Build an SPF record by combining: v=spf1 + mechanisms for each sender + qualifier. Start with v=spf1, add include:esp-domain.com for each email service, and end with ~all or -all. Example: v=spf1 include:_spf.google.com include:sendgrid.net ~all. Count DNS lookups to stay under 10 total. Test with MXToolbox before publishing.
SPF Record Generator: How to Build One Manually
SPF Record Structure
Every SPF record follows this pattern:
v=spf1 [mechanisms] [qualifier]all
- v=spf1 — Version tag (required, always first)
- mechanisms — Rules for who can send (include, ip4, a, mx, etc.)
- qualifier + all — What to do with unlisted senders (~all, -all, ?all)
Step 1: List Your Email Senders
Before building your record, document every service that sends email from your domain:
| Category | Service | Include Statement |
|---|---|---|
| Primary email | Google Workspace | include:_spf.google.com |
| Transactional | SendGrid | include:sendgrid.net |
| Marketing | Mailchimp | include:servers.mcsv.net |
| CRM | HubSpot | include:_spf.hubspot.com |
Check your ESP's documentation for their include statement. Most are found under "Email Authentication" or "Domain Setup."
Step 2: Choose Your Mechanisms
include (Most Common)
Authorizes another domain's SPF record. When an ESP says "add this to your SPF," they mean include.
include:sendgrid.net
include:_spf.google.com
Each include triggers at least one DNS lookup (often more due to nesting).
ip4 and ip6
Authorizes specific IP addresses:
ip4:192.168.1.1
ip4:192.168.1.0/24
ip6:2001:db8::1
Use for dedicated IPs or self-hosted mail servers. Doesn't count toward the 10 lookup limit.
a
Authorizes the IP addresses in your domain's A record:
a
a:mail.yourdomain.com
Counts as one DNS lookup.
mx
Authorizes the IP addresses of your domain's MX servers:
mx
mx:yourdomain.com
Counts as one DNS lookup, plus one for each MX server resolved.
redirect
Completely replaces your SPF record with another domain's:
redirect=_spf.example.com
Use only when you want to fully delegate SPF to another domain. Don't combine with other mechanisms.
Practitioner note: I rarely recommend redirect because it gives another domain complete control over your SPF policy. Use include instead unless you're managing multiple domains that should share the same SPF config.
Step 3: Choose Your Qualifier
The qualifier goes before all and determines what happens to mail from unlisted senders:
| Qualifier | Result | Use Case |
|---|---|---|
| -all | hardfail | Production — reject unlisted senders |
| ~all | softfail | Testing — mark suspicious but deliver |
| ?all | neutral | No policy — treated as if no SPF |
| +all | pass | Dangerous — allows anyone (never use) |
Start with ~all while setting up. Switch to -all after verifying all senders pass.
Step 4: Build the Record
Combine your components:
Example 1: Single ESP (Google Workspace)
v=spf1 include:_spf.google.com ~all
Example 2: Email provider + transactional
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Example 3: Full marketing stack
v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net include:_spf.hubspot.com ~all
Example 4: With dedicated IP
v=spf1 include:_spf.google.com ip4:203.0.113.50 ~all
Step 5: Count DNS Lookups
SPF allows a maximum of 10 DNS lookups. Each include, a, mx, and redirect counts as at least one lookup. Nested includes add more.
Lookup costs:
- include:sendgrid.net → 1 lookup + whatever SendGrid's record includes
- include:_spf.google.com → 1 lookup + Google's nested includes (~3 total)
- a → 1 lookup
- mx → 1 lookup + 1 per MX server
- ip4/ip6 → 0 lookups
To check your count:
- Use MXToolbox SPF Record Lookup
- Use dmarcian's SPF surveyor
- Manually trace with dig TXT yourdomain.com and follow each include
Practitioner note: The lookup limit bites agencies hardest. I've seen setups with 4 includes that actually trigger 15+ lookups when you trace the nested records. Google Workspace alone uses 3-4 lookups. Always verify the total before going live.
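The manual trace from Step 5, automated as an added example (not code from this guide or from any of the tools it names). The domains and records in ZONE are constructed stand-ins for live DNS, and the counter charges each a, mx, ptr and exists term once and each include or redirect once plus its target's cost, which is how RFC 7208 section 4.6.4 counts terms toward the limit of 10.

```python
import re

# Constructed TXT data standing in for live DNS; every name and record is made up.
ZONE = {
    "agency.test": "v=spf1 include:_spf.mail.test include:esp.test "
                   "include:crm.test include:news.test ip4:203.0.113.50 ~all",
    "_spf.mail.test": "v=spf1 include:_nb1.mail.test include:_nb2.mail.test "
                      "include:_nb3.mail.test ~all",
    "_nb1.mail.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb2.mail.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb3.mail.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "esp.test": "v=spf1 a:out.esp.test mx -all",
    "crm.test": "v=spf1 include:_spf.mail.test exists:%{i}.ok.crm.test -all",
    "news.test": "v=spf1 include:esp.test redirect=_nb1.mail.test",
    "small.test": "v=spf1 include:esp.test ip4:203.0.113.7 -all",
}
LOOKUP_LIMIT = 10                      # RFC 7208 section 4.6.4
RECURSE = {"include", "redirect"}      # cost 1 plus whatever the target record costs
SINGLE = {"a", "mx", "ptr", "exists"}  # cost 1 each toward this limit

def count_lookups(domain, resolve=ZONE.get, path=()):
    """Worst-case lookup count and indented trace for the SPF record at domain."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = resolve(domain)
    if record is None or record.lower().split()[:1] != ["v=spf1"]:
        raise LookupError(f"no SPF record at {domain}")
    total, trace, pad = 0, [], "  " * len(path)
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([A-Za-z0-9]+)(?:[:=]([^/\s]+))?", term)
        if not m:
            continue                   # unparseable term: a syntax check's job
        mech, target = m.group(1).lower(), m.group(2)
        if mech in RECURSE and target:
            nested, sub = count_lookups(target.lower(), resolve, path + (domain,))
            total += 1 + nested
            trace += [f"{pad}{term}: 1 + {nested} nested"] + sub
        elif mech in SINGLE:
            total += 1
            trace.append(f"{pad}{term}: 1")
    return total, trace

def exceeds_limit(domain, resolve=ZONE.get):
    """True when a receiver could return permerror for too many lookups."""
    return count_lookups(domain, resolve)[0] > LOOKUP_LIMIT

if __name__ == "__main__":
    total, trace = count_lookups("agency.test")
    print("\n".join(trace))
    print(f"agency.test: {total} lookups, limit {LOOKUP_LIMIT}")
```

To run it against real DNS, pass a resolve function that returns the v=spf1 TXT string for a name, or None when there is none.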
Step 6: Validate Before Publishing
Use these tools to check your record:
MXToolbox SPF Record Lookup
- Enter your proposed record (before publishing)
- Shows syntax errors, lookup count, and nested includes
dmarcian SPF Surveyor
- Visualizes the include chain
- Shows exactly how lookups accumulate
Command line:
```bash
# Check what's currently published
dig TXT yourdomain.com +short
# Trace an include
dig TXT _spf.google.com +short
```
Step 7: Publish and Test
- Add TXT record in your DNS (host: @ or blank, value: your SPF string)
- Wait 15-30 minutes for propagation
- Verify with dig TXT yourdomain.com +short
- Send test email to Gmail
- Check headers for spf=pass
Common Mistakes
Multiple SPF records: Only one per domain. Merge, don't add.
Missing v=spf1: Record must start with v=spf1 or it's ignored.
Exceeding 10 lookups: Causes permerror. Use SPF flattening to fix.
Wrong mechanism order: Order matters. Place mechanisms by priority. Receiving servers evaluate left to right.
Spaces around colons: include: sendgrid.net is invalid. No spaces.
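A pre-publish check for the mistakes listed above, as an added example rather than code from this guide. The finding codes and the SAMPLES inputs are constructed for illustration; the "unreachable" and "redirect-ignored" checks apply the RFC 7208 rules that terms after all are never tested and that redirect is ignored when all is present. Lookup counting is left out here.

```python
def lint_spf(txt_records):
    """Return (code, detail) findings for all TXT records published at one name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return [("no-spf-record", "no TXT record starts with v=spf1; receivers ignore it")]
    findings = []
    if len(spf) > 1:
        findings.append(("multiple-records", f"{len(spf)} SPF records; merge into one"))
    for record in spf:
        terms = record.split()[1:]
        names = [t.lstrip("+-~?").lower() for t in terms]
        for raw, name in zip(terms, names):
            # "include: sendgrid.net" splits into "include:" and a bare domain
            if name.endswith((":", "=")) or name.startswith((":", "=")):
                findings.append(("space-in-term", f"separator split from its value at '{raw}'"))
        if "all" in names:
            pos = names.index("all")
            if terms[pos].lower() in ("all", "+all"):
                findings.append(("pass-all", "all with pass qualifier authorizes any sender"))
            late = [t for t, n in zip(terms[pos + 1:], names[pos + 1:])
                    if not n.startswith("redirect=")]
            if late:
                findings.append(("unreachable", f"never evaluated after all: {' '.join(late)}"))
            if any(n.startswith("redirect=") for n in names):
                findings.append(("redirect-ignored", "redirect= is ignored when all is present"))
    return findings

# Constructed inputs: each list is the TXT answer for one hypothetical domain.
SAMPLES = {
    "ok": ["site-verification=constructed",
           "v=spf1 include:_spf.google.com include:sendgrid.net ~all"],
    "two-records": ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:sendgrid.net ~all"],
    "no-version": ["include:sendgrid.net ~all"],
    "space": ["v=spf1 include: sendgrid.net ~all"],
    "plus-all": ["v=spf1 include:sendgrid.net +all"],
    "order": ["v=spf1 ~all include:sendgrid.net redirect=_spf.example.com"],
}

def codes(name):
    """Finding codes only, for one of the constructed samples."""
    return [code for code, _ in lint_spf(SAMPLES[name])]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, lint_spf(SAMPLES[name]))
```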
If you're hitting the lookup limit or have a complex multi-sender setup, schedule a consultation and I'll build a clean SPF configuration that stays under the limit.
Sources
- RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email
- dmarcian: SPF Syntax
- MXToolbox: SPF Record Check
- IETF: SPF Record Testing Tools
v1.0 · March 2026
Frequently Asked Questions
How do I create an SPF record from scratch?
Start with v=spf1, add include statements for each email sender (e.g., include:sendgrid.net), and end with ~all. The final record looks like: v=spf1 include:_spf.google.com include:sendgrid.net ~all
What SPF mechanisms should I use?
Use include for ESPs (most common), ip4 for specific IP addresses, a for your domain's A record IP, and mx for your MX server IPs. Avoid redirect unless you want to delegate entirely to another domain's SPF.
How do I know if my SPF record is correct?
Use MXToolbox SPF Record Lookup or dmarcian's SPF surveyor. Check that lookup count is under 10, syntax is valid, and all your senders are included. Send test emails and verify spf=pass in headers.
What's the maximum SPF record length?
DNS TXT records have a 255-character limit per string, but multiple strings can be concatenated. The practical limit is around 450 characters. More importantly, you're limited to 10 DNS lookups—character length is rarely the problem.
Should I use an online SPF generator tool?
Online generators are fine for simple records but often don't count nested lookups correctly. Build manually for complex setups with 3+ senders, then validate with MXToolbox.