AZ Tools

SPF Record Builder


Builds the `v=spf1` TXT record that tells receiving mail servers which hosts are allowed to send mail from your domain. Drop in your sending IPs, third-party providers (Google Workspace, Microsoft 365, Mailgun, etc.), and pick a closing all-qualifier. The tool keeps a running DNS-lookup count — SPF has a hard limit of 10 lookups per evaluation, and exceeding it produces a permerror that breaks delivery. Warnings light up for the common footguns: `+all`, `?all` neutral, records that overflow a 255-byte TXT chunk.

TXT record
v=spf1 mx ~all
DNS lookups: 1 / 10 · 14 B
Warnings
  • `~all` softfail is the safe bootstrap value. Tighten to `-all` once DMARC reports look clean.

Publish as a TXT record on your apex domain. Only one SPF record per domain — multiples are a configuration error.

How to use

  1. Start from the relaxed preset (`~all`) while you discover senders — soft-fail is forgiving for legitimate-but-unlisted mail.
  2. Add every third-party provider via `include:`; never paste their IPs directly, because they rotate.
  3. Tighten to `-all` once your DMARC reports show no legitimate sources missing.

Frequently asked questions

Why is the 10-lookup limit a big deal?
RFC 7208 caps SPF evaluation at 10 DNS lookups per check (each `include:`, `a`, `mx`, `ptr` or `exists` costs one). If you exceed it, the verifier returns `permerror`, which most strict DMARC policies treat as a fail.

Is `-all` or `~all` safer?
`-all` (hardfail) is the goal once you're sure every sender is listed — DMARC `p=reject` only kicks in for hard fails. `~all` (softfail) is the safer bootstrapping setting; mail still arrives but is quarantined.
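
The checks described on this page (lookup count, `+all` and `?all`, the 255-byte TXT chunk, duplicate records) can be run offline against a record before publishing. The following is an added example, not the tool's own code; `lint_spf`, `lint_domain` and the sample records are constructed for illustration, and because no DNS queries are made, lookups inside included records are not counted.

```python
import re

# Terms that each cost one DNS lookup at evaluation time (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10     # exceeding this makes the verifier return permerror
MAX_TXT_CHUNK = 255  # one TXT character-string holds at most 255 bytes
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:[:=/].*)?$")
ALL_WARNINGS = {
    "+": "+all lets any host send as this domain",
    "?": "?all is neutral: unlisted senders are neither passed nor failed",
    "~": "~all softfail: tighten to -all once DMARC reports look clean",
}


def lint_spf(record):
    """Lint one record without DNS queries; lookups inside included records are not counted."""
    size = len(record.encode("utf-8"))
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"lookups": 0, "bytes": size, "warnings": ["must start with v=spf1"]}
    lookups, warnings, names = 0, [], set()
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            warnings.append(f"unparseable term: {term!r}")
            continue
        qualifier, name = m.group(1) or "+", m.group(2).lower()  # bare "all" means "+all"
        names.add(name)
        lookups += name in LOOKUP_TERMS
        if name == "all" and qualifier in ALL_WARNINGS:
            warnings.append(ALL_WARNINGS[qualifier])
    if lookups > MAX_LOOKUPS:
        warnings.append(f"{lookups} lookups exceed {MAX_LOOKUPS}: permerror")
    if size > MAX_TXT_CHUNK:
        warnings.append(f"{size} bytes overflow one {MAX_TXT_CHUNK}-byte TXT chunk")
    if not names & {"all", "redirect"}:
        warnings.append("no all or redirect term: unmatched senders get neutral")
    return {"lookups": lookups, "bytes": size, "warnings": warnings}


def lint_domain(txt_records):
    """Lint all TXT strings at one name; more than one SPF record is a configuration error."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    results = [lint_spf(r) for r in spf]
    if len(spf) > 1:
        for res in results:
            res["warnings"].append("multiple SPF records published")
    return results
```

Pass `lint_domain` the full list of TXT strings returned for the apex name so that unrelated TXT records are ignored and a second `v=spf1` record is flagged.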
