What does the 'all' mechanism do?

It is the catch-all that matches any sender not matched by an earlier mechanism. The qualifier sets the policy: -all rejects them (Fail), ~all accepts but marks them (SoftFail), ?all is Neutral, and +all authorises everyone — which disables SPF and should never be used.

Why does SPF have a 10-lookup limit?

Each a, mx, include, exists, and ptr mechanism triggers a DNS lookup during evaluation. The SPF spec caps these at 10 to prevent denial-of-service amplification. Exceeding 10 produces a PermError and your SPF effectively fails, so the builder counts them for you.

Can I have more than one SPF record?

No. A domain must publish exactly one SPF TXT record. Two SPF records cause a PermError. If you use multiple providers, combine them into a single record with several include mechanisms.

What is the 255-byte limit about?

A single character string inside a TXT record cannot exceed 255 bytes. Longer records must be split into multiple quoted strings within the same TXT entry, which DNS concatenates. The builder warns as you approach the limit so you can plan for it.

Where do I publish the SPF record?

As a TXT record at the domain itself (the apex host, for example example.com), not at a subdomain like _spf. The value is the full string starting with v=spf1. Subdomains that send mail need their own SPF records.

SPF Record Builder & Syntax Checker

SPF (Sender Policy Framework) tells receiving mail servers which IP addresses are allowed to send email for your domain. This builder turns a list of senders into a correctly formatted SPF TXT record and checks the rules that most commonly break SPF in practice.

How it works

An SPF record is a single string of space-separated terms that always begins with the version tag v=spf1 and ends with an all mechanism. Each mechanism between them describes a way a sender can be authorised:

ip4: / ip6: — authorise specific addresses or CIDR ranges directly. These cost no DNS lookups and are the most efficient way to list known senders.
a and mx — authorise the domain’s own A or MX hosts. Each costs one lookup.
include: — pull in another domain’s SPF record, used for email providers like Google Workspace or SendGrid. Each include costs one lookup, plus any lookups inside the included record.

The builder validates every IP and include, then assembles the record and runs two critical checks: the 10-DNS-lookup limit (exceeding it causes a PermError and SPF fails) and the 255-byte single-string limit for TXT records.

The all policy

The final all mechanism decides what happens to everyone not explicitly authorised:

v=spf1 include:_spf.google.com ip4:198.51.100.10 ~all

-all (Fail) — the strict, recommended end state once you have confirmed all legitimate senders are listed.
~all (SoftFail) — accept but flag. The safe choice while rolling out, so you do not bounce real mail you forgot to authorise.
?all (Neutral) — makes no assertion and offers little protection.
+all (Pass) — authorises the entire internet. This disables SPF entirely and must never be published.

Tips

Start with ~all, monitor your DMARC aggregate reports for a week or two, then tighten to -all.
Prefer ip4:/ip6: over a/mx where you know the addresses — they do not consume your lookup budget.
If you are nearing 10 lookups, “flatten” provider includes into static IP ranges, or drop unused includes. Validation here is entirely offline; confirm the live record afterwards with a DNS query against your published TXT.