SPF Record Generator
Builds the TXT record for SPF authentication based on which services send mail for your domain. Output is the exact DNS record you paste into your domain registrar.
v=spf1 include:_spf.google.com ~allCombines selected services (Google Workspace, Microsoft 365, Mailgun, SendGrid, others) into a single SPF v=spf1 record with the appropriate include directives and policy suffix (~all, -all, or ?all).
Setting up a new sending domain. Updating SPF after adding a new SaaS sender (CRM, email marketing tool, transactional email).
How to use it
- 1Check the services that send mail for your domainGoogle Workspace, Microsoft 365, plus any third-party (Mailgun, SendGrid, Outsolvi, Outlook plug-ins).
- 2Add custom sending IPsIf you have a self-hosted MTA or a dedicated IP from your ESP, paste it in.
- 3Pick the policy~all to start (softfail, recommended). Tighten later.
- 4Copy the generated TXT record into DNSAdd as a TXT record at the root of your domain. Use dig or nslookup to verify propagation.
Common use cases
- •Standing up a new sending domain on Google Workspace or Microsoft 365
- •Adding a new transactional sender (SendGrid, Postmark, Mailgun) to existing SPF
- •Tightening from ~all to -all after a monitoring period
- •Auditing why mail is landing in spam at Gmail and Microsoft despite working setup
FAQ
What's the difference between ~all, -all, and ?all?+
~all (softfail) tells receivers to mark unauthenticated mail as suspicious but still deliver. -all (hardfail) tells receivers to reject. ?all (neutral) tells receivers no opinion. Start with ~all when configuring; tighten to -all only after monitoring for 2-4 weeks.
Can I have multiple SPF records?+
No — multiple SPF records on the same domain is a configuration error. Combine all senders into one record with multiple include directives.
What about DKIM and DMARC?+
SPF is one of three. See our DKIM record validator and DMARC policy generator tools. All three are essentially required in 2026 per the 2024 Google + Microsoft tightening.
What happens if my SPF record is too long?+
DNS TXT records have a 255-character per-string limit and a 10-DNS-lookup limit. Most providers consolidate via flattening services like dmarcian or EasyDMARC. If your record approaches either limit, the generator will warn you.
Do I need SPF if I'm only sending from Gmail or Microsoft 365?+
Yes. Even single-provider sending requires SPF for Gmail/Microsoft to authenticate the from-domain alignment under DMARC. Without it, your DMARC policy won't apply protection.
What's the worst-case outcome of getting SPF wrong?+
Legitimate mail rejected by recipient servers. Specifically: if you set ~all or -all but your SPF doesn't include all real senders, those senders' mail starts landing in spam (or rejected). Start with ~all, monitor DMARC aggregate reports for 14 days, then tighten.
Keep going
Articles, glossary entries, and other tools on the same topic.
Record generated. Now make sure it actually passes on real sends.
A correct DNS record on paper still fails 12% of the time at the receiver. Outsolvi watches every send and flags auth failures, opens that look like proxies, and bounces in real time. From $7/user/mo yearly.
Verify on a real sendNate built Outsolvi after watching every email-tracking tool he had ever used lie to him about opens. Outsolvi runs Tier 1 to 5 confidence scoring on every open, native in Outlook and Gmail, so the number on the dashboard is one a rep can actually act on.
We update these pages when the underlying mechanics change — new mailbox-provider rules, new tracker behavior, new measurement gaps. The dates above are real revisions, not auto-touches.