Skip to content

SPF (Sender Policy Framework) lets you declare which mail servers are authorized to send email for your domain. Receiving servers check the sending IP against your SPF record — if it doesn't match, the message may be rejected or marked as spam. A well-configured SPF record protects your domain from spoofing and improves deliverability.

Start by identifying all services that send mail as your domain: your own mail server, marketing platforms, transactional email services, CRM systems, and helpdesk tools. Missing a legitimate sender means their mail will fail SPF checks. Use DMARC aggregate reports (p=none) to discover senders you may have missed.

Quick Add Common Providers

Click to add. Each include counts toward your 10-lookup budget. Verified May 2025.

Not listed? Some providers (e.g., HubSpot) use CNAME-based SPF delegation instead of include: mechanisms. Check your provider's email authentication documentation for their specific setup instructions.

How to verify provider include values
Provider SPF include values can change. To verify the current value for any provider: (1) Check the provider's official email authentication documentation. (2) Confirm via DNS: dig TXT _spf.google.com (replace with provider's domain). (3) Look for the include mechanism in the response. These values were verified as of May 2025. Re-verify if your setup is older than 6 months.dig TXT _spf.google.com (replace with provider's domain). (3) Look for the include mechanism in the response. These values were verified as of May 2025. Re-verify if your setup is older than 6 months.
One per line. Each counts as 1 DNS lookup.
When to use include: vs ip4:
Use include: when authorizing a third-party service that manages its own IP ranges. Use ip4:/ip6: when authorizing specific servers you control with static IPs. Third-party service → include:. Your own static IP → ip4: or ip6:.
One per line. Does NOT count as a DNS lookup.
One per line. Does NOT count as a DNS lookup.
IP address and CIDR notation
Enter individual IPs or CIDR ranges. CIDR prefix length determines how many IPs are authorized. IP mechanisms do not count toward the 10-lookup limit (RFC 7208 §4.6.4).
What mx and a mechanisms do
mx authorizes all IPs your MX records resolve to. a authorizes IPs your domain's A/AAAA records resolve to. Both count toward the 10-lookup limit.
Understanding the all qualifier
The all mechanism matches everything not matched by previous mechanisms. -all (fail): unauthorized mail rejected. ~all (softfail): unauthorized mail flagged. ?all (neutral): no assertion. +all (pass): everyone authorized — defeats SPF entirely.

Generated Record

Add this TXT record to your DNS at @ (root domain):@ (root domain):

v=spf1 -all

Top-level count only. Nested includes (e.g., Google ≈4, Microsoft ≈3-4) add to the real total. Use the SPF Flatten tool to check your actual count.SPF Flatten tool to check your actual count.

Why does SPF have a 10-lookup limit?
RFC 7208 §4.6.4 limits SPF evaluation to 10 DNS-querying mechanisms. Mechanisms that count: include, a, mx, ptr (deprecated), exists, and redirect. Mechanisms that do NOT count: ip4, ip6, all. Exceeding the limit causes permerror.

SPF record length limits
A single DNS TXT record character-string is limited to 255 bytes (RFC 1035 §3.3.14). Records longer than 255 bytes must be split into multiple strings within the SAME TXT record. Do NOT create multiple TXT records starting with v=spf1 — RFC 7208 §3.2 requires exactly one SPF record per domain.

Deployment Checklist

  1. Copy the generated TXT record above.
  2. Log in to your DNS hosting provider's control panel.
  3. Add a TXT record at @ (root domain) with the generated value. Set TTL to 3600 (1 hour) or lower during initial testing.@ (root domain) with the generated value. Set TTL to 3600 (1 hour) or lower during initial testing.
  4. Wait 5-10 minutes for DNS propagation (or up to the TTL of any existing SPF record being replaced).
  5. Verify publication: dig TXT yourdomain.com — confirm the record appears with correct content.dig TXT yourdomain.com — confirm the record appears with correct content.
  6. Test: Send a test email and check the Authentication-Results header for spf=pass.Authentication-Results header for spf=pass.
  7. Monitor: Deploy DMARC with p=none and an rua address to monitor SPF results across all senders.p=none and an rua address to monitor SPF results across all senders.