SPF Record Checker

What is an SPF Record?

SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. It is one of the key email authentication protocols, alongside DKIM and DMARC, that helps prevent email spoofing and phishing attacks.

An SPF record starts with v=spf1 and contains a list of mechanisms that define which servers can send mail for the domain. For example:

v=spf1 include:_spf.google.com ~all

This record allows Google's mail servers to send email on behalf of the domain, and soft-fails everything else.

SPF Mechanisms Explained

• include: Authorizes the SPF record of another domain (e.g., include:_spf.google.com)
• ip4: Authorizes a specific IPv4 address or CIDR range (e.g., ip4:192.168.1.0/24)
• ip6: Authorizes a specific IPv6 address or range
• a: Authorizes the A record IP of the domain
• mx: Authorizes the domain's MX record IPs
• all: Matches everything — used as the final catch-all mechanism
• redirect= Points to another domain's SPF record entirely
• exists: Advanced macro-based mechanism for conditional checks

SPF Qualifiers

Each mechanism in an SPF record can have a qualifier prefix that determines what happens when a match occurs:

How to Use the SPF Checker?

• Enter Domain: Type the domain name you want to check (e.g., example.com). No need to include "http://" or "www." — the tool handles that automatically.
• Click Check SPF Record: The tool queries Cloudflare's DNS over HTTPS API to fetch TXT records for the domain.
• View Results: See the raw SPF record, parsed mechanisms with qualifiers, and any other TXT records found.
• Copy Record: Use the copy button to copy the raw SPF record to your clipboard.

Common SPF Configuration Mistakes

• Multiple SPF Records: A domain must have only one SPF record. Having two or more is invalid per RFC 7208 and may cause unpredictable email delivery.
• Exceeding 10 DNS Lookups: SPF has a limit of 10 DNS lookups. Using too many include: mechanisms can exceed this limit and cause a PermError.
• Using +all: Setting +all authorizes any server to send email, effectively disabling SPF protection. Always use ~all or -all.
• Missing SPF Record: Not having an SPF record at all can lead to email delivery issues and makes your domain vulnerable to spoofing.
• Using PTR: The ptr mechanism is deprecated (RFC 7208) due to performance issues. Use ip4/ip6 instead.

Frequently Asked Questions (FAQs)

What is an SPF record?

An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of a domain. It helps prevent email spoofing and phishing.

How does an SPF Checker work?

An SPF Checker queries the DNS TXT records for a given domain, identifies the SPF record (starting with v=spf1), and parses its mechanisms such as include, ip4, ip6, mx, a, and the all qualifier.

What does ~all mean in an SPF record?

The ~all mechanism means SoftFail — emails from non-authorized servers will be accepted but marked as suspicious. -all means hard fail (reject), +all means allow all (not recommended), and ?all means neutral.

Can a domain have multiple SPF records?

No, a domain should have only one SPF record. Having multiple SPF records is a configuration error per RFC 7208 and may cause email delivery issues. Multiple records should be merged into one.

What is the SPF 10 DNS lookup limit?

SPF has a limit of 10 DNS lookups (including include, a, mx, ptr, exists, and redirect mechanisms). Exceeding this limit causes a PermError, which may result in email delivery failures.