SPF Record Generator
Build a valid Sender Policy Framework (SPF) TXT record for your domain. Pick which mail providers can send for you, add specific IPs if needed, choose how strictly to enforce, and copy the assembled record.
Last reviewed: June 2026
example.com, not mail.example.com). Only one SPF record is allowed per domain — if you already have one, replace it; don't add a second.
How does an SPF record actually work?
SPF (Sender Policy Framework) is a published list of who's allowed to send email from your domain. When a receiving mail server gets a message claiming to be from @example.com, it looks up the SPF TXT record for example.com and checks whether the connecting IP is in the list. If it isn't, the receiver applies whatever enforcement the record specifies — soft fail, hard fail, or neutral.
An SPF record always starts with v=spf1 and is a single space-separated string of mechanisms followed by an "all" qualifier at the end. The mechanisms are the things that authorise sending — a, mx, include:, ip4:, ip6: — and the qualifier is what to do with everyone else.
Should I start with -all or ~all?
Start with ~all. Soft fail tells receivers "this sender wasn't authorised, but maybe accept it anyway and treat it as suspicious." That's the right default while you're still discovering which third parties send email on your behalf — you'll see them in DMARC aggregate reports and can add them to the record before any legitimate mail breaks.
Once you've watched the reports for a few weeks and confirmed that every legitimate sender is in your record, tighten to -all. Hard fail tells receivers to reject anything not on the list, which is what you ultimately want.
The 10 DNS lookup gotcha
The SPF spec caps the number of DNS lookups a receiver will do while evaluating your record at 10. Every include:, a, mx, and exists: mechanism counts, and so does the redirect= modifier. (Plain ip4: and ip6: don't.) Go over the limit and receivers treat your record as permerror, which most reject.
It's easier to hit than you'd think — including Google Workspace, Microsoft 365, SendGrid, and Mailgun together is already 4 of your 10. If you cross the limit, the standard fix is "flattening" — replacing some include: mechanisms with the IPs they expand to, refreshed periodically. Our SPF checker shows the current lookup count for any domain.
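An added example, not part of the original page or the generator's own code: a lookup counter that walks a record and follows include: and redirect= targets recursively. It goes beyond the page's list by also counting ptr (per RFC 7208) and the terms inside nested includes. The zone data and all names in it are constructed and stand in for live DNS.

```python
LOOKUP_LIMIT = 10  # cap on DNS lookups per SPF evaluation
# Mechanisms costing one lookup each. "ptr" comes from RFC 7208, not from this page.
COUNTED = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample data: domain -> SPF TXT record. Stands in for live DNS.
SAMPLE_ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailhost.example "
                   "include:send.esp.example ip4:203.0.113.7 ~all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example "
                             "include:_b.mailhost.example ~all",
    "_a.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "send.esp.example": "v=spf1 a exists:%{i}.rbl.esp.example -all",
}


def count_lookups(domain, zone, path=()):
    """Count lookup-costing terms for `domain`, recursing into include/redirect."""
    domain = domain.lower().rstrip(".")
    if domain in path:  # include loop: stop instead of recursing forever
        return 0
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0  # no SPF record known for this name, nothing further to walk
    total = 0
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            continue
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()  # "mx/24" -> "mx"
        if name in COUNTED:
            total += 1
            if name == "include" and arg:
                total += count_lookups(arg, zone, path + (domain,))
    return total


def over_limit(domain, zone):
    """True when evaluation would exceed the lookup cap."""
    return count_lookups(domain, zone) > LOOKUP_LIMIT


if __name__ == "__main__":
    n = count_lookups("example.com", SAMPLE_ZONE)
    print(f"example.com: {n}/{LOOKUP_LIMIT} lookups, over limit: {n > LOOKUP_LIMIT}")
```

Running the same count before and after flattening an include: into ip4:/ip6: ranges shows how many lookups the change buys back.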
Where does this go?
Publish the assembled record as a TXT record on your DNS provider, at the apex of the domain (just example.com). The record value is the literal string the generator outputs — most DNS providers will wrap it in quotes for you automatically. After publishing, give DNS a few minutes to settle, then verify with the SPF Checker.
Last reviewed by Network Lookup Team, June 2026.