SPF Record Checker
Validate your domain's SPF record. Check authorized mail servers, DNS lookup count, and mechanism analysis.
What is SPF?
SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. When a receiving server gets a message claiming to be from your domain, it queries your SPF record to verify the sender is permitted.
SPF Mechanism Types
SPF records use several mechanism types to define authorized senders:
- include: Authorizes another domain's SPF record (e.g., include:_spf.google.com). Each include counts as a DNS lookup.
- a and mx: Authorizes the IP addresses returned by your domain's A or MX records. Both count as DNS lookups.
- ip4 / ip6: Directly authorizes a specific IP address or CIDR range (e.g., ip4:203.0.113.0/24). Does not count toward the DNS lookup limit.
- -all (hard fail): Reject email from any server not explicitly listed. This is the recommended setting for production domains.
- ~all (soft fail): Accept email from unlisted servers but mark it as suspicious. Common during initial SPF deployment.
The 10 DNS Lookup Limit
RFC 7208 limits SPF evaluation to 10 DNS lookups. Terms such as the include, a, and mx mechanisms and the redirect modifier each consume one lookup. Exceeding this limit causes a PermError, which can lead to email rejections. Organizations with many third-party senders often need to flatten or consolidate their SPF records to stay within this limit.
Why SPF Matters for Deliverability
A correctly configured SPF record is one of the three pillars of email authentication, alongside DKIM and DMARC. Without SPF, inbox providers like Gmail, Outlook, and Yahoo have no way to verify your sending servers, which means your legitimate emails are more likely to land in spam or be rejected entirely. Since 2024, Google and Yahoo require SPF (or DKIM) alignment for all senders, making it essential for email deliverability.
What does this tool check?
- SPF record presence -- Verifies that a valid SPF TXT record exists on the domain.
- Multiple record detection -- Flags if more than one SPF record is published, which causes authentication failures per RFC 7208.
- Mechanism analysis -- Parses every mechanism (include, a, mx, ip4, ip6, ptr, exists) and qualifiers (+, -, ~, ?) in the record.
- DNS lookup counting -- Counts the total number of DNS lookups required to evaluate the SPF record and warns if you are at or above the 10-lookup limit.
- All-mechanism type -- Checks whether your record ends with -all (hard fail), ~all (soft fail), or ?all (neutral) and recommends the appropriate policy for your situation.
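The checks listed above, together with the lookup counting described under the 10 DNS lookup limit, can be sketched as follows. This is an added example, not this tool's own code: the zone contents, the .example domain names and the function names are constructed for illustration, and the count is a worst-case static total over nested includes rather than what a single evaluation would query.

```python
import re

# Constructed TXT data standing in for live DNS, so the example runs offline.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example mx ip4:203.0.113.0/24 ~all",
                    "site-verification=constructed"],        # non-SPF TXT, ignored
    "_spf.mail.example": ["v=spf1 include:a.mail.example include:b.mail.example -all"],
    "a.mail.example": ["v=spf1 ip4:198.51.100.0/25 -all"],
    "b.mail.example": ["v=spf1 a exists:%{i}.bl.mail.example -all"],
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all"],
    # Eleven includes; the targets are deliberately absent, only the count matters.
    "big.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10
TERM = re.compile(r"([+\-~?]?)([a-z][a-z0-9_.-]*?)(?:[:=/](.*))?$", re.I)

def spf_records(domain, zone=ZONE):
    """TXT strings at the domain that are SPF records (first token is v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def terms(record):
    """Yield (qualifier, name, argument) for each term after the version tag."""
    for raw in record.split()[1:]:
        m = TERM.match(raw)
        if m:
            yield m.group(1) or "+", m.group(2).lower(), m.group(3) or ""

def count_lookups(domain, zone=ZONE, seen=frozenset()):
    """Worst-case count of DNS-querying terms, following include and redirect."""
    recs = spf_records(domain, zone)
    if len(recs) != 1 or domain in seen:   # absent, duplicated or looping: stop here
        return 0
    total = 0
    for _, name, arg in terms(recs[0]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and "%" not in arg:  # macros not expanded
                total += count_lookups(arg.lower(), zone, seen | {domain})
    return total

def check(domain, zone=ZONE):
    """Summarise presence, duplicates, lookup count and the qualifier on 'all'."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return {"records": len(recs), "status": "multiple records" if recs else "no record"}
    all_q = next((q for q, n, _ in terms(recs[0]) if n == "all"), None)
    n = count_lookups(domain, zone)
    return {"records": 1, "lookups": n, "all": all_q,
            "status": "too many lookups" if n > LIMIT else "ok"}
```

Swapping ZONE for a resolver-backed lookup turns the same functions into a live audit of the records you publish.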
Frequently Asked Questions
- What is an SPF record?
- An SPF (Sender Policy Framework) record is a DNS TXT record published on your domain that specifies which mail servers are authorized to send email on your behalf. When a receiving mail server gets a message claiming to be from your domain, it checks the SPF record to verify the sending server is permitted. SPF records use mechanisms like ip4, ip6, include, a, and mx to define authorized senders, and end with an all-mechanism (-all, ~all, or ?all) that tells receivers what to do with unauthorized senders.
- What does the 10 DNS lookup limit mean?
- The SPF specification (RFC 7208) limits SPF evaluation to 10 DNS lookups. Each "include", "a", "mx", "ptr", and "exists" mechanism, and the "redirect" modifier, counts as one lookup. If your SPF record exceeds 10 lookups, receiving mail servers will return a PermError and your emails may be rejected or marked as spam. The ip4, ip6, and all mechanisms do not count toward this limit because they do not require DNS queries. To stay within the limit, flatten nested includes, remove unused senders, or use SPF macro syntax.
- What is the difference between -all and ~all?
- The all-mechanism at the end of an SPF record defines the default policy for senders not explicitly listed. "-all" (hard fail) tells receivers to reject email from unauthorized servers outright. "~all" (soft fail) tells receivers to accept the email but mark it as suspicious, which typically means it gets flagged or sent to spam. "?all" (neutral) provides no recommendation either way. For maximum security and deliverability, "-all" is recommended once you have confirmed all your legitimate senders are listed in the SPF record.
- How do I add a sender to my SPF record?
- To authorize a new email sender, add the appropriate mechanism to your existing SPF record in your domain's DNS. For a third-party service like Google Workspace, add "include:_spf.google.com". For a specific mail server IP, add "ip4:203.0.113.5". For another domain's mail servers, use "include:otherdomain.com". Always place new mechanisms before the all-mechanism at the end. After updating, wait for DNS propagation (usually a few minutes to 48 hours depending on your TTL) and use this tool to verify the change.
- Why is my SPF record failing?
- Common causes of SPF failures include: (1) the sending server's IP address is not listed in your SPF record; (2) your SPF record exceeds the 10 DNS lookup limit; (3) there are multiple SPF records on your domain (only one is allowed); (4) syntax errors in the record such as missing spaces or invalid mechanisms; (5) a third-party service is sending email on your behalf but its include is missing from your record; (6) DNS propagation has not completed after a recent change. Use this checker to identify the specific issue and follow the recommendations to fix it.