SPF Builder Tool

The SPF Builder makes constructing a correct Sender Policy Framework (SPF) record simple and safe. Build your record piece by piece, validate the syntax, and avoid the DNS lookup limit.

What is SPF?

SPF (Sender Policy Framework) tells receiving mail servers which IP addresses can send email from your domain.

Example:


v=spf1 include:sendgrid.net include:mailchimp.com ~all

This says: "Only SendGrid, Mailchimp, and my own mail servers can send from @example.com"

Accessing the Tool

  1. Log in to SpoofWard
  2. Go to Tools → SPF Builder
  3. You'll see an interactive builder

Building Your SPF Record

Step 1: Load Existing Record (Optional)

If you have a current SPF record:

  1. Copy your SPF record from DNS
  2. Paste into the "Load Record" field
  3. Click "Load"

The tool parses your record and shows each component.

If you have no existing record, start fresh.

Step 2: Add Components

The tool shows available components:

Known Services - Dropdown list:

  • SendGrid
  • Mailchimp
  • HubSpot
  • Office 365
  • Google Workspace
  • Salesforce
  • And many more

To add:

  1. Select service from dropdown
  2. Click "Add to SPF"
  3. Tool adds the correct include: statement
  4. Shows impact on DNS lookup count

Custom IP Address:

  1. Click "Add Custom IP"
  2. Enter IP address (IPv4 or IPv6)
  3. Choose /32 (single IP) or /24 (subnet)
  4. Click "Add"
  5. Tool adds ip4: or ip6: statement

Custom Include:

  1. Click "Add Custom"
  2. Enter the include domain
  3. Click "Add"
  4. Tool adds include: statement

Step 3: Monitor DNS Lookups

As you add components, the tool shows:

DNS Lookup Count - Current total (shown as: 3/10)

Component Breakdown:

  • Each service shows how many lookups it needs
  • Some are 1 lookup, some are 2-3
  • Total can't exceed 10

When you exceed the limit:

  • Tool shows red warning
  • Suggests which components to remove
  • Recommends SPF Flattener tool
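
The per-component breakdown described above can be reproduced offline. This is an added example, not SpoofWard's code: it counts the terms that trigger DNS queries under RFC 7208 (include, a, mx, ptr, exists, redirect) and follows nested includes, which is why one service can cost 2-3 lookups. The function names and the .test records are constructed for illustration.

```python
# Added example: counts SPF terms that trigger DNS queries (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10

# Constructed stand-in for DNS TXT answers; the .test names are not real vendors.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:_spf.mail.test include:bulk.test mx ip4:203.0.113.5 ~all",
    "_spf.mail.test": "v=spf1 include:_a.mail.test include:_b.mail.test ~all",
    "_a.mail.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mail.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "bulk.test": "v=spf1 ip4:203.0.113.0/24 -all",
}

def term_cost(term, txt, path):
    """Lookups charged for one term, including anything it pulls in."""
    term = term.lstrip("+-~?")
    if term.lower().startswith("redirect="):
        return 1 + record_cost(term.split("=", 1)[1], txt, path)
    name, _, arg = term.partition(":")
    name = name.split("/")[0].lower()          # "mx/24" -> "mx"
    if name not in LOOKUP_MECHANISMS:
        return 0                               # ip4, ip6 and all need no query
    return 1 + (record_cost(arg, txt, path) if name == "include" else 0)

def record_cost(domain, txt=SAMPLE_TXT, path=()):
    """Total lookups for a domain's record; an include loop stops at the repeat."""
    if domain in path:
        return 0
    terms = txt.get(domain, "").split()[1:]    # drop the leading v=spf1
    return sum(term_cost(t, txt, path + (domain,)) for t in terms)

def breakdown(domain, txt=SAMPLE_TXT):
    """Per-component cost of the top-level record, plus total and limit check."""
    rows = [(t, term_cost(t, txt, (domain,))) for t in txt[domain].split()[1:]]
    total = sum(cost for _, cost in rows)
    return rows, total, total <= LIMIT

if __name__ == "__main__":
    rows, total, ok = breakdown("example.com")
    for term, cost in rows:
        print(f"{cost:>2}  {term}")
    print(f"{total}/{LIMIT}", "OK" if ok else "over the limit")
```
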

Step 4: Review Record

See your complete record:


v=spf1 include:sendgrid.net include:mailchimp.com ip4:203.0.113.5 ~all

Components:

  • v=spf1 - Version (always first)
  • include: statements - Mail services
  • ip4: / ip6: - Individual IPs
  • ~all or -all - Catch-all policy

Step 5: Choose Catch-All Policy

Soft Fail (~all) - Recommended for most

  • Non-matching mail gets lower score, still delivered
  • Safe for initial setup

Hard Fail (-all) - Strict policy

  • Non-matching mail is rejected
  • Use only when you're 100% sure of all senders

Other options (advanced):

  • ?all - Neutral (rarely used)
  • +all - Accept all (not recommended, defeats SPF purpose)

Step 6: Test & Deploy

Before publishing to DNS:

  1. Preview - See the complete record
  2. Validate Syntax - Tool checks for errors
  3. DNS Lookup Count - Ensure it's under 10
  4. Comparison - See what changed from previous record

Then:

  1. Copy the record
  2. Go to your DNS provider
  3. Find your SPF record (at root domain, not subdomain)
  4. Update (or create if new)
  5. Save changes
  6. Wait 24-48 hours for propagation

SPF Components Explained

Version (v=spf1)

Always the first component. Indicates SPF version 1.

Include Statements (include:)

Includes another domain's SPF record:


include:sendgrid.net

This tells receivers: "Check sendgrid.net's SPF record for authorized IPs."

Why use includes?

  • The service maintains its own IPs
  • You don't have to manually update
  • Cleaner, fewer DNS lookups

Common includes:

  • include:sendgrid.net - SendGrid
  • include:mailchimp.com - Mailchimp
  • include:_spf.google.com - Google Workspace
  • include:protection.outlook.com - Office 365

IP Addresses (ip4: / ip6:)

Specify exact IP addresses:


ip4:203.0.113.5
ip6:2001:db8::1

When to use:

  • Your own mail server
  • VPN or cloud server with static IP
  • Services that don't provide includes

Subnets:


ip4:203.0.113.0/24

This authorizes all IPs in the 203.0.113.x range.

Be Specific

Don't use overly broad subnets. /24 is usually sufficient; avoid /16 or larger.

Mechanism Prefixes

Control how each component is evaluated:

+ (Pass) - Default, implicit


include:sendgrid.net    [equivalent to +include:sendgrid.net]

- (Fail) - This is not authorized


-ip4:192.0.2.0/24

~ (Softfail) - Not ideal but acceptable


~ip4:192.0.2.0/24

? (Neutral) - No policy


?all

Catch-All (all)

Handles any IP not matched by previous components:

~all (softfail) - Recommended

  • Unmatched mail gets lower score
  • Still gets delivered
  • Safe default

-all (hard fail) - Strict

  • Unmatched mail is rejected
  • Use only when all senders are configured

+all (pass) - Not recommended

  • Effectively disables SPF
  • Defeats the purpose
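
The component rules in this section (v=spf1 first, no +all, no overly broad subnets, catch-all last) can be checked mechanically before a record is published. This is an added example, not SpoofWard's validator; `lint_spf` and its finding strings are hypothetical, and the /16 threshold is taken from the "Be Specific" guidance above.

```python
import ipaddress

KNOWN = {"all", "include", "a", "mx", "ptr", "exists", "ip4", "ip6"}

def lint_spf(record):
    """Return syntax-level findings for one SPF record string (no DNS queries)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    findings = []
    # Modifiers such as redirect= or exp= carry '=' before any ':'; skip them.
    mechs = [t for t in terms[1:] if "=" not in t.partition(":")[0]]
    for pos, term in enumerate(mechs):
        qualifier = term[0] if term[0] in "+-~?" else "+"   # '+' is the implicit default
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()
        if name not in KNOWN:
            findings.append(f"unknown mechanism: {term}")
        elif name == "all":
            if qualifier == "+":
                findings.append("+all authorizes every sender")
            if pos != len(mechs) - 1:
                findings.append("terms after 'all' are never evaluated")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(f"invalid address: {term}")
                continue
            if net.version != int(name[2]):
                findings.append(f"address family mismatch: {term}")
            elif name == "ip4" and net.prefixlen <= 16:
                findings.append(f"broad range (/{net.prefixlen}): {term}")
    has_all = any(m.lstrip("+-~?").lower() == "all" for m in mechs)
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if not has_all and not has_redirect:
        findings.append("no catch-all 'all' mechanism")
    return findings

if __name__ == "__main__":
    # Constructed input: a broad range combined with a pass-everything catch-all.
    for finding in lint_spf("v=spf1 ip4:203.0.0.0/16 +all"):
        print(finding)
```
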

Example SPF Records

Small Organization


v=spf1 include:_spf.google.com include:sendgrid.net ~all

  • Google Workspace for corporate email
  • SendGrid for transactional emails
  • 2 DNS lookups (under limit)

Medium Organization


v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com include:salesforce.com ip4:203.0.113.5 ~all

  • Google Workspace
  • SendGrid (transactional)
  • Mailchimp (marketing)
  • Salesforce (CRM)
  • Internal server at 203.0.113.5
  • 5 DNS lookups (safe)

Complex Organization


v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com include:salesforce.com include:zendesk.com include:slack.com ip4:203.0.113.0/24 ip4:198.51.100.5 ~all

  • Multiple cloud services
  • Internal subnet
  • Backup server
  • Likely ~8-9 DNS lookups (at limit, consider optimizing)

Optimization Strategies

Reducing DNS Lookups

If your SPF exceeds 10 lookups:

Option 1: Remove unused services

  • Do you still use that old email service?
  • Remove from SPF

Option 2: Use SPF Flattener

  • Expands includes to direct IPs
  • Reduces lookups
  • Trade-off: Manual updates needed when IPs change

Option 3: Use Hosted DNS

  • SpoofWard manages DNS for you
  • Handles SPF optimization
  • No more lookup limit concerns

Option 4: Delegate subdomain

  • Create SPF for subdomains separately
  • Marketing domain gets include:mailchimp.com
  • Newsletter domain gets separate record
  • Each stays under 10 lookups

SPF Flattener Tool

For overly complex SPF:

  1. Tools → SPF Flattener
  2. Paste your SPF record
  3. Tool expands all includes
  4. Shows all resolved IP ranges
  5. Generates flattened record

Example:

Before (includes):


v=spf1 include:sendgrid.net include:mailchimp.com ~all

After (flattened):


v=spf1 ip4:167.89.0.0/16 ip4:205.244.0.0/16 ip4:204.93.0.0/16 ~all

Warning

Flattened SPF breaks if vendor IPs change. Use only if necessary for DNS lookup limits. Prefer includes when possible.

Common Mistakes

Mistake 1: Wrong Domain

SPF record must be at the ROOT of your domain:


❌ Bad: spf.example.com
✓ Correct: example.com (at root)

Some DNS providers show this as "@" or blank hostname.

Mistake 2: Too Many Lookups


❌ Bad: 12 DNS lookups (exceeds 10 limit)
✓ Correct: 8 DNS lookups (under limit)

Use the tool to monitor and optimize.

Mistake 3: Hard Fail Too Soon


❌ Bad: -all before all senders configured
✓ Correct: Start with ~all, upgrade to -all later

Use soft fail (~all) until you're certain of all senders.

Mistake 4: Wrong Includes


❌ Bad: include:sendgrid.com (wrong domain)
✓ Correct: include:sendgrid.net

Verify each service's official include value in its documentation.

Mistake 5: Replacing Entire Record


❌ Bad: Copy/paste new record, lose existing senders
✓ Correct: Add new senders to existing record

Always UPDATE, not replace.

Testing Your SPF Record

Using SpoofWard

  1. Tools → SPF Checker
  2. Enter your domain
  3. Tool looks up your SPF record
  4. Shows parsed result
  5. Lists any errors
  6. Explains each component

Manual Testing

Send a test email from your domain:

  1. Send email to an external address (Gmail, etc.)
  2. Check email headers for SPF result
  3. Look for: "SPF: pass" (good) or "SPF: fail" (problem)

DNS Lookup Tools

Online SPF checkers:

  • MXToolbox (mxtoolbox.com)
  • Google Admin (workspace.google.com)
  • dmarcian.com

After Publishing

Verify Deployment

  1. Wait 24-48 hours for DNS propagation
  2. Use SPF Checker tool to verify
  3. Send test email to confirm SPF passes
  4. Check email headers for "SPF: pass"

Monitor Reports

In SpoofWard:

  1. Go to DMARC → Reports
  2. Look for SPF pass rate increasing
  3. Should see improvement within 48 hours
  4. Monitor for the next week

Ongoing Maintenance

Monthly:

  • Review email sources for new senders
  • Add new services to SPF
  • Remove old/unused services

Quarterly:

  • Check DNS lookup count
  • Optimize if approaching 10
  • Review for consolidation opportunities

FAQ

Can I have SPF on subdomains?

Yes, each subdomain can have its own SPF record at _spf.subdomain.example.com or similar.

What if I exceed 10 DNS lookups?

SPF fails completely, so you must optimize: use the SPF Flattener or reduce includes.

Do I need to update SPF if a service changes IPs?

Not if you use includes. The service updates its SPF record, and yours stays the same.

Can I have multiple SPF records?

No, use one SPF TXT record per domain. But you can have multiple TXT records if they are concatenated properly.

Should I use hard fail (-all) or soft fail (~all)?

Start with soft fail (~all). Switch to hard fail (-all) after confirming no missed senders.
