SPF Record Checker

Look up and validate SPF records for any domain. See parsed mechanisms, check the 10 DNS lookup limit, get a security grade, and learn how to fix common SPF issues.

SPF Verified — Now Monitor Your Email Infrastructure

SPF protects your domain from spoofing. Uptime monitoring protects your email servers from going unnoticed when they go down. Monitor SMTP, MX records, and API endpoints with instant alerting.

What Is an SPF Record?

An SPF (Sender Policy Framework) record is a type of DNS TXT record that identifies which mail servers are permitted to send email on behalf of your domain. It's one of the three pillars of email authentication — alongside DKIM and DMARC — and plays a critical role in preventing email spoofing, phishing, and spam.

When someone receives an email claiming to be from @yourdomain.com, their mail server looks up your domain's SPF record to check whether the sending server's IP address is authorized. If the IP isn't listed, the email may be flagged as suspicious, sent to spam, or rejected entirely — depending on your SPF policy and the receiver's configuration.

How SPF Records Work

SPF records are published as DNS TXT records on your domain. Here's the evaluation process when an email is received:

  1. The receiving mail server extracts the envelope sender domain (the Return-Path or MAIL FROM address, not the visible “From” header).
  2. It performs a DNS TXT lookup on that domain and finds the record starting with v=spf1.
  3. It evaluates each mechanism in order (left to right) against the connecting server's IP address.
  4. The first mechanism that matches determines the result: Pass, Fail, SoftFail, or Neutral.
  5. If no mechanism matches and the record doesn't end with all, the result is Neutral.

SPF Mechanism Reference

SPF records consist of mechanisms that define authorized senders. Each mechanism can be prefixed with a qualifier:

  • + (Pass) — Authorize the sender (default if no qualifier specified)
  • - (Fail) — Reject the sender
  • ~ (SoftFail) — Accept but mark as suspicious
  • ? (Neutral) — No opinion on the sender

Common Mechanisms

  • ip4:192.168.1.0/24 — Matches a specific IPv4 address or CIDR range. The most precise way to authorize sending servers.
  • ip6:2001:db8::/32 — Same as ip4 but for IPv6 addresses.
  • include:_spf.google.com — Includes the SPF record of another domain. Commonly used for email providers (Google Workspace, Microsoft 365, SendGrid, etc.).
  • a — Matches the domain's own A record. Use when your web server also sends email.
  • mx — Matches the domain's MX record IPs. Use when your incoming mail servers also send outbound email.
  • all — Matches everything. Always placed last with a qualifier to define the default policy.

The 10 DNS Lookup Limit

RFC 7208 imposes a strict limit of 10 DNS lookups during SPF evaluation. This is one of the most common issues with SPF records, especially for organizations using multiple email services.

Terms that count toward this limit: the include, a, mx, ptr, and exists mechanisms, plus the redirect modifier. Note that ip4 and ip6 do not count because they don't require DNS lookups.

If your SPF record exceeds 10 lookups, the result is a PermError — SPF validation fails completely, which is worse than having no SPF record at all. Our checker tool shows your current lookup count so you can stay within the limit.

Common SPF Issues and How to Fix Them

No SPF Record

Without an SPF record, anyone can send email pretending to be from your domain. Add a TXT record starting with v=spf1 that lists your authorized senders, ending with ~all or -all.

Using +all

The +all mechanism authorizes every server on the internet to send email as your domain. This completely defeats the purpose of SPF. Change it to ~all (softfail) or -all (hardfail) immediately.

Too Many DNS Lookups

If you're over the 10-lookup limit, consider: (1) replacing include mechanisms with direct ip4/ip6 ranges, (2) consolidating email services, or (3) using an SPF flattening service that resolves includes into IP addresses.

Multiple SPF Records

Having two or more TXT records starting with v=spf1 on the same domain causes a PermError. Combine all mechanisms into a single record.
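
An added Python example (not the checker tool's own code) that counts lookups and flags the issues listed above. It walks include and redirect targets in a constructed ZONE dictionary instead of querying DNS, so the domains, function names and issue strings are all assumptions; the count is worst-case, since a real evaluation stops at the first match.

```python
import re

LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data standing in for live DNS; every domain is hypothetical.
ZONE = {
    "ok.example": ["v=spf1 mx include:_spf.mail.example ~all"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 include:_net.mail.example -all"],
    "_net.mail.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "open.example": ["v=spf1 ip4:192.0.2.0/24 +all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.1 -all"],
    "big.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}

def spf_records(zone, domain):
    """Return the TXT strings at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(zone, domain, seen=frozenset()):
    """Worst-case count of DNS-querying terms in the include/redirect tree."""
    records = spf_records(zone, domain)
    if domain in seen or len(records) != 1:
        return 0  # include loop, or nothing usable to walk
    total = 0
    for term in records[0].lower().split()[1:]:
        term = term.lstrip("+-~?")
        name = re.split(r"[:=/]", term, maxsplit=1)[0]
        if name in COUNTED:
            total += 1
        if name in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[-1]
            total += count_lookups(zone, target, seen | {domain})
    return total

def audit(zone, domain):
    """Return (lookup_count, issues) for the problems listed above."""
    records = spf_records(zone, domain)
    if not records:
        return 0, ["no SPF record"]
    if len(records) > 1:
        return 0, ["multiple SPF records: PermError"]
    issues = []
    if {"+all", "all"} & set(records[0].lower().split()[1:]):
        issues.append("+all authorizes every sender")
    lookups = count_lookups(zone, domain)
    if lookups > LIMIT:
        issues.append(f"{lookups} DNS lookups, limit is {LIMIT}: PermError")
    return lookups, issues
```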

SPF, DKIM, and DMARC — The Email Authentication Stack

SPF is just one piece of the email authentication puzzle. For comprehensive protection against email spoofing:

  • SPF verifies that the sending server's IP is authorized by the domain owner. Use our SPF checker to validate your record.
  • DKIM adds a cryptographic signature to emails, proving the content hasn't been tampered with in transit.
  • DMARC ties SPF and DKIM together with a policy that tells receivers what to do when authentication fails.

All three should be configured for every domain that sends email. Use our DKIM checker and DMARC checker to validate your complete email authentication setup.

SPF Records for Popular Email Providers

  • Google Workspace: v=spf1 include:_spf.google.com ~all
  • Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all
  • SendGrid: v=spf1 include:sendgrid.net ~all
  • Mailchimp: v=spf1 include:servers.mcsv.net ~all
  • Amazon SES: v=spf1 include:amazonses.com ~all
  • Postmark: v=spf1 include:spf.mtasv.net ~all

If you use multiple services, combine all include mechanisms into a single SPF record and keep an eye on the 10-lookup limit.


Frequently Asked Questions About SPF Records

What is an SPF record?

An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. It helps prevent email spoofing by letting receiving servers verify that incoming messages come from authorized sources.

How do I check my SPF record?

Enter your domain name in the SPF checker tool above and click “Check SPF.” The tool queries DNS for TXT records, finds the SPF record, parses all mechanisms, and provides a security grade with actionable recommendations.

What does ~all vs -all mean in SPF?

~all (softfail) marks unauthorized emails as suspicious but still delivers them. -all (hardfail) instructs receivers to reject unauthorized emails outright. Use -all when you're confident all legitimate senders are listed.

What is the SPF 10 DNS lookup limit?

SPF evaluation is limited to 10 DNS lookups per RFC 7208. Exceeding this limit causes a PermError, failing SPF validation entirely. Use ip4/ip6 (which don't count) instead of include where possible.

How do I fix a missing SPF record?

Add a TXT record to your DNS. For Google Workspace: v=spf1 include:_spf.google.com ~all. For Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all. Combine services into one record.

Can I have multiple SPF records?

No. Multiple SPF records cause a PermError. Combine all mechanisms into a single v=spf1 record. For example: v=spf1 include:_spf.google.com include:sendgrid.net ~all.

How does SPF relate to DKIM and DMARC?

SPF verifies the sending server, DKIM verifies message integrity via cryptographic signatures, and DMARC ties them together with a policy. All three should be configured for comprehensive email authentication.

Does SPF prevent all email spoofing?

No. SPF only checks the envelope sender (Return-Path), not the visible “From” header that users see. An attacker can pass SPF by sending from an authorized server while spoofing the From header. DMARC addresses this gap by requiring alignment between the From header and the authenticated domain.
