Free SPF Record Checker
Enter any domain to instantly validate its SPF record. See every mechanism, count DNS lookups against the 10 lookup limit, inspect the include tree, and check the fail policy. Detect PermErrors before they break your email delivery.
Need to create an SPF record? Use our SPF Generator. Hitting the 10 lookup limit? Try the SPF Flattener.
What Is an SPF Record?
SPF (Sender Policy Framework) is a DNS TXT record that lists the mail servers authorised to send email for your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to see if the sending IP is on the list. If it is not, the server can flag or reject the message.
An SPF record looks like this:
Each include: mechanism references another domain's SPF record, and the ~all at the end says "soft fail anything not listed."
The 10 DNS Lookup Limit
RFC 7208 limits SPF evaluation to 10 DNS lookups. Each include:, a:, mx:, and redirect= mechanism counts as one or more lookups. Exceeding this limit causes a PermError, which means SPF fails for every message, not just some. This tool counts your lookups and warns you if you are over the limit.
If you are over the limit, read our guide on how to fix SPF too many DNS lookups or use the SPF Flattener to resolve all includes to IP addresses.
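The lookup count described above can be reproduced offline. The following is an added example, not this tool's own code: it walks an include tree and raises a PermError once the 10 lookup budget is spent or a domain publishes more than one SPF record. The domains and TXT data in ZONE are constructed, and the names spf_record, count_lookups and check are hypothetical.

```python
import re

LIMIT = 10                                   # RFC 7208 cap on DNS-querying terms
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data for hypothetical domains; stands in for live DNS answers.
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test include:_spf.crm.test mx ~all"],
    "_spf.mail.test": ["v=spf1 include:_a.mail.test include:_b.mail.test ~all"],
    "_a.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_b.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.crm.test": ["v=spf1 a:out.crm.test ip6:2001:db8::/32 -all"],
    "dup.test": ["v=spf1 mx -all", "v=spf1 a -all"],
    "n11.chain.test": ["v=spf1 ip4:192.0.2.1 -all"],
}
for i in range(11):                          # constructed chain of 11 nested includes
    ZONE[f"n{i}.chain.test"] = [f"v=spf1 include:n{i + 1}.chain.test ~all"]

class PermError(Exception):
    pass

def spf_record(domain, zone):
    """Return the single SPF record for domain; more than one is a PermError."""
    found = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(found) > 1:
        raise PermError(f"{domain}: multiple SPF records")
    if not found:
        raise LookupError(f"{domain}: no SPF record")
    return found[0]

def count_lookups(domain, zone, state=None):
    """Walk the include tree depth-first, counting every DNS-querying term."""
    state = {"n": 0} if state is None else state
    for term in spf_record(domain, zone).split()[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term.lower())
        name, target = m.group(1), m.group(2)
        if name not in LOOKUP_TERMS:
            continue                         # ip4, ip6, all, exp: not counted
        state["n"] += 1
        if state["n"] > LIMIT:
            raise PermError(f"more than {LIMIT} DNS lookups")
        if name in ("include", "redirect") and target:
            count_lookups(target, zone, state)   # nested record shares the budget
    return state["n"]

def check(domain, zone=ZONE):
    try:
        return ("ok", count_lookups(domain, zone))
    except PermError as exc:
        return ("permerror", str(exc))
```

Because the counter is shared across the whole tree, an include loop also ends in a PermError instead of recursing forever.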
SPF Fail Policies Explained
| Qualifier | Meaning | Recommendation |
|---|---|---|
| ~all | Soft fail. Non-matching senders are flagged. | Recommended with DMARC |
| -all | Hard fail. Non-matching senders are rejected. | Safe for non-mail domains |
| ?all | Neutral. No assertion about non-matching senders. | Provides no protection |
| +all | Pass all. Allows anyone to send. | Never use this |
For a deeper explanation, read our SPF Hard Fail vs Soft Fail guide.
What This Tool Checks
- SPF record presence: Whether a valid SPF TXT record exists for the domain
- DNS lookup count: Total lookups against the 10 lookup limit
- Mechanisms: Every include, ip4, ip6, a, mx, and redirect mechanism
- Include tree: Nested resolution of all include chains
- Fail policy: The all qualifier and what it means
- Multiple records: Detection of duplicate SPF records (causes PermError)
- DMARC context: Whether a DMARC record exists alongside SPF
SPF and DMARC: Why You Need Both
SPF alone does not prevent email spoofing. An attacker can send email that passes SPF by using their own domain in the envelope sender while displaying your domain in the visible "From" header. DMARC solves this by requiring that the domain in the "From" header aligns with the domain that passed SPF (or DKIM). Without DMARC, SPF is a partial defence at best.
Check your complete email authentication setup with our DMARC Checker or run a Security Grade check for a full security posture assessment.
Frequently Asked Questions
What happens if my SPF record has more than 10 lookups?
Exceeding the 10 DNS lookup limit causes a PermError. When this happens, SPF fails for every message your domain sends, regardless of whether the sender is authorised. Use our SPF Flattener to resolve all includes to IP addresses and eliminate the lookup problem.
Should I use ~all or -all?
If you have DMARC enforcement (p=quarantine or p=reject), use ~all (soft fail). DMARC handles the enforcement, and soft fail avoids edge cases where legitimate forwarded mail is rejected. Use -all (hard fail) only for domains that do not send email at all.
Can I have multiple SPF records?
No. RFC 7208 requires exactly one SPF TXT record per domain. If multiple SPF records exist, this is a PermError and SPF will fail for all messages. Merge all mechanisms into a single record.
Does SPF affect my Security Grade?
Yes. A valid SPF record within the 10 lookup limit is required for the Security Grade and above. Check your Security Grade to see how SPF contributes to your overall domain security score.