SPF Record Checker
Look up and validate your domain's SPF record in seconds. This tool parses every mechanism, counts DNS lookups against the RFC 7208 limit of 10, and flags common misconfigurations.
How SPF Works
What is SPF?
Sender Policy Framework (SPF) is an email authentication protocol defined in RFC 7208. It allows domain owners to publish a DNS TXT record specifying which mail servers are authorized to send email on behalf of their domain. Receiving servers check incoming mail against this record and can reject or flag messages from unauthorized sources, reducing spoofing and phishing.
SPF Mechanisms
An SPF record is a space-separated list of mechanisms that describe authorized senders. Each mechanism is evaluated left to right; the first match determines the result.
| Mechanism | Description | DNS Lookup |
|---|---|---|
all | Matches every sender. Typically the last mechanism as a catch-all default. | No |
ip4 | Matches a specific IPv4 address or CIDR range (e.g. ip4:192.0.2.0/24). | No |
ip6 | Matches a specific IPv6 address or prefix (e.g. ip6:2001:db8::/32). | No |
a | Matches if the sender IP is in the A/AAAA records of the specified domain. | Yes |
mx | Matches if the sender IP is one of the MX hosts for the specified domain. | Yes |
include | Recursively evaluates the SPF record of another domain (e.g. include:_spf.google.com). | Yes |
redirect | Replaces the current SPF evaluation with the record of another domain. Used as a modifier, not a mechanism. | Yes |
exists | Matches if an A record lookup for the given domain returns any result. Used for advanced macro-based policies. | Yes |
SPF Qualifiers
Each mechanism can be prefixed with a qualifier that determines the result when the mechanism matches.
| Qualifier | Result | Meaning |
|---|---|---|
+ | Pass | The sender is authorized. This is the default if no qualifier is specified. |
- | Fail | The sender is explicitly not authorized. Mail should be rejected. |
~ | SoftFail | The sender is probably not authorized. Mail is accepted but marked. |
? | Neutral | No assertion is made about the sender. Treated the same as no SPF. |
Common SPF Issues
- Exceeding the 10 DNS lookup limit
-
RFC 7208 limits SPF evaluation to 10 DNS-querying mechanisms (
include,a,mx,redirect,exists). Exceeding this causes a permerror, and many receivers treat the record as invalid. Use SPF flattening or consolidate includes to stay under the limit. - Using
+all -
A record ending with
+allauthorizes every server on the internet to send mail for your domain, completely defeating the purpose of SPF. Always use-all(hard fail) or at minimum~all(soft fail). - Too many includes
-
Each
includecosts one DNS lookup, and the included record may itself contain further lookups. Chains of includes from multiple SaaS providers can quickly exhaust the 10-lookup budget. - Void lookups
- RFC 7208 also limits void lookups (queries that return NXDOMAIN or empty answers) to 2. Exceeding this triggers a permerror. Audit your mechanisms to ensure referenced domains actually exist.