SPF Generator

List all mail servers sending from your domain: your mail server IPs, email service providers (Google, Microsoft), marketing tools (Mailchimp, SendGrid). Format: v=spf1 [mechanisms] [qualifier]all. Example: v=spf1 ip4:192.0.2.0/24 include:_spf.google.com include:spf.protection.outlook.com ~all. Add TXT record at root domain. Test: send email, check headers for SPF pass. Limit: 10 DNS lookups max. Use include: for third parties, not nested includes.

SPF qualifiers define handling for matching mechanisms. Four types: + (pass) - explicitly allowed, default if omitted. - (fail) - hard fail, reject email. ~ (softfail) - accept but mark suspicious. ? (neutral) - no policy. Example: v=spf1 ip4:192.0.2.0 ~all (allow IP, soft fail others). Recommendation: use ~all (softfail) initially, upgrade to -all (hard fail) after testing. Too strict -all causes false positives from forwarding.

SPF RFC limits DNS lookups to 10 to prevent DoS attacks. Mechanisms requiring lookups: include, a, mx, ptr (avoid ptr), exists. Does not count: ip4, ip6, all. Exceeding limit causes SPF permanent error (treated as no SPF). Solutions: flatten SPF (replace includes with IPs), use SPF flattening services, remove unnecessary includes, consolidate third-party senders. Monitor: SPF record size (<450 chars recommended), lookup count.

Use include: mechanism for third-party email services. Example: include:_spf.google.com for Google Workspace, include:spf.protection.outlook.com for Microsoft 365, include:servers.mcsv.net for Mailchimp. Each include counts toward 10 lookup limit. Order does not matter for includes. Verify: third party provides SPF include record. Multiple includes allowed. Test after adding: dig TXT domain.com, check SPF syntax, send test emails.

SPF failure means sending IP not authorized in SPF record. Result depends on: SPF qualifier (-all vs ~all), DMARC policy (none/quarantine/reject), receiving server policy. Outcomes: email rejected (DMARC p=reject), marked spam (p=quarantine), delivered with warning (~all). Legitimate failures: forwarding (breaks SPF, but DKIM survives), misconfigured SPF, missing include. Fix: update SPF record, configure forwarding (SRS), implement DKIM.

Start with ~all (softfail) for testing - accepts email but marks suspicious. Allows identifying legitimate senders missing from SPF. After 2-4 weeks monitoring: no false positives? Upgrade to -all (hard fail) for stronger protection. Use -all only if: confident SPF is complete, DKIM configured (survives forwarding), monitoring DMARC reports. Email forwarding breaks SPF - ~all prevents false positives. Modern approach: -all with DMARC alignment.

Forwarding breaks SPF - forwarded email sent from different IP than SPF authorizes. Solutions: 1) SRS (Sender Rewriting Scheme) - rewrites envelope sender to forwarder domain. 2) DKIM - survives forwarding, provides authentication. 3) Use ~all instead of -all in SPF. 4) Configure forwarders to use SRS. Best: implement SPF, DKIM, and DMARC. DMARC requires only one (SPF or DKIM) to pass. DKIM alignment handles forwarding.