SPF Record Checker
Enter a domain to validate its SPF record, count DNS lookups, and identify authorized senders.
What is SPF?
Sender Policy Framework (SPF) is an email authentication protocol defined in RFC 7208. It allows domain owners to specify which mail servers and IP addresses are authorized to send email on behalf of their domain. SPF records are published as DNS TXT records and are checked by receiving mail servers during the email delivery process.
Without an SPF record, any server on the internet can send email claiming to be from your domain, and receivers have no published policy to test the connecting server against. That leaves your domain open to spoofing and phishing, where attackers impersonate your brand to trick recipients. An SPF record acts as an allowlist for the envelope sender domain, telling the world exactly which servers are allowed to send as you.
SPF works alongside DKIM and DMARC to form a complete email authentication framework. SPF authenticates the sending server for the envelope domain; DKIM attaches a cryptographic signature that lets the receiver verify the signed headers and body were produced by the signing domain and not altered in transit; DMARC ties both results to the visible From domain and publishes a policy telling receivers what to do when neither check passes and aligns.
How SPF Works
When an email is sent from your domain, the receiving mail server performs an SPF check before delivering the message. Here is how that process works, step by step:
1. Sender sends email from your domain
Your mail server (or a third-party service like Google Workspace, SendGrid, or Mailchimp) connects to the recipient's mail server and identifies itself using your domain in the MAIL FROM (Return-Path) address. Receivers also evaluate SPF against the HELO/EHLO hostname the server announces, and when MAIL FROM is empty (as it is for bounces) that HELO identity is the only one checked.
2. Receiving server looks up your SPF record
The recipient's server queries DNS for the TXT records of your domain and keeps the one starting with v=spf1, which identifies it as an SPF record. The dedicated SPF record type (type 99) was dropped by RFC 7208, so only the TXT record counts.
3. Server checks the sending IP against authorized sources
The receiving server compares the connecting IP address against the list of authorized IPs, ranges, and included domains defined in your SPF record. It evaluates each mechanism in order from left to right and stops at the first one that matches; mechanisms after the match are never evaluated, so an ip4 entry placed before an include saves the include's lookup for mail from those addresses.
4. A result is returned
Based on the check, the server returns one of several results: pass (the IP is authorized), fail (the IP is explicitly not authorized), softfail (the IP is probably not authorized, but do not reject on SPF alone), or neutral (the domain makes no assertion about the IP). Three further results cover the cases where no decision was reached: none (no SPF record was found), temperror (a transient DNS problem prevented evaluation), and permerror (the record is invalid, for example because it exceeds the lookup limit or the domain publishes more than one SPF record).
The 10 DNS Lookup Limit
RFC 7208 imposes a hard limit of 10 DNS lookups during SPF evaluation. The limit bounds the work a receiver must do for every incoming message: without it, a crafted SPF record chaining many includes could force each receiving server to issue an unbounded number of DNS queries per message, turning SPF evaluation into a denial-of-service vector against receivers and their resolvers.
Not every mechanism counts toward this limit. Terms that require a DNS query and therefore count are include, a, mx, ptr (deprecated; avoid it), exists, and the redirect modifier. ip4, ip6, and all require no lookup and do not count. Each include may itself contain further lookups, and those nested lookups also count toward the total of 10. The address lookups for the individual MX hosts behind an mx term are capped separately (at most 10 MX names) and do not count against the 10 terms. RFC 7208 also asks evaluators to allow at most two void lookups (queries that return no records), so a or mx terms pointing at names that no longer resolve can produce a permerror before the 10-term budget is spent.
When the lookup limit is exceeded, the SPF evaluation returns a permanent error (permerror). Because evaluation stops at the first match, the error hits the senders whose authorization sits behind the tenth lookup: mail from services listed late in the record fails first. A permerror is not a pass, so the message cannot satisfy DMARC through SPF, and many receivers weigh it like a failure, which means your legitimate email may be rejected or flagged as spam even though the sending IP is actually authorized.
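The four evaluation steps above and the lookup budget from this section, as an added example that is not the checker's own code: a minimal RFC 7208 check_host() in Python run over a constructed in-memory DNS table that stands in for real resolution. It walks the record left to right, stops at the first match, recurses into include and redirect with one shared lookup counter, and produces permerror when the eleventh lookup-causing term is reached or when a domain publishes two v=spf1 records (the mistake discussed later under Common SPF Mistakes). Every domain and address below is invented; ptr, exists, macros and the a/24 dual-CIDR form are deliberately left out.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed in-memory DNS table."""
import ipaddress

LOOKUP_LIMIT = 10  # RFC 7208 4.6.4: at most 10 lookup-causing terms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data for this example (documentation address ranges, not live DNS).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    # Two v=spf1 records: invalid, must yield permerror before any lookup.
    "twice.example": {"TXT": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"]},
    # Eleven includes that never match: the eleventh lookup exceeds the budget.
    "deep.example": {"TXT": ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"]},
}
DNS.update({f"hop{i}.example": {"TXT": ["v=spf1 -all"]} for i in range(11)})


class Permerror(Exception):
    """Record is invalid: too many lookups, duplicate records, unknown mechanism."""


class SpfEvaluator:
    def __init__(self, dns):
        self.dns = dns
        self.lookups = 0  # one budget shared across every include and redirect

    def _records(self, name, rtype):
        return self.dns.get(name, {}).get(rtype, [])

    def _spf_record(self, domain):
        spf = [t for t in self._records(domain, "TXT") if t == "v=spf1" or t.startswith("v=spf1 ")]
        if len(spf) > 1:
            raise Permerror(f"{domain} publishes {len(spf)} SPF records")
        return spf[0] if spf else None

    def _count_lookup(self, term):
        self.lookups += 1
        if self.lookups > LOOKUP_LIMIT:
            raise Permerror(f"lookup limit exceeded at {term}")

    def _addresses(self, host, ip):
        rtype = "A" if ip.version == 4 else "AAAA"  # match the client's address family
        return [ipaddress.ip_address(a) for a in self._records(host, rtype)]

    def _matches(self, mech, value, domain, ip):
        """True if the mechanism matches the client IP; may raise Permerror."""
        if mech == "all":
            return True
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            return ip.version == net.version and ip in net
        if mech == "a":
            target = value or domain
            self._count_lookup(f"a:{target}")
            return ip in self._addresses(target, ip)
        if mech == "mx":
            target = value or domain
            self._count_lookup(f"mx:{target}")
            # Per-MX-host address lookups are capped at 10 separately and do not count here.
            return any(ip in self._addresses(h, ip) for h in self._records(target, "MX")[:10])
        if mech == "include":
            self._count_lookup(f"include:{value}")
            result = self.check_host(ip, value)
            if result == "pass":
                return True
            if result in ("fail", "softfail", "neutral"):
                return False  # include matches only on pass; the included all is not inherited
            raise Permerror(f"include:{value} evaluated to {result}")
        raise Permerror(f"unsupported mechanism {mech}")

    def check_host(self, ip, domain):
        """RFC 7208 check_host(): pass/fail/softfail/neutral/none, or raises Permerror."""
        record = self._spf_record(domain)
        if record is None:
            return "none"
        redirect = None
        for term in record.split()[1:]:  # skip the v=spf1 version tag
            if term.lower().startswith("redirect="):
                redirect = term.partition("=")[2]
                continue
            if "=" in term:  # other modifiers (exp=) are ignored in this example
                continue
            qualifier = term[0] if term[0] in QUALIFIERS else "+"
            mech, _, value = term.lstrip("+-~?").partition(":")
            if self._matches(mech.lower(), value, domain, ip):
                return QUALIFIERS[qualifier]  # first match decides; nothing after it runs
        if redirect is not None:  # only reached when no mechanism matched
            self._count_lookup(f"redirect={redirect}")
            result = self.check_host(ip, redirect)
            if result == "none":
                raise Permerror(f"redirect target {redirect} has no SPF record")
            return result
        return "neutral"


def spf_result(dns, client_ip, mail_from_domain):
    """Return (result, lookups_used), folding Permerror into the 'permerror' result."""
    ev = SpfEvaluator(dns)
    try:
        return ev.check_host(ipaddress.ip_address(client_ip), mail_from_domain), ev.lookups
    except Permerror:
        return "permerror", ev.lookups


if __name__ == "__main__":
    for ip, dom in [("203.0.113.7", "example.com"), ("10.0.0.1", "example.com"),
                    ("10.0.0.1", "twice.example"), ("10.0.0.1", "deep.example")]:
        print(dom, ip, spf_result(DNS, ip, dom))
```

Note how the counter is incremented before the query is issued: a record with exactly ten lookups is valid, and the error is raised on the eleventh term regardless of which nested record contains it. Running the first call shows pass after two lookups (mx, then include), while the last shows permerror with the counter at 11.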
Tips to stay under the limit
Flatten your record: Replace include mechanisms with the IP addresses they currently resolve to, as ip4 and ip6 entries. This removes the lookups, but it copies the provider's netblocks into your record, so the copy goes stale when the provider changes addresses and their mail silently starts failing SPF. Only flatten with an automated job that re-resolves the includes and republishes the record, and watch the record length, since flattened records can grow past the TXT string and UDP answer size limits.
Remove unused includes: Audit your SPF record regularly. If you no longer use a particular email service, remove its include entry to free up lookups.
Use ip4/ip6 for static IPs: If a sending service uses a fixed set of IP addresses, list them directly with ip4 or ip6 instead of using an include.
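The flattening tip above, as an added example that is not the page's tool: a Python routine that expands include, redirect, a and mx terms from a constructed zone into ip4/ip6 literals, reports how many lookups that removed, and splits the result into 255-octet TXT strings (the record-length problem covered under Common SPF Mistakes). The zone data is invented; a real job would resolve with a DNS library and re-run on a schedule.

```python
"""Flatten an SPF record into ip4/ip6 literals and split it into TXT strings."""

# Constructed example zone (documentation address ranges only, not live DNS).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 a mx include:_spf.mailer.example include:crm.example -all"],
        "A": ["198.51.100.10"],
        "MX": ["mx1.example.com", "mx2.example.com"],
    },
    "mx1.example.com": {"A": ["198.51.100.25"]},
    "mx2.example.com": {"A": ["198.51.100.26"], "AAAA": ["2001:db8:1::25"]},
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 include:_netblocks.mailer.example ~all"]},
    "_netblocks.mailer.example": {"TXT": ["v=spf1 ip4:203.0.113.128/25 ip6:2001:db8:ff::/48 -all"]},
    "crm.example": {"TXT": ["v=spf1 redirect=_spf.crm.example"]},
    "_spf.crm.example": {"TXT": ["v=spf1 ip4:192.0.2.50 -all"]},
}

UDP_BUDGET = 450  # RFC 7208 3.4: keep the record small enough for a 512-octet UDP answer


def _spf_record(dns, domain):
    return next(t for t in dns.get(domain, {}).get("TXT", []) if t.startswith("v=spf1"))


def _ip_terms(dns, host):
    """A/AAAA records of a host as ip4:/ip6: terms."""
    rr = dns.get(host, {})
    return [f"ip4:{a}" for a in rr.get("A", [])] + [f"ip6:{a}" for a in rr.get("AAAA", [])]


def flatten(dns, domain, _path=()):
    """Return (ip_terms, lookups_replaced) for the domain's SPF record.

    Only terms that would produce a pass are expanded: an include matches only when
    the included record passes, so its ~all/-all and any -, ~ or ? terms contribute
    nothing to the flattened allow set. A +all inside any record is refused.
    """
    if domain in _path:
        raise ValueError(f"include/redirect loop at {domain}")
    path = _path + (domain,)
    terms, lookups = [], 0
    for term in _spf_record(dns, domain).split()[1:]:
        if term.startswith("redirect="):
            sub, n = flatten(dns, term.partition("=")[2], path)
            terms += sub
            lookups += 1 + n
            continue
        if term[0] in "-~?" or "=" in term:  # non-pass terms and exp= add nothing
            continue
        mech, _, value = term.lstrip("+").partition(":")
        if mech in ("ip4", "ip6"):
            terms.append(f"{mech}:{value}")
        elif mech == "a":
            lookups += 1
            terms += _ip_terms(dns, value or domain)
        elif mech == "mx":
            lookups += 1
            for host in dns.get(value or domain, {}).get("MX", []):
                terms += _ip_terms(dns, host)
        elif mech == "include":
            sub, n = flatten(dns, value, path)
            terms += sub
            lookups += 1 + n
        elif mech == "all":
            raise ValueError(f"{domain} has +all: it authorizes every host, nothing to flatten")
        else:
            raise ValueError(f"cannot flatten {term!r} safely (ptr, exists, macros, a/CIDR)")
    return list(dict.fromkeys(terms)), lookups  # de-duplicate, keep order


def txt_strings(record, limit=255):
    """Split at spaces into character-strings of at most `limit` octets.

    Receivers concatenate the strings with no separator (RFC 7208 3.3), so every
    piece but the last keeps its trailing space and "".join() reproduces the record.
    """
    chunks, current = [], ""
    for token in record.split(" "):
        piece = token + " "
        if current and len(current) + len(piece) > limit:
            chunks.append(current)
            current = ""
        current += piece
    chunks.append(current.rstrip(" "))
    return chunks


def flatten_domain(dns, domain, tail="-all"):
    """Flattened record plus the size checks an operator should look at before publishing."""
    terms, lookups = flatten(dns, domain)
    record = "v=spf1 " + " ".join(terms) + f" {tail}"
    return {
        "record": record,
        "lookups_replaced": lookups,
        "length": len(record),
        "txt_strings": txt_strings(record),
        "over_udp_budget": len(record) > UDP_BUDGET,
    }
```

For the constructed zone the six lookups (a, mx, two includes, one nested include, one redirect) collapse to zero, and the resulting record still fits in a single string. The 203.0.113.128/25 entry is kept even though 203.0.113.0/24 already covers it; merging overlapping networks is a separate optimization worth doing when a flattened record approaches the size budget.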
SPF Mechanisms Explained
An SPF record is made up of mechanisms, which define which servers are authorized to send email for your domain, plus modifiers (redirect= and exp=) written in name=value form. Each mechanism can be prefixed with a qualifier: + (pass, the default), - (fail), ~ (softfail), or ? (neutral). The qualifier determines the result only when the mechanism matches; a non-matching mechanism is skipped and evaluation moves to the next one.
| Mechanism | Example | DNS Lookups | Description |
|---|---|---|---|
| include | include:_spf.google.com | 1+ | Evaluates another domain's SPF record and matches if that evaluation returns pass. Any lookups within the included record also count toward the 10-lookup limit. A fail or softfail inside the include does not propagate; it simply means no match. |
| a | a | 1 | Matches the A records (AAAA for an IPv6 client) of the domain, or of a named domain such as a:mail.example.com. If the sending IP matches any of them, the mechanism matches. |
| mx | mx | 1 | Matches the addresses of the domain's MX hosts. Counts as one lookup for the MX query; the address lookups for each MX host are capped separately at 10 and do not count. Authorizes the servers that receive email for this domain to also send it, which is rarely accurate when inbound and outbound mail use different infrastructure. |
| ptr | ptr | 1 | Deprecated in RFC 7208: matches if the sending IP's reverse DNS name resolves back to the domain. Slow, unreliable, and counted against the limit, so it should not be used. |
| ip4 | ip4:192.0.2.0/24 | 0 | Matches a specific IPv4 address or CIDR range. Does not require a DNS lookup, making it the most efficient mechanism. |
| ip6 | ip6:2001:db8::/32 | 0 | Matches a specific IPv6 address or CIDR range. Like ip4, does not require a DNS lookup. |
| all | -all | 0 | Catch-all mechanism that matches everything. Placed last with a - (fail) or ~ (softfail) qualifier to reject or flag unauthorized senders. Nothing after it is ever evaluated, including a redirect modifier. |
| redirect | redirect=_spf.example.com | 1 | A modifier rather than a mechanism: if no mechanism matched, evaluation continues with the named domain's record and that record's result (including its fail or softfail) becomes the final result. Used instead of include when the entire policy lives elsewhere. |
| exists | exists:%{i}.spf.example.com | 1 | Macro-based mechanism that matches if an A record exists for the expanded name, whatever its value; %{i} expands to the sending IP. Used for per-IP authorization schemes where the allow list is too large or too dynamic for ip4/ip6 entries. |
Common SPF Mistakes
1. Too many DNS lookups
The most frequent issue. Each include, a, mx, redirect, and exists mechanism costs at least one lookup, and includes can nest further lookups. Modern businesses using multiple email services (Google Workspace, a marketing platform, a CRM, a support desk) can easily exceed 10 lookups without realizing it. When exceeded, SPF returns permerror and all email may fail authentication.
2. Using +all
The +all mechanism tells receiving servers that every IP address in the world is authorized to send email as your domain. This completely defeats the purpose of SPF and offers zero protection against spoofing. Always use -all (hard fail) or ~all (softfail) at the end of your record.
3. Multiple SPF records
A domain is only allowed to have one SPF record (one TXT record starting with v=spf1). If you publish two or more SPF records, the result is a permerror and SPF evaluation fails entirely. When adding a new email service, update your existing SPF record instead of creating a new one.
4. Forgetting to add your ESP's include
When you start using a new email service provider (ESP) like Mailchimp, SendGrid, or HubSpot, you need to add their include to your SPF record. Without it, emails sent through that service will fail SPF checks, potentially landing in spam or being rejected.
5. SPF record too long
DNS TXT records are built from character-strings of at most 255 octets, but one TXT record may contain several strings, and SPF receivers concatenate them with no separator (RFC 7208 section 3.3), so the spaces between terms must sit inside the strings. Most DNS providers split long values automatically, but some management interfaces reject or truncate a value over 255 characters, and publishing a second TXT record is the wrong fix because it creates the multiple-records permerror above. Keep the total record under about 450 octets as well: RFC 7208 recommends that the DNS answer fit in a 512-octet UDP response, since truncated answers force TCP retries that some resolvers handle badly.
Frequently Asked Questions
What happens if I don't have an SPF record?
Without an SPF record, receiving mail servers have no way to verify whether an email claiming to come from your domain was actually sent by an authorized server. This means anyone can send email as your domain without being flagged by SPF. While some providers may still deliver these emails, your domain is left vulnerable to spoofing and phishing. Additionally, not having SPF can negatively impact your deliverability since many providers factor authentication into spam filtering decisions.
Can I have more than one SPF record?
No. RFC 7208 explicitly states that a domain must not have more than one SPF record. If multiple TXT records beginning with v=spf1 are found, the result is a permanent error (permerror) and SPF evaluation fails. If you need to authorize multiple services, combine them into a single SPF record using multiple include mechanisms. For example: v=spf1 include:_spf.google.com include:sendgrid.net -all.
What's the difference between -all and ~all?
-all (hard fail) produces a fail result for any sender that matches no earlier mechanism; ~all (softfail) produces softfail, a weaker signal that the receiver should accept the message but treat it with suspicion. What is actually done with either result is the receiver's decision: SPF alone rarely causes an outright rejection, and under DMARC the distinction disappears because neither fail nor softfail is a pass. Starting with ~all is reasonable during initial setup; switch to -all once you've confirmed all legitimate senders are included.
Does SPF check the From header?
No. SPF checks the MAIL FROM address (also called the Return-Path or envelope sender), not the From header that users see in their email client. This is an important distinction because a message can pass SPF even if the visible From address is in a completely different domain from the MAIL FROM address, which is exactly what a phisher sending through their own infrastructure will arrange. This is why DMARC is essential: it adds an alignment check requiring the SPF-authenticated domain to match the visible From domain. In relaxed alignment the two must share an organizational domain (bounces.example.com aligns with example.com); in strict alignment they must be identical.
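The MAIL FROM versus From distinction, as an added example that is not part of the page: Python that pulls the SPF identity (Return-Path, falling back to the HELO domain for an empty MAIL FROM as RFC 7208 section 2.4 prescribes) and the visible From domain out of constructed messages and tests DMARC relaxed and strict alignment. The organizational-domain logic takes the last two labels, a simplification standing in for the Public Suffix List; the SPF result itself is passed in, as it would come from the receiver's SPF evaluation.

```python
"""Which domain SPF authenticated, and whether it aligns with the visible From: domain."""
from email import message_from_string
from email.utils import parseaddr

# Constructed messages. In the first two the envelope sender (Return-Path) is a
# bulk-mail provider's bounce domain, which is what SPF actually evaluates.
MSG_THIRD_PARTY = """\
Return-Path: <bounce-4711@bounce.mailer.example>
From: "Example Billing" <billing@example.com>
Subject: Your invoice

See attachment.
"""
MSG_SUBDOMAIN = """\
Return-Path: <bounce-4711@bounces.example.com>
From: "Example Billing" <billing@example.com>
Subject: Your invoice

See attachment.
"""
MSG_BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.com>
Subject: Undeliverable

Your message could not be delivered.
"""


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' for <> or a missing header)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def organizational_domain(domain):
    """Assumption for this example: the last two labels. Real DMARC consults the
    Public Suffix List, so names like example.co.uk need a PSL lookup instead."""
    return ".".join(domain.split(".")[-2:])


def spf_identity_domain(msg, helo_domain):
    """The domain SPF checked: MAIL FROM, or the HELO identity when MAIL FROM is empty
    (RFC 7208 2.4 treats an empty MAIL FROM as postmaster@<HELO domain>)."""
    return domain_of(msg["Return-Path"]) or helo_domain.lower()


def dmarc_spf_alignment(raw_message, spf_result, helo_domain):
    """What DMARC sees from the SPF leg: both domains and whether an SPF pass aligns."""
    msg = message_from_string(raw_message)
    spf_domain = spf_identity_domain(msg, helo_domain)
    from_domain = domain_of(msg["From"])
    passed = spf_result == "pass"  # only a pass can align; fail/softfail/permerror never do
    return {
        "spf_domain": spf_domain,
        "from_domain": from_domain,
        "strict": passed and spf_domain == from_domain,
        "relaxed": passed and organizational_domain(spf_domain) == organizational_domain(from_domain),
    }
```

The first message passes SPF for bounce.mailer.example yet aligns in neither mode, so DMARC must be satisfied by an aligned DKIM signature or the message fails policy. Moving the bounce address onto a subdomain you control, as in the second message, restores relaxed alignment without touching the provider's SPF record.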
How long does it take for SPF changes to propagate?
Resolvers keep a record until the TTL (Time To Live) they received with it expires, so a change is visible everywhere once the old record's TTL has run out: with a TTL of 3600 seconds (1 hour), every resolver that cached the old record will have re-fetched it within an hour. The 24 to 48 hour figure often quoted is a conservative allowance for resolvers that ignore TTLs. For a planned change, lower the TTL (for example to 300 seconds) at least one old-TTL period before the edit, make the change, verify it with a direct query against your authoritative name servers rather than a cache, then raise the TTL again.