Free DNS tool

SPF Record Checker

Validate your SPF syntax, count DNS lookups against the RFC 7208 limit, and find the configuration issues that quietly hurt email delivery.

No login required. We query live DNS and never store your domain.

Try it instantly

Run an SPF check on a well known domain, or enter your own above.

SPF, explained

What is an SPF record?

SPF, short for Sender Policy Framework, is an email authentication standard that lets a domain owner declare which mail servers are allowed to send email on the domain's behalf. That declaration lives in a single DNS TXT record, beginning with v=spf1 and ending with an all mechanism. When a receiving server accepts a message, it looks up this record to decide whether the connecting server was authorized.

Without a published SPF record, your mail is far easier to spoof and far more likely to land in spam. Since 2024, the largest mailbox providers expect SPF, DKIM, and DMARC to be in place before they will reliably deliver bulk email.

How SPF works

The check happens in real time during the SMTP conversation. The receiving server reads the envelope sender domain, fetches that domain's SPF record, and compares the connecting IP address against the authorized sources listed in the record. A match passes SPF. No match returns a soft fail or hard fail depending on the closing qualifier you chose.

  • include: delegates authorization to a third-party sender, such as include:_spf.google.com. Each include costs at least one DNS lookup.
  • ip4: and ip6: authorize a specific address or CIDR range directly, with zero additional lookups.
  • a and mx: authorize the IPs behind the domain's own A or MX records, costing one lookup each.
  • ~all vs -all: the final qualifier decides what happens to mail from any server not listed above.

Common SPF issues

  • Too many DNS lookups. SPF allows a maximum of 10 lookups per evaluation. Exceed it and receivers return a permanent error, failing SPF for every message.
  • Missing authorized senders. Every service you send through, from your help desk to your newsletter platform, needs to be represented in the record or its mail will fail.
  • Multiple SPF records. A domain must publish exactly one SPF record. Two or more produces a PermError and breaks authentication entirely.
  • Using +all. The +all qualifier authorizes the entire internet to send as your domain, which removes any protection SPF offered.

How to fix the 10-lookup limit

When a record creeps toward 10 lookups, the goal is to reduce the number of DNS queries SPF has to resolve without dropping any legitimate sender. Work through these steps in order, then re-scan to confirm the count dropped.

  1. Remove senders you no longer use. Old platforms often linger in the record long after you stop sending through them. Each retired include you delete frees up its lookups.
  2. Flatten heavy includes to ip4 entries. If a provider publishes a stable set of IP ranges, replacing its include with explicit ip4 blocks trades multiple lookups for zero, though you then have to track their IP changes.
  3. Drop the ptr mechanism. The ptr mechanism is slow, discouraged by RFC 7208, and rarely needed. Removing it reclaims a lookup and improves reliability.
  4. Consolidate before adding. Treat the budget like a ledger. Confirm you have headroom before introducing a new sender so you never cross 10 by surprise.

SPF only checks the envelope sender, not the visible From address your recipients see. Pair it with DKIM and a DMARC policy to fully protect your domain from spoofing. Need to build a record from scratch? Use the SPF record generator.

Frequently asked

SPF record questions

How do I check if my SPF record is valid?
Enter your domain in the checker above. It performs a live DNS lookup, confirms exactly one v=spf1 TXT record exists, validates the syntax, counts the DNS lookups it resolves, and flags anything that would cause a failure. You can cross-check manually by running nslookup -type=txt yourdomain.com, but the tool also verifies the lookup count and qualifiers, which a raw lookup does not.
How many SPF records can a domain have?
Exactly one. A domain must publish a single SPF TXT record. If two or more records begin with v=spf1, SPF returns a PermError and fails for every message. To authorize another service, fold its include into your existing record rather than publishing a second one.
What is the SPF 10 DNS lookup limit and how do I fix it?
RFC 7208 caps SPF evaluation at 10 DNS lookups, counting every nested include, a, mx, ptr, exists, and redirect. Crossing it triggers a PermError that fails all mail. Fix it by removing unused includes, flattening heavy includes to ip4 ranges, and dropping the ptr mechanism, then re-scanning to confirm the count.
What is the difference between ~all and -all?
Both define what happens to mail from servers not listed in your record. ~all is a soft fail: receivers usually accept the message but mark it suspicious. -all is a hard fail: receivers are told to reject it. Start with ~all while you confirm every legitimate sender is covered, then tighten to -all for the strongest anti-spoofing posture.
What happens when an SPF check fails?
A fail means the connecting server is not authorized in your record. With -all the message is usually rejected outright. With ~all it is often accepted but treated as suspicious and more likely to be filtered. If DKIM also passes and is aligned, DMARC can still let the message through, which is why the three protocols are used together.
How long does it take for an SPF record to update?
Changes usually propagate within a few minutes to a few hours, though full global DNS propagation can take 24 to 48 hours depending on your provider and TTL settings. To speed it up, lower the TTL to around 300 seconds before editing, publish your change, then re-check the record until the new value appears.
Is an SPF record enough to stop email spoofing?
No. SPF only validates the envelope sender, not the visible From address recipients actually see. To protect the From domain you need SPF together with DKIM and a DMARC policy that tells receivers what to do when authentication fails. Since 2024, Google, Microsoft, and Yahoo require all three for bulk senders.
What does "v=spf1 include:_spf.google.com ~all" mean?
It is a common record for domains that send through Google Workspace. v=spf1 declares the SPF version, include:_spf.google.com authorizes Google's mail servers to send for your domain, and ~all soft-fails mail from any server not covered above. If you also use other sending services, add their include mechanisms to this same record.
Do I really need an SPF record?
Yes. Since 2024, Google, Microsoft, and Yahoo expect bulk senders to authenticate their mail, and SPF is one of the three records they look for alongside DKIM and DMARC. Without it, receivers cannot confirm which servers are allowed to send for your domain, so your mail is easier to spoof and more likely to be filtered. Even low-volume senders benefit, because a published SPF record is a basic trust signal that costs nothing to add.
Does an SPF record improve email deliverability?
Indirectly, yes. SPF does not boost your reputation on its own, but a missing or broken record actively hurts delivery because receivers treat unauthenticated mail with suspicion. A clean record that authorizes every legitimate sender removes one of the easiest reasons to filter you, and it is required for DMARC to pass on the SPF side. Pair it with DKIM and DMARC for the full effect.
What is SPF flattening and when do I need it?
SPF flattening replaces include mechanisms with the explicit ip4 and ip6 ranges they resolve to, which collapses several DNS lookups into zero. You only need it when your record is close to the limit of 10 lookups and you cannot remove any senders. The tradeoff is upkeep: if a provider changes its sending IPs, a flattened record goes stale and must be corrected by hand, so flatten only the heaviest includes and re-check often.
Does SPF check the From address or the envelope sender?
SPF checks the envelope sender, also called the return-path or MAIL FROM, not the From address your recipients see. That is why SPF alone cannot stop someone from spoofing your visible From line. DMARC closes that gap by requiring the SPF-authenticated domain to align with the From domain, which is why the two are used together.