SPF Record Checker

Validate SPF (Sender Policy Framework) records for any domain. This tool queries the domain's TXT records, identifies the SPF policy, parses each mechanism, and highlights potential issues that could affect email deliverability.

Figure 1 — SPF Record Checker

What Is SPF (Sender Policy Framework)?

SPF is an email authentication standard defined in RFC 7208 that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. It works by publishing a TXT record in DNS that lists approved sending sources. When a receiving mail server gets a message, it checks the sender's IP against the domain's SPF record to determine if the message is legitimate.

SPF is one of three pillars of email authentication, alongside DKIM and DMARC. Together, they protect your domain from email spoofing and phishing attacks. If you're managing DNS for your domain, you should already be familiar with DNS record types and how MX records route email.

SPF Mechanism Reference

SPF records use a specific syntax to define authorization rules. Each mechanism can be prefixed with a qualifier to determine how matches are handled:

| Mechanism | Syntax Example | Description |
|---|---|---|
| ip4 | ip4:203.0.113.0/24 | Match if sender IP is in the specified IPv4 range |
| ip6 | ip6:2001:db8::/32 | Match if sender IP is in the specified IPv6 range |
| a | a:mail.example.com | Match if sender IP matches the A record of the domain |
| mx | mx | Match if sender IP matches any MX server IP |
| include | include:_spf.google.com | Include another domain's SPF record |
| redirect | redirect=_spf.example.com | Replace this SPF with another domain's record |
| exists | exists:%{i}._spf.example.com | Match if a DNS A lookup succeeds |
| all | -all | Match all remaining senders (usually last mechanism) |

SPF Qualifiers Explained

Each SPF mechanism can be preceded by a qualifier that determines the result when matched:

| Qualifier | Symbol | Result | Receiver Action |
|---|---|---|---|
| Pass | + (default) | Authorized | Accept the message |
| Fail | - | Not authorized | Reject the message |
| SoftFail | ~ | Probably not authorized | Accept but mark as suspicious |
| Neutral | ? | No assertion | Treat as if no SPF exists |

Pro Tip: Always use -all (hard fail) at the end of your SPF record once you've confirmed all legitimate sending sources are listed. Using ~all (soft fail) during initial setup is fine, but leaving it permanently gives spoofers a loophole. If you're troubleshooting delivery issues, check your DNS records and verify that all sending services are included.
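The mechanism and qualifier rules above can be applied mechanically to a record. The following is an added example, not code from this tool: the function names parse_spf and audit are hypothetical, and the audit covers only the issues this page discusses.

```python
import re

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")

def parse_spf(record):
    """Split a record into (kind, result, name, value) tuples, in order."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    terms = []
    for part in parts[1:]:
        m = TERM.match(part)
        if not m:
            raise ValueError(f"unparseable term: {part!r}")
        qual, name, sep, value = m.group(1), m.group(2).lower(), m.group(3), m.group(4) or ""
        if sep == "=" and not qual:
            # name=value is a modifier (redirect); it takes no qualifier.
            terms.append(("modifier", None, name, value))
        elif sep != "=" and name in MECHANISMS:
            if sep == "/":
                value = "/" + value  # CIDR suffix on a bare a or mx
            # A missing qualifier defaults to "+" (Pass).
            terms.append(("mechanism", QUALIFIERS[qual or "+"], name, value))
        else:
            raise ValueError(f"unknown or malformed term: {part!r}")
    return terms

def audit(record):
    """Return warnings for the policy issues discussed on this page."""
    terms = parse_spf(record)
    names = [name for _, _, name, _ in terms]
    warnings = []
    if "ptr" in names:
        warnings.append("ptr is deprecated and slow; use a or ip4")
    if "all" not in names:
        if "redirect" not in names:
            warnings.append("no all mechanism; end the record with -all")
    else:
        pos = names.index("all")
        if terms[pos][1] != "Fail":
            warnings.append(f"all gives {terms[pos][1]}; use -all once senders are verified")
        if any(kind == "mechanism" for kind, *_ in terms[pos + 1:]):
            warnings.append("mechanisms after all are never evaluated")
    return warnings

if __name__ == "__main__":
    print(audit("v=spf1 ptr mx ~all"))
```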

Common SPF Record Examples

Here are SPF records for popular email configurations. Each example shows how to authorize different sending sources:

Google Workspace Only

v=spf1 include:_spf.google.com -all

Microsoft 365 Only

v=spf1 include:spf.protection.outlook.com -all

Multiple Services (Google + Mailchimp + Custom Server)

v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:203.0.113.10 -all

Subdomain That Does Not Send Email

v=spf1 -all

Publishing v=spf1 -all on domains or subdomains that never send email is a best practice. It prevents attackers from spoofing those domains. This is especially important for parked domains and DDNS subdomains.

Note: SPF has a 10 DNS lookup limit (RFC 7208, Section 4.6.4). Each include, a, mx, redirect, and exists mechanism counts as one lookup. Exceeding this limit causes SPF to return a PermError, which means your email authentication fails entirely. Use ip4 and ip6 mechanisms (which don't count as lookups) to stay under the limit. You can use our DNS Lookup tool to trace each include chain.
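To see how nested includes reach the limit, the added example below (not part of this tool) walks an include chain and totals the lookups. ZONE is constructed TXT data with hypothetical names standing in for DNS; the starting domain is assumed to publish a record, and every term is counted, so the total is a worst case.

```python
import re

LIMIT = 10
# Terms the page lists as costing one lookup; RFC 7208 also counts ptr.
LOOKUP_TERMS = {"include", "a", "mx", "redirect", "exists", "ptr"}

# Constructed TXT data standing in for DNS; every name is hypothetical.
ZONE = {
    "example.com": ["v=spf1 mx include:_spf.mail.example include:_spf.crm.example include:_spf.news.example -all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "_spf.crm.example": ["v=spf1 a mx include:_ips.crm.example ~all"],
    "_ips.crm.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_spf.news.example": ["v=spf1 a:out.news.example exists:%{i}._ok.news.example ~all"],
}

class PermError(Exception):
    """Conditions a receiver reports as PermError."""

def spf_record(domain, zone):
    found = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:  # several records, or an include target with none
        raise PermError(f"{domain}: expected 1 SPF record, found {len(found)}")
    return found[0]

def count_lookups(domain, zone, chain=()):
    """Worst case: count every lookup term in every record of the chain."""
    if domain in chain:
        raise PermError(f"include loop at {domain}")
    total = 0
    for term in spf_record(domain, zone).lower().split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)[:=]?([^/]*)", term)
        if not m:
            raise PermError(f"{domain}: bad term {term!r}")
        name, target = m.groups()
        if name in LOOKUP_TERMS:
            total += 1  # ip4, ip6 and all never reach this branch
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, chain + (domain,))
    return total

def check(domain, zone):
    try:
        n = count_lookups(domain, zone)
    except PermError as exc:
        return ("PermError", str(exc))
    return ("PermError" if n > LIMIT else "ok", f"{n} lookups")
```

Replacing the include for _spf.crm.example with its ip4 range brings this constructed chain from 11 lookups down to 7.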

SPF and Email Deliverability

A properly configured SPF record directly impacts whether your emails reach the inbox or land in spam. Major email providers like Gmail, Outlook, and Yahoo all check SPF during message delivery. Here's how SPF results affect deliverability:

  • Pass — Message is likely legitimate; combined with DKIM and DMARC, this maximizes inbox placement.
  • SoftFail — Message is suspicious; may be placed in spam depending on other signals.
  • Fail — Message is unauthorized; most providers reject or quarantine it.
  • PermError — SPF record is broken (too many lookups, syntax error); treated as if no SPF exists.

If you notice email delivery problems, start by checking your SPF record with this tool, then verify your DKIM signatures and DMARC policy. Also ensure your sending server's IP address isn't blacklisted and that your DNS resolution is working correctly.

Troubleshooting SPF Failures

Common SPF issues and their solutions:

  • PermError: Too many DNS lookups — Flatten includes by replacing them with explicit ip4 and ip6 entries. Each include counts toward the 10-lookup limit.
  • Multiple SPF records — A domain must have only one SPF (v=spf1) TXT record. Multiple records cause PermError.
  • Missing sending source — If emails from a third-party service fail SPF, add their include directive. Check the service's documentation.
  • Using ptr mechanism — The ptr mechanism is deprecated and slow. Replace it with a or ip4.
  • Record too long — DNS TXT records have a 255-character string limit. For longer SPF records, split into multiple strings within one TXT record.

When troubleshooting DNS-related email issues, it helps to understand how DNS resolution works and how ISP DNS compares to custom DNS resolvers. Cached DNS records can cause intermittent SPF failures if you recently changed your record.

Key Takeaways
  • SPF records specify which servers can send email for your domain, preventing spoofing.
  • Always end SPF records with -all once your setup is verified.
  • Stay under the 10 DNS lookup limit by using ip4/ip6 instead of excessive include directives.
  • Each domain must have exactly one SPF TXT record — multiple records cause errors.
  • Combine SPF with DKIM and DMARC for complete email authentication.
  • Publish v=spf1 -all on domains and subdomains that don't send email.

Frequently Asked Questions

What happens if my domain has no SPF record?

Without an SPF record, receiving servers have no way to verify if incoming email from your domain is legitimate. This makes your domain vulnerable to spoofing and reduces deliverability, as many servers treat missing SPF as suspicious.

Can I have multiple SPF records on one domain?

No. RFC 7208 requires exactly one SPF record per domain. If multiple v=spf1 records exist, mail servers return a PermError and SPF authentication fails entirely. Merge all mechanisms into a single record.

What is the 10 DNS lookup limit?

SPF processing is limited to 10 DNS lookups to prevent denial-of-service attacks. Each include, a, mx, redirect, and exists mechanism triggers a DNS lookup. The ip4, ip6, and all mechanisms do not count. Exceeding the limit results in a PermError.

Should I use ~all or -all?

Use ~all (SoftFail) during initial setup while you verify all legitimate senders are included. Once confirmed, switch to -all (Fail) for maximum protection. SoftFail is less strict and allows unauthorized messages to be delivered (usually to spam).

Does SPF work with email forwarding?

SPF can break when emails are forwarded because the forwarding server's IP may not be in the original domain's SPF record. This is one reason DKIM is important — it survives forwarding since it validates the message body, not the sending IP. DMARC alignment helps handle this scenario.

How do I check if my SPF record is working?

Use this SPF Record Checker to verify the record exists and has valid syntax. Then send a test email to a Gmail address and check the message headers for "spf=pass". You can also view headers in most email clients under "Show Original" or "View Source".
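The header check described above can be scripted against a saved copy of the test message. This is an added example, not part of this tool: SAMPLE is a constructed message, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed headers for illustration; not taken from a real message.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@example.com;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=bounce@example.com;
 dmarc=pass header.from=example.com
From: Alice <alice@example.com>
Subject: SPF test

Test body.
"""

def spf_verdicts(raw_message):
    """Return (result, smtp.mailfrom) for each spf= entry found."""
    msg = message_from_string(raw_message)
    verdicts = []
    # A message can carry several Authentication-Results headers added by
    # different hops; only the one written by your own receiver is trustworthy.
    for header in msg.get_all("Authentication-Results", []):
        # Simplification: split on ';' and ignore any ';' inside comments.
        for part in header.split(";"):
            part = " ".join(part.split())  # unfold continuation lines
            m = re.match(r"spf=(\w+)", part, re.I)
            if m:
                sender = re.search(r"smtp\.mailfrom=(\S+)", part, re.I)
                verdicts.append((m.group(1).lower(),
                                 sender.group(1) if sender else None))
    return verdicts

def spf_passed(raw_message):
    """True only if at least one spf= entry exists and all of them are pass."""
    verdicts = spf_verdicts(raw_message)
    return bool(verdicts) and all(result == "pass" for result, _ in verdicts)

if __name__ == "__main__":
    print(spf_verdicts(SAMPLE), spf_passed(SAMPLE))
```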

What is SPF flattening?

SPF flattening replaces include mechanisms with the resolved ip4 and ip6 addresses. This reduces DNS lookups but requires regular updates since the included domains' IP addresses may change. Automated SPF flattening services can handle this maintenance.

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.
