An SPF record for cold email lists every service allowed to send from your domain. A correct SPF record is v=spf1 include:<provider-1> include:<provider-2> ~all. For most cold email setups, one record covering your sending infrastructure (e.g. v=spf1 include:_spf.google.com include:_spf.winnr.app ~all) is all you need. Use the generator below; start with ~all and tighten to -all once verified.
SPF Generator
@):v=spf1 ~all
All generation happens in your browser. Nothing is sent to Winnr's servers.
SPF Checker
Lookup via Google Public DNS. Your browser queries directly — nothing is logged by Winnr.
What Is an SPF Record?
SPF (Sender Policy Framework, defined in RFC 7208) is a DNS TXT record at your domain's root that lists the mail servers authorized to send email on your behalf. When a receiving mail server gets a message from you@yourdomain.com, it looks up the SPF record for yourdomain.com and checks whether the sending server's IP is listed. If it isn't, receivers know the mail is likely spoofed.
SPF is one of three DNS records every cold email domain needs. The trio is SPF + DKIM + DMARC. None of the three is optional in 2026 — Google and Yahoo's February 2024 bulk-sender rules require all three for any domain sending more than 5,000 messages a day to their users, and cold email senders are firmly in that bucket.
Common Mistakes
- Publishing two SPF records. A domain must have exactly one SPF record. Multiple records invalidate SPF entirely. Merge everything into a single
v=spf1 ...TXT. - Exceeding the 10-lookup limit. Each
include:,a:,mx:, orexists:counts — and includes can recurse. The generator above warns you at 8 lookups and errors at 11+. If you hit the cap, drop inactive providers or flatten includes to rawip4:ranges. - Forgetting the cold email sender. If you provision mailboxes through Winnr but forget to add
include:_spf.winnr.app, every cold email will fail SPF alignment and land in spam. - Using
+all. Never use+all— it means "accept mail from any server claiming to be you", which is the opposite of what SPF is for. - Not testing after DNS propagation. Use the checker above 5-15 minutes after publishing to confirm the record is live and parseable.
How to Publish Your SPF Record
- Copy the generated record from the box above.
- Log in to your DNS host (Cloudflare, Namecheap, Porkbun, Route 53, Google Domains, etc.).
- Create a new TXT record with host/name
@(or leave blank for the root, depending on the provider). - Paste the generated value. Leave TTL at 3600 or the default.
- Save. Wait 1-15 minutes for propagation, then verify with the checker above.
Provider Quick Reference
| Provider | Include mechanism | DNS lookups |
|---|---|---|
| Google Workspace | include:_spf.google.com | 4 |
| Microsoft 365 | include:spf.protection.outlook.com | 3 |
| Winnr | include:_spf.winnr.app | 2 |
| SendGrid | include:sendgrid.net | 2 |
| Mailgun | include:mailgun.org | 2 |
| Amazon SES | include:amazonses.com | 1 |
| Postmark | include:spf.mtasv.net | 1 |
| Mailchimp | include:servers.mcsv.net | 1 |
| Zoho Mail | include:zoho.com | 1 |
| HubSpot | include:_spf.hubspotemail.net | 1 |
Next up: Pair SPF with DKIM (cryptographic signature) and DMARC (enforcement policy). All three are required in 2026.
Frequently Asked Questions
What is an SPF record?
SPF (Sender Policy Framework) is a DNS TXT record that lists which servers are allowed to send email on behalf of your domain. Receiving mail servers check SPF to detect spoofed senders. An SPF record looks like v=spf1 include:_spf.google.com ~all.
Do I need SPF for cold email?
Yes. In 2026 Google and Yahoo reject or spam-folder any bulk email without valid SPF, DKIM, and DMARC alignment. Cold email without SPF lands in spam 90%+ of the time.
How do I add Google Workspace to my SPF record?
Add include:_spf.google.com. A full Google-only record is v=spf1 include:_spf.google.com ~all.
What's the difference between ~all and -all?
~all (softfail) says "non-listed senders probably aren't legit but don't reject." -all (hardfail) says "non-listed senders are spoofed — reject." Start with ~all; switch to -all once you're confident every legitimate sender is included.
Can I have more than one SPF record?
No. Multiple SPF records invalidate SPF entirely. Merge all providers into one record with multiple include: mechanisms.
What is the 10 DNS lookup limit?
RFC 7208 caps SPF at 10 DNS lookups per evaluation. Each include:, a:, mx:, or exists: counts. Exceed 10 and SPF returns PermError — treated as a fail. Flatten or drop providers if you hit the cap.
Does Winnr set up SPF automatically?
Yes. Every domain purchased through Winnr gets SPF, DKIM, and DMARC configured automatically. The Winnr include is include:_spf.winnr.app.
How do I check my SPF record?
Use the SPF Checker above — enter your domain and we look up the TXT record via Google Public DNS and parse each mechanism.
Related tools: DKIM Record Generator · DMARC Record Generator · Inbox Calculator. Related reading: Cold Email DNS Setup Checklist.