Build an SPF policy for your domain. Add senders, includes, and failover choices easily here. Get a ready record, checks, and export tools instantly.
| Scenario | Inputs (summary) | Generated SPF (example) |
|---|---|---|
| Workspace + Web App | include: _spf.google.com; ip4: 198.51.100.0/24; ~all | v=spf1 include:_spf.google.com ip4:198.51.100.0/24 ~all |
| Microsoft 365 rollout | include: spf.protection.outlook.com; a; mx; ~all | v=spf1 include:spf.protection.outlook.com a mx ~all |
| Strict enforcement | a:mail.example.com; ip6:2001:db8::/32; -all | v=spf1 a:mail.example.com ip6:2001:db8::/32 -all |
The generator builds a policy string using this structure:
SPF aligns envelope sender domains with approved outbound infrastructure. When receivers evaluate a message, they compare the sending IP against mechanisms like include, a, mx, ip4, and ip6. A tight policy reduces spoofing and supports mailbox provider reputation scoring across large volumes.
Static IP ranges (ip4/ip6) provide deterministic outcomes and do not add DNS lookups. By contrast, a, mx, and include require DNS queries during evaluation. This calculator displays an estimated lookup count to help maintain reliability, especially when using multiple email platforms simultaneously.
Many evaluators enforce a practical maximum of 10 DNS lookups per SPF check. Exceeding that threshold can yield a permanent error, which may break authentication for valid senders. Consolidating includes, removing unused mechanisms, and preferring direct IP authorization can keep the policy within budget.
The all mechanism defines the default result. Softfail (~all) is commonly used during rollout because it signals suspicion without immediate rejection. After monitoring for several days and confirming every sender is covered, switching to fail (-all) strengthens enforcement and reduces abuse opportunities.
TXT strings often have a 255-character segment limit at the DNS layer, even if providers display longer records by splitting segments. Long policies can be brittle during migrations. Keeping records compact, avoiding ptr, and limiting optional modifiers improves cross-provider compatibility and simplifies change control.
SPF works best alongside DKIM and DMARC. DKIM confirms message integrity, while DMARC uses SPF and DKIM alignment to decide enforcement. Use the exports to document decisions: store the SPF record, lookup estimate, and warnings as part of your security baseline and audit evidence.
It approximates how many DNS queries evaluators may perform for include, a, mx, exists, ptr, and redirect. Keeping this near or under 10 improves reliability and reduces the chance of SPF PermError outcomes.
Start with ~all to observe authentication results without hard blocking. After you confirm every sender is authorized and logs look clean, move to -all to enforce stricter protection.
PTR checks depend on reverse DNS and often trigger slow or inconsistent lookups. They can raise evaluation cost and may reduce deliverability. Prefer ip4/ip6 and well-scoped includes instead.
Use redirect when one domain should fully inherit another domain’s SPF policy. It is best for centralized management. Avoid mixing redirect with heavy include chains, as it can increase lookup usage.
EXP points to a TXT record containing an explanation string for failures. It is rarely needed, but it can help internal troubleshooting. It does not replace DMARC reporting and should be used carefully.
Not directly. SPF validates the envelope sender domain. DMARC is designed to align SPF and DKIM with the visible From domain. For user-facing spoofing resistance, deploy DMARC with monitoring and enforcement.
Important Note: All the Calculators listed in this site are for educational purpose only and we do not guarentee the accuracy of results. Please do consult with other sources as well.