Skip to main content
DNSnexus
Free Developer Tools
DNS
Email
Network
Webmaster
Security
IP
Guides
Live Tools
60+
Categories
6
Result URLs
Shareable
Availability
24/7
DNSnexus
Free Developer Tools
Free DNS, email, network, and security diagnostics with crawlable tool pages and shareable result URLs.
Run DNS CheckBrowse All Tools
Popular Tools
DNS Propagation CheckerDNS LookupWHOIS LookupSPF Record CheckerDMARC CheckerSSL Certificate CheckerPort Scanner
Quick Path
Fix Email Deliverability
Quick Path
Troubleshoot DNS Changes
Quick Path
Validate SSL & Open Ports
DNS Tools
A Record LookupAAAA Record LookupCERT LookupCNAME LookupDNS CheckDNS LookupDNS Propagation CheckerDNSKEY LookupDS LookupIPSECKEY LookupLOC LookupNS LookupNSEC LookupNSEC3PARAM LookupReverse DNS LookupRRSIG LookupSOA LookupSRV LookupTXT LookupWHOIS Lookup
Email Tools
BIMI LookupBlacklist CheckDKIM CheckerDMARC CheckerDMARC Report AnalyzerEmail Deliverability ReportEmail Header AnalyzerEmail Health ReportGoogle/Yahoo Compliance CheckerMicrosoft Compliance CheckerMTA-STS LookupMX Record LookupSMTP TestSPF Record Checker
Network Tools
HTTP LookupHTTPS LookupMAC Address GeneratorMAC Address LookupOnline TraceroutePingSubnet Calculator
Webmaster Tools
HTTP Headers CheckSearch Presence CheckWebsite Link AnalyzerWebsite Operating System CheckWebsite Redirect CheckerWhat is My User Agent?
Security Tools
DKIM Record GeneratorDMARC GeneratorDomain DNS Security CheckEmail Security CheckerPort ScannerSPF GeneratorSSL Certificate CheckerWebsite Vulnerability Scanner
IP Tools
ARIN LookupASN LookupIP Blacklist CheckIP Geolocation LookupWhat Is My IP
Company
All Tools DirectoryGuides & PlaybooksAbout DNSnexusContactAPI DocsPrivacy PolicyTerms & ConditionsCookie Policy
© 2026 DNSnexus — DNS, Email, Network & Security Tool Platform
All ToolsAboutContactPrivacyTerms
Home ›Email Tools ›SPF Record Checker
Email Tool

SPF Record Checker

Validate your Sender Policy Framework (SPF) record. Check for syntax errors, multiple records, and the 10 DNS lookup limit to ensure your emails reach the inbox.

Published as
TXT record
Starts with v=spf1.
Limit
10 DNS lookups
Includes can hit this fast.
Waiting for input
Enter a domain, then press Check
How to Use

Use SPF Record Checker in 4 Steps

01
Enter domain
Type the domain name you send email from.
02
Check SPF
Click check to query the domain's TXT records.
03
Parse results
We automatically find and parse the v=spf1 record.
04
Fix issues
Identify syntax errors, too many lookups, or missing includes.

What is an SPF Record?

SPF (Sender Policy Framework) is a DNS-based email authentication standard defined in RFC 7208. It lets domain owners publish a list of IP addresses and services that are authorised to send email on behalf of their domain. When a receiving mail server gets an email from your domain, it looks up your SPF record in DNS and checks whether the sending IP is on the approved list.

A valid SPF record is published as a DNS TXT record at the root of your domain (e.g., example.com) and starts with v=spf1. Without SPF, anyone can forge your domain in the From header — a technique used in phishing attacks.

SPF Record Syntax Reference

ComponentExampleWhat it does
v=spf1v=spf1Required. Declares this is an SPF record. Must be first.
ip4:ip4:203.0.113.0/24Authorises a specific IPv4 address or CIDR range.
ip6:ip6:2001:db8::/32Authorises a specific IPv6 address or CIDR range.
include:include:_spf.google.comImports another domain's SPF record. Counts as 1 lookup.
aa:mail.example.comAuthorises the A/AAAA record(s) of the specified domain.
mxmxAuthorises the IP addresses in your domain's MX records.
redirect=redirect=_spf.example.comDelegates SPF entirely to another domain's record.
exists:exists:%{i}._spf.example.comPasses if a matching A record is found (advanced).
~all~allSoftfail. Non-matching senders are marked suspicious.
-all-allFail. Non-matching senders are rejected. Recommended.
+all+all⚠ Pass all. Authorises any sender — never use this.
?all?allNeutral. No policy — offers no protection.

SPF Qualifiers Explained

Each mechanism can be prefixed with a qualifier that controls what happens when it matches:

QualifierResultMeaning
+ (default)PassSender is authorised.
-FailSender is not authorised. Reject the mail.
~SoftfailSender is probably not authorised. Accept but mark.
?NeutralNo assertion. Do not use in production.

The most important qualifier is the all mechanism at the end of your record. Use -all for strict enforcement once all your sending services are included.

The 10 DNS Lookup Limit

RFC 7208 limits SPF evaluation to 10 DNS lookups. Every include:, a, mx, ptr, exists, and redirect= mechanism consumes one lookup. Exceeding 10 causes a PermError — which most receivers treat as a hard failure, breaking email delivery.

Mechanisms that count toward the limit:

MechanismLookup count
include:domain1 per include
a:domain1 per a
mx:domain1 per mx
ptr:domain1 per ptr (deprecated, avoid)
exists:domain1 per exists
redirect=domain1 for redirect + nested lookups
ip4: / ip6:0 — no lookup needed

Mechanisms that do NOT count: ip4:, ip6:, v=spf1, all, +, -, ~, ?

How to fix lookup limit exceeded:

  1. Audit all include: chains to see their nested lookups.
  2. Replace include:provider.com with ip4: ranges where the provider publishes stable IPs.
  3. Use SPF flattening — a service that resolves all includes to flat IP ranges and republishes as a single record.
  4. Consider moving some sending services to a subdomain (e.g., mail.example.com) with its own SPF.

Common SPF Errors and Fixes

ErrorCauseFix
PermError: too many DNS lookupsMore than 10 mechanisms that trigger lookupsFlatten SPF or remove unused includes
Multiple SPF records foundTwo TXT records starting with v=spf1Merge into one record — only one is allowed
No SPF record foundMissing TXT recordAdd v=spf1 [mechanisms] -all to your DNS
+all in SPF recordRecord authorises every senderReplace with -all immediately — this is a critical misconfiguration
Softfail only (~all)Weak enforcementUpgrade to -all once all senders are verified
ptr mechanism usedDeprecated mechanism that triggers reverse DNSRemove ptr — use ip4: or include: instead
Void lookup limit exceededMore than 2 lookups returning no resultsRemove mechanisms that resolve to empty results

Example SPF Records

Google Workspace only:

v=spf1 include:_spf.google.com -all

Google Workspace + Mailchimp + custom IP:

v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:203.0.113.42 -all

Multiple sending services (watch the lookup count):

v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.salesforce.com ip4:198.51.100.0/24 -all

Check this record's lookup count: Google (_spf.google.com) + SendGrid (sendgrid.net) + Salesforce (_spf.salesforce.com) = 3 includes at minimum, each resolving to further nested includes. Use this tool to verify you stay under 10.

How to Check SPF from the Command Line

Verify your SPF record without a browser:

# Query SPF TXT record
dig +short TXT example.com | grep v=spf1

# Same on Windows PowerShell
Resolve-DnsName -Name example.com -Type TXT | Where-Object { $_.Strings -match "v=spf1" }

# Check a specific DNS resolver (Cloudflare)
dig +short TXT example.com @1.1.1.1

# Simulate SPF check with swaks (SMTP Swiss Army Knife)
swaks --to user@example.com --from sender@yourdomain.com --server mail.example.com

SPF Alignment with DMARC

SPF alone is not sufficient for strong email security. DMARC builds on SPF (and DKIM) and requires alignment — the domain in the Return-Path header must match the From domain (for strict alignment) or be a subdomain of it (relaxed alignment).

  • SPF pass + alignment = DMARC pass from SPF
  • SPF fail → DMARC cannot pass from SPF (DKIM must pass instead)
  • A domain with SPF -all but no DMARC record still has no reporting or policy enforcement

Use the DMARC Checker to verify your DMARC policy and alignment settings alongside SPF.

Related Tools

Frequently Asked Questions

What is an SPF record and why do I need one?
An SPF (Sender Policy Framework) record is a DNS TXT record that lists which mail servers and services are authorised to send email from your domain. Without it, anyone can forge your domain in the From address — a core technique in phishing attacks. SPF is also required for DMARC to function.
Do I need SPF if I use a third-party email provider?
Yes. Your SPF record must include every service that sends mail on behalf of your domain — Google Workspace, Microsoft 365, SendGrid, Mailchimp, Salesforce, etc. Each provider documents which include: entry or IP ranges to add to your record.
Can I publish more than one SPF record?
No. A domain must have exactly one TXT record starting with v=spf1. If you publish two, SPF evaluation returns PermError and all mail from your domain will fail SPF checks. Merge all your mechanisms into a single record.
What is the SPF 10-lookup limit?
SPF evaluation is limited to 10 DNS lookups per RFC 7208. Mechanisms that trigger lookups include include:, a, mx, ptr, exists, and redirect=. Exceeding 10 causes a PermError, which most receivers treat as a hard fail. Use ip4:/ip6: mechanisms where possible as they consume zero lookups.
What's the difference between ~all and -all?
~all (softfail) accepts mail from unlisted senders but marks it as suspicious — often used during SPF rollout to monitor without blocking. -all (fail) rejects or flags mail from any sender not listed in the record and is the recommended setting for production domains once all senders are confirmed.
Why does my SPF record show +all?
+all means any server on the internet is authorised to send mail as your domain — it completely negates SPF protection. This is a critical misconfiguration. Replace it with -all immediately and list your actual sending IPs/services.
How do I fix "SPF PermError: too many DNS lookups"?
Audit each include: to count its nested lookups. Replace include: entries with explicit ip4: or ip6: ranges where the provider publishes stable IPs. For providers with dynamic ranges, use SPF flattening — a service that resolves all nested lookups into flat IP ranges and keeps them updated automatically.
Does SPF alone protect against email spoofing?
No. SPF only validates the Return-Path (envelope sender), not the visible From header. A DMARC policy ties SPF (and DKIM) alignment to the From domain and adds reporting. Without DMARC, passing SPF does not prevent display-name spoofing in email clients.

Related Tools

DMARC Checker
Validate DMARC policy and alignment.
DKIM Checker
Verify selector-based DKIM public keys.
MX Record Lookup
Confirm inbound email routing and priorities.
SMTP Test
Diagnose SMTP ports and email sending signals.
SPF Limits
Max DNS Lookups10
Max Void Lookups2
Max String Length255 chars
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.