Free SPF Record Checker Tool
Free SPF record checker — parse SPF mechanisms, verify authorized email senders, and check DNS lookup limits for any domain.
What Is SPF?
SPF (Sender Policy Framework), defined in RFC 7208, is an email authentication protocol that specifies which mail servers are authorized to send email for a domain. It works by publishing a DNS TXT record listing allowed IP addresses and domains.
Without SPF, anyone on the internet can forge the "From" address in an email to impersonate a domain. SPF gives receiving servers a way to verify that the sending server's IP address is actually authorized by the domain's administrators.
SPF Syntax Explained
An SPF record starts with "v=spf1" and contains mechanisms: "ip4:" and "ip6:" specify allowed IP ranges, "include:" references another domain's SPF record, "a" allows the domain's own A record IPs, "mx" allows IPs from MX records, and "all" is the catch-all.
Qualifiers modify evaluation: "+" means pass (default), "-" means hard fail, "~" means soft fail, and "?" means neutral. Best practice is to end with "-all" once all legitimate senders are accounted for.
SPF Best Practices
Keep the SPF record under the 10 DNS lookup limit: each "include:", "a", "mx", and "redirect" term counts ("redirect" is a modifier rather than a mechanism, but it costs a lookup all the same). Exceeding it causes a "permerror" that can result in all email failing SPF checks.
Use "-all" instead of "~all" once you're confident all legitimate senders are included. Regularly audit "include:" entries to remove unused services. If approaching the 10-lookup limit, consider flattening includes into explicit IP ranges.
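The lookup count and the single-record rule can be checked offline. The Python below is an added example, not this tool's code: the ZONE table holds constructed TXT records for made-up .test domains in place of live DNS answers, and the function names are hypothetical. It also counts "ptr" and "exists", which RFC 7208 section 4.6.4 includes in the limit alongside the four terms named above.

```python
import re

# Constructed sample TXT data standing in for live DNS answers (not real domains).
ZONE = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mail.test include:_spf.crm.test -all"],
    "_spf.mail.test": ["v=spf1 include:_a.mail.test include:_b.mail.test ~all"],
    "_a.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.test": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_spf.crm.test": ["v=spf1 a mx exists:%{i}.bl.crm.test ?all"],
    "dup.test": ["v=spf1 -all", "v=spf1 mx -all"],
    "heavy.test": ["v=spf1 include:example.test include:_spf.mail.test -all"],
}
# Terms that cost a DNS lookup per RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

class PermError(Exception):
    """Raised for conditions an SPF evaluator reports as permerror."""

def spf_record(domain):
    """Return the domain's single SPF record, or None if it publishes none."""
    txts = [t for t in ZONE.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if len(txts) > 1:
        raise PermError(f"{domain}: {len(txts)} SPF records published")
    return txts[0] if txts else None

def count_lookups(domain, path=()):
    """Worst-case count of lookup-triggering terms, following nested includes."""
    if domain in path:  # the same domain twice on one chain is a loop
        raise PermError(f"include loop via {domain}")
    record = spf_record(domain)
    total = 0
    for term in (record or "").split()[1:]:
        # Drop the qualifier, then split "name:arg" or "name=arg" once.
        name, *arg = re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1)
        name = name.split("/")[0].lower()  # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and arg:
                total += count_lookups(arg[0], path + (domain,))
    return total

def audit(domain):
    """Return (lookups, verdict) the way a checker would summarise a domain."""
    try:
        n = count_lookups(domain)
    except PermError as exc:
        return None, f"permerror: {exc}"
    return n, "ok" if n <= LIMIT else f"permerror: {n} lookups exceeds {LIMIT}"
```

The count is a static worst case: a receiving server stops evaluating at the first matching mechanism, so it may perform fewer lookups than this total for a given message.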
Check Your SPF Record Now
Enter any domain above to parse its SPF record and see every authorized sender, IP range, and include directive. This SPF record checker validates syntax, counts DNS lookups against the 10-lookup limit, and flags common misconfigurations.
SPF works best alongside DMARC. After checking your SPF record, use the DMARC Checker to verify your authentication policy, or run a full Email Security Checker audit to assess SPF, DMARC, MTA-STS, and BIMI together.
Frequently Asked Questions
What is SPF and why is it important?
SPF (Sender Policy Framework) is an email authentication protocol that prevents email spoofing by specifying which mail servers are authorized to send email for your domain. It works by publishing a TXT record in DNS that receiving servers check during email delivery. An SPF record checker verifies this configuration is correct. Without SPF, anyone can forge emails appearing to come from your domain.
What should my SPF record look like?
An SPF record starts with "v=spf1" followed by mechanisms that authorize senders. A typical record looks like: "v=spf1 include:_spf.google.com include:sendgrid.net -all". The "include:" directives authorize third-party services, and "-all" means reject all other senders. Replace the includes with your actual email providers.
Can a domain have multiple SPF records?
No. RFC 7208 specifies that a domain must have at most one SPF record. Having multiple SPF records causes a "permerror" result, which means receiving servers cannot determine your SPF policy and may reject or flag your email. If you need to authorize multiple services, combine them into a single SPF record using multiple "include:" mechanisms.
What does the DNS lookup limit in SPF mean?
SPF allows a maximum of 10 DNS lookups when evaluating a record. Each "include:", "a", "mx", and "redirect" term triggers a DNS lookup, and nested includes count toward the total. Exceeding 10 lookups causes a "permerror" that can result in all email failing SPF. To stay under the limit, consolidate includes or flatten them into explicit IP ranges.
What's the difference between "~all" and "-all" in SPF records?
"~all" (tilde) is a soft fail — it tells receiving servers that unauthorized senders should be treated with suspicion but not necessarily rejected. "-all" (hyphen) is a hard fail — it instructs receivers to reject email from unauthorized sources. Best practice is to start with "~all" during setup, then switch to "-all" once you've confirmed all legitimate senders are included.