Can I have more than one SPF record?

No. Publish one SPF TXT record for a domain. If you use multiple senders, merge their mechanisms into a single v=spf1 record.

What SPF record do I need for Google Workspace or Gmail?

Use v=spf1 include:_spf.google.com ~all when Google is the only sender. If other providers also send for the domain, merge the Google include into one shared SPF record.

What does the SPF 10 DNS lookup limit mean?

SPF allows up to 10 DNS lookup mechanisms during evaluation. Evaluation can fail when a record exceeds 10, including nested provider records.

Should I use ~all or -all?

Use ~all while testing or while you are not sure every sender is included. Use -all only after you have confirmed all legitimate providers and IPs are covered.

Do Resend, Postmark, Mailchimp, and HubSpot use fixed SPF includes?

Not always. Some providers generate account-specific records or no longer require a generic SPF include. Use the exact value shown in the provider's domain setup screen.

SPF Record Generator

Generate and check an SPF record.

Create one SPF TXT record for Google Workspace, Gmail, SendGrid, Microsoft 365, Amazon SES, and custom senders. Check existing DNS, merge safely, and avoid the 10-lookup limit.

No signup
Provider-specific
DNS merge checks

Build your SPF record

Pick the services that send email for your domain. We keep the result to one TXT record and warn before you reach the SPF lookup limit.

Which services send your email?

SPF record

Your SPF record

v=spf1 include:_spf.google.com ~all

DNS lookups1 of 10

PolicySoft fail (~all)

Receivers accept your listed senders and treat anything else as suspicious. It's the safe default while you finish adding senders.

Add it as a TXT record on your domain's root (host @).

Ready to publish. Copy the record above and add it to your DNS.

Basics

What is an SPF record?

An SPF (Sender Policy Framework) record is a DNS TXT record that lists the mail servers and providers allowed to send email for your domain. Receiving servers read it to help confirm a message really came from you, which protects your domain from spoofing and helps your email reach the inbox.

You publish one SPF record per domain. When several providers send your mail, you merge them all into that single record instead of adding a separate record for each one.

How to

How do you create an SPF record?

Create one TXT record that starts with v=spf1, add every provider and sending IP that sends your mail, then end with an all policy. Keep it to one record and stay under 10 DNS lookups.

1
List who sends your email
Write down every service that sends email from your domain, such as Google Workspace, Microsoft 365, SendGrid, or your own mail server.
2
Start one record with v=spf1
Every SPF record begins with v=spf1, and you publish only one SPF record per domain.
3
Add each sender
Add the include value for each provider, like include:_spf.google.com, plus any sending IPs using ip4 or ip6.
4
Set the policy
End the record with ~all while you test, then switch to -all once every legitimate sender is covered.
5
Stay under 10 DNS lookups
SPF allows up to 10 DNS lookups during evaluation, so remove senders you no longer use to keep the record working.
6
Publish one TXT record
Add the finished value as a single TXT record on your domain's root, then verify it before switching to a strict policy.

Provider setup

What SPF record do I need for each provider?

Most providers publish a fixed SPF include you can drop straight into your record. A few generate an account-specific value instead, so you copy that one from the provider's own setup screen. Find yours in the table below.

Provider	SPF record to add	When to use it
Google Workspace	`include:_spf.google.com`	Use include:_spf.google.com when your domain sends mail through Google Workspace. Merge it into one record if you also use another provider.
Gmail	`include:_spf.google.com`	For a custom domain sending through Gmail or Google Workspace, use the same Google include. Personal @gmail.com addresses do not need your domain's SPF record.
SendGrid	`include:sendgrid.net`	SendGrid can use include:sendgrid.net for manual sender authentication. If your SendGrid account shows a different setup, use the account-specific DNS values.
Microsoft 365	`include:spf.protection.outlook.com`	Use include:spf.protection.outlook.com when Microsoft 365 is allowed to send for your domain.
Amazon SES	`include:amazonses.com`	Use include:amazonses.com only for the domain or custom MAIL FROM setup Amazon SES tells you to authenticate.
Resend	`Provider-generated value`	Resend shows the SPF TXT value during domain setup. Add that exact provider-generated value instead of guessing a root-domain include.
Postmark	`Not required`	Postmark does not require adding a generic SPF include to your root domain for normal sender signature setup.
Mailchimp	`Provider-generated value`	Mailchimp authentication is account-specific. Use the records Mailchimp shows for your sending domain.
HubSpot	`Provider-generated value`	HubSpot generates DNS records for each sending domain. Copy the SPF-related value from your HubSpot domain setup screen.

Common mistakes

What to avoid before you publish SPF.

Publishing two SPF records

Receivers can treat multiple v=spf1 TXT records as a permanent error. Merge every sender into one record.

Adding providers you no longer use

Old includes increase DNS lookups and authorize senders you may not control anymore.

Using +all

+all allows every server to send for your domain. Use it only when intentionally testing a throwaway domain.

Ignoring provider-specific setup

Some providers generate exact DNS values per account or subdomain. Do not replace those with a generic include.

Common questions

SPF record questions, answered.

Short answers for setup, provider includes, and DNS lookup limits.

What is an SPF record?: An SPF record is a DNS TXT record that lists the servers and providers allowed to send email for a domain.
Can I have more than one SPF record?: No. Publish one SPF TXT record for a domain. If you use multiple senders, merge their mechanisms into a single v=spf1 record.
What SPF record do I need for Google Workspace or Gmail?: Use v=spf1 include:_spf.google.com ~all when Google is the only sender. If other providers also send for the domain, merge the Google include into one shared SPF record.
What does the SPF 10 DNS lookup limit mean?: SPF allows up to 10 DNS lookup mechanisms during evaluation. Evaluation can fail when a record exceeds 10, including nested provider records.
Should I use ~all or -all?: Use ~all while testing or while you are not sure every sender is included. Use -all only after you have confirmed all legitimate providers and IPs are covered.
Do Resend, Postmark, Mailchimp, and HubSpot use fixed SPF includes?: Not always. Some providers generate account-specific records or no longer require a generic SPF include. Use the exact value shown in the provider's domain setup screen.

References

SPF and sender authentication references

Fix it with Dreamlit

Sender authentication is only one part of production email.

Dreamlit handles the rest. It turns your database changes into end-to-end email workflows you describe in plain English, then previews them with live data before you publish. No cron jobs, no webhooks, no notification plumbing to wire up by hand.

Build email workflows