SPF Checker
Check the SPF record for any domain — see authorized senders, qualifier strength, and DNS-lookup count.
About the spf record checker
SPF (Sender Policy Framework, RFC 7208) is the DNS record that lists which IP addresses and hostnames are authorized to send mail for your domain. Receiving servers query it during the SMTP transaction to decide whether the connecting server has any business sending mail on your behalf. SPF is one of the two ingredients DMARC checks against — without a working SPF record, mail through any third-party sender is at risk of being marked as spoofed.
This checker fetches the TXT record at the apex of your domain, recursively expands every `include:` and `redirect=` pointer, and counts how many DNS lookups would be required at evaluation time. The hard ceiling per RFC 7208 §4.6.4 is 10 lookups — exceed it and the receiver returns `permerror`, which DMARC treats as a failure.
It's the fastest way to find out why a sending tool you just added has broken your existing setup, or to diagnose why mail through a particular provider is suddenly being marked as spoofed.
How it works
- Resolves the TXT record at the domain apex and identifies the SPF record (the one starting with `v=spf1`).
- Recursively expands `include:`, `redirect=`, `a`, `mx`, `exists:`, and `ptr` mechanisms, counting each lookup.
- Surfaces the lookup count and warns when it's above 8 (close to the limit).
- Detects the four most common SPF mistakes: more than one SPF record on a domain, missing `all` mechanism, `+all` (which authorizes the world), and unresolvable includes.
- Returns the fully-expanded list of authorized IPs and hostnames, so you can verify the actual senders.
Frequently asked questions
What is an SPF record?
An SPF record is a TXT DNS record on your domain that lists the IP addresses and hostnames allowed to send email for that domain. Format: `v=spf1 include:_spf.google.com include:sendgrid.net -all`. Receiving mail servers compare the connecting IP against this list to decide whether to accept the mail.
What's the SPF 10 lookup limit?
RFC 7208 §4.6.4 limits an SPF evaluation to 10 DNS lookups, total. Each `include:`, `redirect=`, `a`, `mx`, `exists:`, and `ptr` mechanism counts. When the limit is exceeded, the receiver returns `permerror` and DMARC treats the message as failing SPF — the most common cause of mysterious deliverability problems for senders who use multiple email tools.
What does -all, ~all, and +all mean?
`-all` (hard fail): receivers should reject anything not matched. `~all` (soft fail): receivers should accept but mark suspect. `+all` (pass everything): authorizes the entire internet to send for your domain — almost always a misconfiguration. `?all` (neutral): no policy. Standard recommendation is `-all` once you're confident in your record.
Can I have two SPF records?
No. RFC 7208 §3 explicitly forbids multiple SPF records on the same domain — receivers MUST return `permerror`. If you need to authorize senders for multiple services, combine them into one record with multiple `include:` mechanisms.
How do I fix SPF flattening?
SPF flattening replaces `include:` mechanisms with the resolved IP ranges so the lookup count stays under 10. It works, but it's brittle — when the included service rotates IPs, your SPF goes stale and mail starts failing. Better solutions: (1) consolidate to fewer ESPs, (2) use a managed SPF service like Valimail or EasyDMARC that flattens dynamically, (3) move some sending to a subdomain with its own SPF record.