SPF Checker
What Is SPF and Why Does It Matter?
SPF (Sender Policy Framework) is an email authentication protocol that helps prevent email spoofing. It works by allowing domain owners to publish a DNS TXT record that lists all mail servers authorized to send email on behalf of their domain. When a receiving mail server gets a message, it checks the SPF record to verify that the sending server is permitted to send for that domain.
An SPF record starts with "v=spf1" and contains a series of mechanisms that define authorized senders. Common mechanisms include "ip4" and "ip6" (specific IP addresses or ranges), "include" (authorized servers from another domain's SPF record), "a" (the domain's own A record IP), and "mx" (the domain's mail server IPs). The record ends with an "all" mechanism that defines the policy for servers not explicitly authorized.
One of the most critical constraints of SPF is the 10 DNS lookup limit defined in RFC 7208. Each "include", "a", "mx", "ptr", and "exists" mechanism requires a DNS lookup during SPF evaluation. If an SPF record exceeds 10 lookups (including nested lookups from included records), the evaluation fails with a "permerror" result. This is a common issue for organizations using multiple email services, each requiring its own "include" statement.
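The lookup counting described above, as an added example (not this tool's own code). It statically walks a record and its nested includes against a constructed in-memory zone of invented domain names. It also counts the "redirect" modifier, which RFC 7208 section 4.6.4 includes in the limit alongside the mechanisms listed above.

```python
# Constructed TXT records standing in for DNS so the example runs offline.
# Every domain name below is invented for illustration.
SAMPLE_ZONE = {
    "example.test": "v=spf1 mx a include:_spf.mailer.test include:_spf.crm.test ip4:203.0.113.0/24 ~all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test ip4:198.51.100.0/24 -all",
    "_a.mailer.test": "v=spf1 ip4:192.0.2.0/25 -all",
    "_b.mailer.test": "v=spf1 a mx exists:%{i}.bl.mailer.test -all",
    "_spf.crm.test": "v=spf1 a mx ptr include:_spf.mailer.test -all",
    "small.test": "v=spf1 ip4:203.0.113.5 include:_a.mailer.test -all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10  # RFC 7208 lookup limit


def parse_term(term):
    """Split one SPF term into (qualifier, name, argument)."""
    qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
    if body.lower().startswith("redirect="):
        return qualifier, "redirect", body[len("redirect="):]
    name, _, arg = body.partition(":")
    return qualifier, name.split("/")[0].lower(), arg  # "a/24" -> "a"


def count_lookups(domain, zone, path=()):
    """Worst-case DNS lookups to evaluate domain's record, nested records included."""
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"no valid SPF record for {domain}")
    total = 0
    for term in terms[1:]:
        _, name, arg = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1  # the term itself costs one lookup
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (domain,))  # plus the target's own terms
    return total


def check(domain, zone):
    """Return (lookup_count, verdict); the verdict is 'permerror' above the limit."""
    n = count_lookups(domain, zone)
    return n, "permerror" if n > LIMIT else "ok"


if __name__ == "__main__":
    for d in ("example.test", "small.test"):
        print(d, check(d, SAMPLE_ZONE))
```

The top-level record for example.test shows only four lookup terms, yet the nested includes bring the worst-case total well past the limit, which is why the count has to follow every include.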
Our SPF checker tool retrieves the SPF record for any domain, validates its syntax, parses each mechanism, counts the total DNS lookups, and identifies potential issues. It helps email administrators ensure their SPF configuration is correct and within the lookup limit, which is essential for reliable email delivery.
SPF works best when combined with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Together, these three protocols form a comprehensive email authentication framework that protects against spoofing, phishing, and unauthorized email use. Use our DKIM Checker and DMARC Checker to verify the complete authentication chain.
Frequently Asked Questions
What is an SPF record?
An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of a domain. Receiving servers check this record to verify whether a sending server is permitted, helping prevent email spoofing.
What is the SPF 10 DNS lookup limit?
RFC 7208 limits SPF evaluation to 10 DNS lookups. Each include, a, mx, ptr, and exists mechanism counts as one lookup. Exceeding this limit causes a permerror, which means the SPF check fails. Use ip4 and ip6 mechanisms where possible to reduce lookup count.
What does ~all vs -all mean in SPF?
The all mechanism defines the default policy. -all (hard fail) tells receiving servers to reject mail from unauthorized servers outright. ~all (soft fail) marks such mail as suspicious but does not necessarily reject it. Most experts recommend ~all or -all for proper protection.
How do I fix an invalid SPF record?
Common issues include multiple SPF records (only one allowed), exceeding the 10 DNS lookup limit, syntax errors, and missing the v=spf1 prefix. Use this checker to identify the specific issue, then update your DNS TXT record.