Skip to content
๐Ÿ”Security ScannerPopularยท๐Ÿ“ŠTraffic AnalyzerNewยท๐ŸŒDNS LookupPopularยท๐Ÿ”‘Password GeneratorPopularยท๐Ÿ“‹JSON FormatterTrendingยท๐Ÿ”SSL CheckerPopularยท๐Ÿ›ก๏ธPhishing CheckerNewยท๐Ÿ’ฑCurrency ConverterTrendingยท๐Ÿ“งDMARC CheckerPopularยท๐Ÿ–ผ๏ธImage CompressorTrendingยท๐Ÿ“ฑQR Code GeneratorPopularยท๐Ÿ”—Domain ScannerNewยท
ToolZilla

Validate Your Email Sending PolicySPF Record Checker

Look up and parse any domain's SPF record โ€” analyze mechanisms, qualifiers, DNS lookup count, and get warnings about common issues.

โ“

Frequently Asked Questions

What is SPF?

SPF (Sender Policy Framework) is an email authentication protocol that specifies which mail servers are authorized to send email on behalf of your domain. It's published as a TXT record in DNS starting with 'v=spf1' and helps prevent email spoofing.

What does the 'all' mechanism mean in SPF?

The 'all' mechanism is a catch-all at the end of an SPF record. '-all' (hard fail) means reject unauthorized senders, '~all' (soft fail) means mark as suspicious, '?all' (neutral) takes no action, and '+all' (pass) allows everyone โ€” which defeats the purpose of SPF.

Why is there a 10 DNS lookup limit?

RFC 7208 limits SPF evaluation to 10 DNS lookups (include, a, mx, ptr, exists, redirect) to prevent denial-of-service attacks and excessive DNS queries. Exceeding this limit causes SPF to return a 'permerror', which may cause email delivery failures.

What's the difference between -all and ~all?

'-all' (hard fail) instructs receivers to reject messages from unauthorized senders. '~all' (soft fail) marks them as suspicious but still delivers them. Hard fail provides stronger protection, but soft fail is safer during initial deployment.

Can I have multiple SPF records?

No. A domain must have at most one SPF record. Having multiple TXT records starting with 'v=spf1' causes a 'permerror' and SPF will fail. If you need to authorize multiple services, use the 'include' mechanism within a single record.

Complete Guide: How to Use the SPF Record Checker

Validate your domain's SPF (Sender Policy Framework) record to ensure legitimate email senders are authorized and spoofers are blocked. Our checker parses every SPF mechanism, counts DNS lookups (max 10 allowed), detects syntax errors, and verifies that all included domains resolve correctly.

Step-by-Step Instructions

  1. 1

    Enter your domain

    Type the domain to check (e.g., example.com). The tool retrieves the SPF TXT record starting with 'v=spf1'.

  2. 2

    View parsed mechanisms

    See each mechanism broken down: ip4/ip6 ranges, include references, a/mx lookups, and the all mechanism (qualifier: +, -, ~, ?).

  3. 3

    Check DNS lookup count

    SPF has a 10-lookup limit. The tool counts all 'include', 'a', 'mx', 'redirect', and 'exists' mechanisms against this limit.

  4. 4

    Review errors and warnings

    See syntax errors, missing mechanisms, excessive lookups, and deprecated features. Each issue includes a fix recommendation.

Common Use Cases

  • โœ“Email deliverability โ€” ensure SPF doesn't block legitimate outbound email from your servers
  • โœ“Anti-spoofing โ€” verify that SPF blocks unauthorized senders from using your domain
  • โœ“Migration โ€” update SPF records when adding new email services (Google Workspace, SendGrid, etc.)
  • โœ“Troubleshooting โ€” diagnose SPF-related email rejection or spam folder placement
  • โœ“Compliance โ€” verify SPF meets organizational email authentication requirements
  • โœ“Optimization โ€” reduce DNS lookups to stay under the 10-lookup limit

Pro Tips

๐Ÿ’กThe 10-DNS-lookup limit includes nested lookups inside 'include' targets. One 'include' can consume multiple lookups if it includes other domains.
๐Ÿ’กUse 'ip4' and 'ip6' mechanisms instead of 'a' or 'mx' to save DNS lookups when you know the specific IPs.
๐Ÿ’กEnd your SPF record with '-all' (hard fail) for maximum protection, or '~all' (soft fail) during initial rollout.
๐Ÿ’กNever have more than one SPF record per domain โ€” multiple records cause validation failures.

Related Tools

๐ŸŒ

DNS Lookup Tool

Check DNS records for any domain. Lookup A, AAAA, MX, CNAME, TXT and NS records online.

๐Ÿ›ก๏ธ

DMARC Record Checker

Validate your domain's DMARC policy. Check alignment, policy mode, reporting URIs and configuration issues.

๐Ÿ”‘

DKIM Record Checker

Look up and validate DKIM public key records. Verify selector, key length, algorithm and flags.

โœ‰๏ธ

BIMI Record Checker

Check BIMI (Brand Indicators for Message Identification) DNS records. Verify your brand logo in email clients.