt-embed=\"https:\/\/www.youtube.com\/embed\/bXxcDJa84uA?autoplay=1&#038;rel=0\"\n     role=\"button\"\n     tabindex=\"0\"\n     aria-label=\"How to Set Up SPF, DKIM, and DMARC for Gmail in 2026 (google workspace)\">\n\n\t<img class=\"yt-facade__thumb\" src=\"https:\/\/i.ytimg.com\/vi\/bXxcDJa84uA\/maxresdefault.jpg\" onerror=\"this.src=&#039;https:\/\/i.ytimg.com\/vi\/bXxcDJa84uA\/hqdefault.jpg&#039;\" alt=\"How to Set Up SPF, DKIM, and DMARC for Gmail in 2026 (google workspace)\" loading=\"lazy\" decoding=\"async\" width=\"1280\" height=\"720\" title=\"\">\n\n\t<span class=\"yt-facade__play\" aria-hidden=\"true\">\n\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 0 68 48\" width=\"68\" height=\"48\">\n\t\t\t<path class=\"yt-facade__play-bg\" d=\"M66.5 7.7c-.8-2.9-2.9-5-5.8-5.8C55.8 0 34 0 34 0S12.2 0 7.3 1.9C4.4 2.7 2.3 4.8 1.5 7.7 0 12.6 0 24 0 24s0 11.4 1.5 16.3c.8 2.9 2.9 5 5.8 5.8C12.2 48 34 48 34 48s21.8 0 26.7-1.9c2.9-.8 5-2.9 5.8-5.8C68 35.4 68 24 68 24s0-11.4-1.5-16.3z\"\/>\n\t\t\t<path class=\"yt-facade__play-icon\" d=\"M45 24 27 14v20z\"\/>\n\t\t<\/svg>\n\t<\/span>\n\n<\/div>\n\n<script type=\"application\/ld+json\">{\"@context\":\"https:\/\/schema.org\",\"@type\":\"VideoObject\",\"name\":\"How to Set Up SPF, DKIM, and DMARC for Gmail in 2026 (google workspace)\",\"embedUrl\":\"https:\/\/www.youtube.com\/embed\/bXxcDJa84uA\",\"url\":\"https:\/\/www.youtube.com\/watch?v=bXxcDJa84uA\",\"thumbnailUrl\":\"https:\/\/i.ytimg.com\/vi\/bXxcDJa84uA\/maxresdefault.jpg\",\"description\":\"\ud83e\udde1 Fix your email deliverability performance (7-day free trial) - https:\/\/warmy.psee.io\/8h9bz3\\r\\n\\r\\n\ud83d\udc47 Free Tools Mentioned\\r\\nSPF Record Generator - https:\/\/warmy.io\/free-tools\/spf-gener...\\r\\nDMARC Record Generator - https:\/\/warmy.io\/free-tools\/dmarc-gen...\\r\\nGoogle Toolbox Checker - https:\/\/toolbox.googleapps.com\/apps\/c...\\r\\n\\r\\n0:00 Intro\\r\\n0:26 How to set up SPF\\r\\n1:46 How to set up DMARC\\r\\n2:34 How to set up DKIM\\r\\n\",\"uploadDate\":\"2025-07-28\"}<\/script>\n\n\n\n<p>Creating an SPF record comes down to publishing one TXT record with the right contents. Here is the process.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Audit your sending sources.<\/strong> List every service that sends email using your domain, including your mailbox provider, marketing platform, transactional email service, CRM, and support desk. Each one needs to be authorized.<\/li>\n\n\n\n<li><strong>Open your DNS host.<\/strong> Log in wherever your DNS is managed, which is your registrar or DNS provider such as Cloudflare or GoDaddy. This is often not the same <a href=\"https:\/\/www.warmy.io\/blog\/overview-of-popular-providers-and-which-companies-will-use-them\/\" title=\"Popular Email Providers and Which Companies Use Each One\" data-wpil-monitor-id=\"28\" target=\"_blank\" rel=\"noopener noreferrer\">company that provides your email<\/a>, and it is not inside your email admin console.<\/li>\n\n\n\n<li><strong>Create a TXT record at the root domain.<\/strong> Set the host or name field to @ (or your domain) and the type to TXT.<\/li>\n\n\n\n<li><strong>Write the record.<\/strong> Start with the version tag, add a mechanism for each sender, and finish with an all mechanism.<\/li>\n<\/ol>\n\n\n\n<p>The building blocks are mechanisms and qualifiers. The common mechanisms are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>include<\/strong>: authorizes another service&#8217;s SPF record, used for most email service providers.<\/li>\n\n\n\n<li><strong>ip4: and ip6<\/strong>: authorize specific IP addresses or ranges directly.<\/li>\n\n\n\n<li>a and mx authorize the IPs behind your domain&#8217;s A or MX records.<\/li>\n<\/ul>\n\n\n\n<p>The all mechanism at the end sets the default for anything that did not match, and its qualifier decides how strict you are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>-all (hardfail)<\/strong> tells receivers to <a href=\"https:\/\/www.warmy.io\/blog\/how-to-fix-smtp-email-error-501-5-7-1-solved\/\" title=\"SMTP Error 501 5.7.1: Sender Policy Rejection or Unauthorized Address &#8211; Causes and Fixes\" data-wpil-monitor-id=\"27\" target=\"_blank\" rel=\"noopener noreferrer\">reject unauthorized senders<\/a>. Use this for production.<\/li>\n\n\n\n<li><strong>~all (softfail)<\/strong> marks unauthorized mail as suspicious but usually still delivers it. Google suggests starting here while you confirm every sender, then tightening to -all.<\/li>\n\n\n\n<li><strong>?all (neutral)<\/strong> makes no assertion, which offers little protection.<\/li>\n\n\n\n<li><strong>+all <\/strong>authorizes the entire internet to send as you. Never use it.<\/li>\n<\/ul>\n\n\n\n<p>A few real examples. Google Workspace only:<\/p>\n\n\n\n<p>v=spf1 include:_spf.google.com -all<\/p>\n\n\n\n<p>Google Workspace plus SendGrid and Microsoft 365:<\/p>\n\n\n\n<p>v=spf1 include:_spf.google.com include:sendgrid.net include:spf.protection.outlook.com -all<\/p>\n\n\n\n<p>Your own static mail servers by IP:<\/p>\n\n\n\n<p>v=spf1 ip4:203.0.117.4 ip4:198.59.105.0\/24 -all<\/p>\n\n\n\n<p>Publish only one SPF record per domain. If you add a new sender later, merge it into the existing record rather than creating a second one.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Common mistakes and the 10-lookup limit<\/strong><\/h2>\n\n\n\n<p>The single most common SPF failure is the 10-lookup limit. RFC 7208 caps SPF evaluation at 10 DNS-querying mechanisms per check. Every include, a, mx, ptr, and exists counts toward that total, and the includes inside a provider&#8217;s record count too. The ip4, ip6, and all mechanisms do not count, since they need no DNS query.<\/p>\n\n\n\n<p>When a receiver hits the eleventh lookup, SPF returns a PermError, which is a permanent failure. Receivers treat it as an SPF fail, and DMARC treats it the same way, so legitimate mail can be quarantined or rejected. Microsoft environments enforce this strictly, so senders to Microsoft 365 feel it fast.<\/p>\n\n\n\n<p>What makes this dangerous is that your record can break without you touching it. Each include pulls in whatever the provider lists, and providers change their records without notice. A record that used nine lookups yesterday can exceed the limit today.<\/p>\n\n\n\n<p>To stay under the limit:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Remove services you no longer use. Old includes are common dead weight.<\/li>\n\n\n\n<li>Replace include with ip4 or ip6 for senders that give you stable, dedicated IPs.<\/li>\n\n\n\n<li>Avoid the a and mx mechanisms when you do not need them, and never use the deprecated ptr mechanism.<\/li>\n\n\n\n<li>Split marketing and transactional sending onto separate subdomains, since each subdomain gets its own 10-lookup budget.<\/li>\n<\/ul>\n\n\n\n<p>Other mistakes to avoid: publishing two SPF records on one domain, which also causes a PermError; leaving a space inside a mechanism such as include: domain.com; and adding vendor includes that never get checked because the vendor uses its own Return-Path. Check the Return-Path in a real message before adding any include.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How to check and verify your SPF record<\/strong><\/h2>\n\n\n\n<p>After you publish, verify the record before you trust it. A good SPF checker performs a live DNS lookup, confirms you have exactly one record, validates the syntax against RFC 7208, counts your DNS lookups, and flags errors.<\/p>\n\n\n\n<p>Confirm three things every time:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Syntax is clean, the record starts with v=spf1, and it ends with an all mechanism.<\/li>\n\n\n\n<li>Every mechanism resolves, with no typos in include domains.<\/li>\n\n\n\n<li>The total lookup count is under 10, ideally with room to spare.<\/li>\n<\/ul>\n\n\n\n<p>DNS changes can take up to 48 hours to propagate, though most resolvers pick them up within about 15 to 30 minutes. Recheck after any change to a sending service, since a provider-side update can quietly push you over the limit. Pairing SPF with a DMARC record set to p=none also gives you aggregate reports that reveal senders you forgot and alert you when something breaks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Free SPF generator and checker from Warmy<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"995\" height=\"651\" src=\"https:\/\/www.warmy.io\/blog\/wp-content\/uploads\/2024\/07\/SPF-generator.png\" alt=\"SPF generator\" class=\"wp-image-7030\" title=\"\" srcset=\"https:\/\/www.warmy.io\/blog\/wp-content\/uploads\/2024\/07\/SPF-generator.png 995w, https:\/\/www.warmy.io\/blog\/wp-content\/uploads\/2024\/07\/SPF-generator-300x196.png 300w, https:\/\/www.warmy.io\/blog\/wp-content\/uploads\/2024\/07\/SPF-generator-768x502.png 768w\" sizes=\"auto, (max-width: 995px) 100vw, 995px\" \/><\/figure>\n\n\n\n<p>Warmy&#8217;s <a href=\"https:\/\/www.warmy.io\/free-tools\/spf-generator\/\" target=\"_blank\" rel=\"noopener noreferrer\">free SPF generator<\/a> builds a valid record in four steps: enter your domain, choose your email service provider, add your email address, and generate the record. You copy the result into a TXT <a href=\"https:\/\/www.warmy.io\/blog\/what-are-dns-mx-record-dns-a-record-rdns-and-how-does-it-work\/\" title=\"What are DNS MX record, DNS A-record, rDNS and How Do They Work?\" data-wpil-monitor-id=\"30\" target=\"_blank\" rel=\"noopener noreferrer\">record at your DNS<\/a> host, and the tool handles the syntax so you avoid the small errors that break authentication.<\/p>\n\n\n\n<p>For verification, Warmy users who connect a mailbox can run a built-in DNS test inside the platform that checks <a href=\"https:\/\/www.warmy.io\/blog\/spf-dkim-and-dmarc-what-they-are-and-why-you-should-care\/\" data-type=\"post\" data-id=\"4072\" target=\"_blank\" rel=\"noopener noreferrer\">SPF, DKIM, and DMARC <\/a>together, with no third-party tools required. The number of tests depends on your plan. <\/p>\n\n\n\n<p>Because SPF only covers part of the picture, it works best next to DKIM, DMARC, and a warmed sending domain. A valid SPF record helps a message qualify for the inbox. Reputation and engagement still decide whether it lands there.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR An SPF record is a single TXT record in your domain&#8217;s DNS that lists which servers are allowed to send email using your domain. To create one, publish a TXT record at your root domain that starts with v=spf1, add an include or IP for each sending service, and end with -all. To check [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":8036,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[120],"tags":[],"class_list":["post-8034","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-email-best-practices"],"acf":[],"lang":"en","translations":{"en":8034},"pll_sync_post":[],"_links":{"self":[{"href":"https:\/\/www.warmy.io\/blog\/wp-json\/wp\/v2\/posts\/8034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.warmy.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.warmy.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.warmy.io\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.warmy.io\/blog\/wp-json\/wp\/v2\/comments?post=8034"}],"version-history":[{"count":5,"href":"https:\/\/www.warmy.io\/blog\/wp-json\/wp\/v2\/posts\/8034\/revisions"}],"predecessor-version":[{"id":8040,"href":"https:\/\/www.warmy.io\/blog\/wp-json\/wp\/v2\/posts\/8034\/revisions\/8040"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.warmy.io\/blog\/wp-json\/wp\/v2\/media\/8036"}],"wp:attachment":[{"href":"https:\/\/www.warmy.io\/blog\/wp-json\/wp\/v2\/media?parent=8034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.warmy.io\/blog\/wp-json\/wp\/v2\/categories?post=8034"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.warmy.io\/blog\/wp-json\/wp\/v2\/tags?post=8034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}