SPF Record Checker

Enter any domain to look up its SPF record. We parse every mechanism and flag issues like too many DNS lookups or permissive qualifiers.

How SPF Works

When a receiving mail server gets an email claiming to be from your domain, it looks up your SPF record to see if the sending server is authorized. The record lists approved senders through mechanisms like IP addresses, included domains, and your own mail servers.

If the sending server matches one of the mechanisms, the email passes SPF. If it does not match, the qualifier at the end of the record determines what happens: -all means reject (hard fail), ~all means accept but flag (soft fail), and ?all means neutral (no policy).

SPF is one of three email authentication protocols — alongside DMARC and DKIM — that work together to protect your domain from spoofing.

Need to create or update your SPF record?

Our SPF Record Builder walks you through the process step by step.

Build SPF Record

Frequently Asked Questions

What is an SPF record?

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. Receiving servers check this record to verify that incoming mail comes from an approved source, helping prevent spoofing and phishing.

How do I read an SPF record?

An SPF record starts with "v=spf1" and contains mechanisms like "include:" (authorize another domain's servers), "ip4:" (authorize a specific IP), "a" (authorize the domain's A record IP), and "mx" (authorize the domain's mail servers). It ends with a qualifier like "-all" (hard fail unauthorized) or "~all" (soft fail).

What does "too many DNS lookups" mean?

SPF has a limit of 10 DNS lookups per evaluation. Each "include:", "a", "mx", and "redirect" mechanism counts as one lookup. If your record exceeds 10, receiving servers may return a permanent error (permerror) and reject your email. Flatten includes or use subdomains to stay under the limit.

What is the difference between ~all and -all?

"~all" is a soft fail — unauthorized senders are flagged but mail is usually still delivered (possibly to spam). "-all" is a hard fail — unauthorized mail is more likely to be rejected outright. We recommend "-all" for domains with established authentication, and "~all" during initial setup to avoid blocking legitimate mail while you get includes right.

Do I need an SPF record?

Yes. Without SPF, anyone can send email pretending to be your domain, and receiving servers have no way to verify legitimacy. Gmail and Yahoo now require SPF for bulk senders (5,000+ messages/day), and most corporate email gateways use SPF as a first-pass filter. Use our SPF Record Builder to create one.