SPF Record Checker
Look up any domain’s SPF record, parse every mechanism, and get an instant assessment of your configuration. Free SPF validator — no signup required.
Queries DNS-over-HTTPS · RFC 7208 compliant checks · Instant results
What is SPF?
SPF (Sender Policy Framework) is a DNS-based email authentication mechanism defined in RFC 7208. It allows domain owners to specify which mail servers are permitted to send email on behalf of their domain by publishing a TXT record in their DNS.
When a receiving mail server gets an email claiming to be from your domain, it queries your DNS for an SPF record and checks whether the sending server’s IP address is listed. If the IP is not authorised, the receiving server can reject or mark the message as suspicious — depending on your policy.
SPF is one of three email authentication standards, alongside DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). All three work together to protect your domain from spoofing and improve deliverability.
Standard: RFC 7208 (published April 2014)
Record type: DNS TXT (at the domain root, @)
Max lookups: 10 (per RFC 7208 §4.6.4)
How SPF works
This checker evaluates a domain's SPF record in a straightforward four-step process:
Enter your domain
Type your domain name (e.g. example.com) — no protocol or path needed.
DNS lookup
The checker queries Google's DNS-over-HTTPS API for TXT records on your domain and filters for the SPF record.
Mechanism parsing
Every mechanism (include, ip4, mx, a, all, etc.) is extracted, its qualifier identified, and cross-referenced against RFC 7208.
Assessment
The record is assessed for common misconfigurations: missing all mechanism, +all, excessive DNS lookups, and deprecated ptr mechanisms.
SPF mechanisms explained
An SPF record consists of mechanisms that define which senders are authorised. Each mechanism can have a qualifier: + (pass, the default), - (fail), ~ (softfail), or ? (neutral).
include:sendgrid.net
Delegates to another domain's SPF policy. Used to authorise third-party senders like SendGrid, Mailchimp, or Google Workspace.
ip4:203.0.113.0/24
Directly authorises an IPv4 address or CIDR range. Use this for your own mail servers with fixed IP addresses.
ip6:2001:db8::/32
Directly authorises an IPv6 address or prefix. Same as ip4 but for IPv6 addresses.
mx
Authorises all servers listed in your domain's MX records. Useful if your inbound and outbound mail servers are the same.
a
Authorises the IP address(es) in your domain's A or AAAA records. Useful for single-server setups.
-all
The catch-all mechanism. Always the last mechanism. -all rejects anything not matched; ~all softfails it; +all (dangerous) allows everything.
Example SPF record
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all
This record authorises Google Workspace, SendGrid, and a specific IP address, then rejects all other senders.
How to set up an SPF record
Setting up SPF for your domain requires publishing a single DNS TXT record. Here is how to do it step by step:
Identify all your sending sources
List every service that sends email using your domain: your mail server, email marketing platform (Mailchimp, Brevo, SendGrid), CRM, transactional email service, and any other third-party sender.
Find the SPF include value for each service
Most major email services publish their authorised IP ranges as an SPF include. Check your provider's documentation — for example, Google Workspace uses include:_spf.google.com.
Build your SPF record
Combine all your senders into a single TXT record. Start with v=spf1, add include: for each service and ip4:/ip6: for your own servers, then end with -all.
Publish the TXT record in your DNS
Add a TXT record at your domain root (@) with your SPF string. The TTL should be 3600 (1 hour) or lower to allow quick updates if needed.
Verify with this checker
After DNS propagation (up to 48 hours), enter your domain in the SPF checker above to confirm the record is published correctly and passes validation.
Common SPF mistakes
These are the most frequently encountered SPF configuration errors and how to avoid them:
Using +all
+all authorises every mail server on the internet to send on your behalf, making SPF completely ineffective. Always use -all or ~all.
Multiple SPF records
Publishing two or more TXT records starting with v=spf1 causes a PermError. Merge all your mechanisms into one record.
Exceeding 10 DNS lookups
Too many include, a, mx, or exists mechanisms cause a PermError. Flatten your SPF record or use macros to reduce lookup count.
Missing the -all or ~all
Without an all mechanism, your SPF policy has no defined behaviour for unauthorised senders. Always end with ~all or -all.
Using the ptr mechanism
The ptr mechanism is deprecated in RFC 7208 due to unreliability and performance issues. Replace it with ip4 or ip6 mechanisms.
Not including all sending services
If you send via CRM, marketing tools, or transactional email services without adding their include, your legitimate mail will fail SPF.
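The mechanism parsing and assessment steps described earlier, applied to the mistakes in this list, as an added Python example (not the checker's own code). The zone data, domain names and finding labels are constructed for illustration; the lookup count is a worst-case total that also follows include and redirect targets, which goes slightly beyond the single-record case in the text.

```python
import re

# Constructed TXT data standing in for DNS answers; every domain here is hypothetical.
ZONE = {
    "corp.example": ["v=spf1 include:_spf.mailer.example include:_spf.crm.example mx a ptr ~all"],
    "_spf.mailer.example": ["v=spf1 include:n1.example include:n2.example include:n3.example -all"],
    **{f"n{i}.example": ["v=spf1 ip4:198.51.100.0/24 -all"] for i in (1, 2, 3)},
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.crm.example -all"],
    "open.example": ["v=spf1 mx +all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.1 -all"],
    "bare.example": ["unrelated-verification=abc", "v=spf1 ip4:192.0.2.0/24"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each counts once toward 10
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def spf_records(domain, zone):  # TXT strings whose first token is exactly v=spf1
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def parse(record):  # (qualifier, name, value) per term; the qualifier defaults to '+'
    hits = (TERM.match(tok) for tok in record.split()[1:])
    return [(m.group(1) or "+", m.group(2).lower(), m.group(3)) for m in hits if m]

def count_lookups(domain, zone, chain=()):
    """Worst-case count of DNS-querying terms, following include/redirect targets."""
    recs = spf_records(domain, zone)
    if domain in chain or len(recs) != 1:  # include loop, or no single record to follow
        return 0
    total = 0
    for _, name, value in parse(recs[0]):
        if name in LOOKUP_TERMS:
            follow = name in ("include", "redirect") and value
            total += 1 + (count_lookups(value, zone, chain + (domain,)) if follow else 0)
    return total

def lint(domain, zone=ZONE):
    """Return findings for the misconfigurations this page lists."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return ["multiple-records"] if recs else ["no-record"]
    terms = parse(recs[0])
    names = [name for _, name, _ in terms]
    quals = [q for q, name, _ in terms if name == "all"]
    n = count_lookups(domain, zone)
    checks = [("plus-all", "+" in quals),
              ("missing-all", not quals and "redirect" not in names),  # redirect= defers the verdict
              ("ptr-deprecated", "ptr" in names),
              (f"too-many-lookups:{n}", n > 10)]
    return [label for label, hit in checks if hit]
```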
Frequently asked questions
What is an SPF record?
An SPF (Sender Policy Framework) record is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. It helps receiving mail servers verify that an incoming message from your domain was sent from a server you trust.
What does v=spf1 mean?
v=spf1 is the version tag that identifies the TXT record as an SPF record. All SPF records must begin with v=spf1. Anything that does not start with this string is not an SPF record and will be ignored by receiving mail servers.
What is the difference between ~all and -all?
~all (softfail) means that mail from unlisted servers should be accepted but marked as suspicious. -all (hardfail) means mail from unlisted servers should be rejected outright. For best protection, use -all once you are confident all your legitimate sending sources are listed.
What is the SPF DNS lookup limit?
RFC 7208 limits SPF evaluation to 10 DNS-querying mechanisms per record. Mechanisms that count toward this limit include include, a, mx, ptr, and exists. If your record causes more than 10 lookups, receiving servers will return a PermError and your SPF check will fail.
Can I have multiple SPF records?
No. You must have exactly one SPF TXT record per domain. If you publish more than one TXT record starting with v=spf1, receiving servers will return a PermError and ignore your SPF policy entirely. Combine all your authorised senders into a single record.
Does SPF prevent spoofing?
SPF authenticates the envelope sender (MAIL FROM), not the From: header visible to end users. On its own, SPF does not prevent display-name spoofing. For comprehensive protection, combine SPF with DKIM and a DMARC policy of p=quarantine or p=reject.