SPF Check

Validate SPF records and count DNS lookups against the 10-lookup limit

Enter a domain to check its SPF record
Checking SPF record...

Sender Policy Framework (SPF) is a DNS-based email authentication mechanism defined in RFC 7208. It allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. A misconfigured SPF record can silently tank your deliverability across Gmail, Outlook, and Yahoo Mail. Use our SPF Check tool to validate your configuration in seconds.

What the SPF Checker Does

The InboxTooling SPF Check tool performs a complete validation of your domain's SPF record. It queries DNS for the TXT record, parses the SPF syntax, resolves all include, a, mx, and ip4/ip6 mechanisms, and evaluates the record against known best practices. The tool flags common errors such as exceeding the 10 DNS lookup limit, using deprecated ptr mechanisms, or missing a terminal all qualifier.

How to Use It

Enter your domain name into the SPF Check tool and submit. The checker will retrieve your SPF record from DNS and return a detailed breakdown.

Understanding the Results

  • Record Found: Confirms that a valid SPF TXT record exists at your domain's root.
  • Syntax Validation: Identifies malformed mechanisms, invalid CIDR ranges, or duplicate entries.
  • DNS Lookup Count: SPF evaluation must not exceed 10 DNS lookups (RFC 7208, Section 4.6.4). Exceeding this limit causes a permerror, and receiving servers may reject or quarantine your mail.
  • Mechanism Breakdown: Lists each mechanism (include, a, mx, ip4, ip6) with its resolved values.
  • Qualifier Analysis: Shows whether your record ends with -all (hard fail), ~all (soft fail), or ?all (neutral), and advises on which is appropriate for your setup.

Why SPF Validation Matters

Deliverability Impact

Gmail, Yahoo, and Microsoft all evaluate SPF as part of their inbound filtering. Since February 2024, Gmail and Yahoo require valid SPF or DKIM authentication for all bulk senders. A broken SPF record means your messages may land in spam or be rejected outright.

The 10-Lookup Limit

This is the most common SPF failure we see. Every include, a, mx, and redirect mechanism triggers a DNS lookup. Organizations using multiple third-party senders (marketing platforms, CRMs, support desks) quickly exceed the limit. Our checker counts lookups recursively so you can identify the problem before mailbox providers do.

SPF and DMARC Alignment

SPF alone is not enough. For DMARC to pass on the SPF side, the RFC5321.MailFrom domain must align with the RFC5322.From domain. Our Full Report evaluates this alignment alongside DKIM to give you a complete authentication picture.

Common SPF Mistakes

  • Multiple SPF records: Only one SPF record per domain is permitted. Two records cause a permerror.
  • Using +all: This authorizes the entire internet to send as your domain. Never do this.
  • Forgetting third-party senders: If you use a service like Mailchimp or SendGrid, their include must be in your record.
  • Nested includes exceeding the lookup limit: Each include can itself contain more include directives, compounding your lookup count.

FAQ

What is an SPF record?

An SPF (Sender Policy Framework) record is a DNS TXT record published at your domain's root that lists the mail servers authorized to send email on behalf of your domain. Receiving servers check this record to verify that incoming mail comes from an approved source. SPF is defined in RFC 7208.

How do I check my SPF record?

Enter your domain name in the SPF Check tool above and click "Check." The tool queries DNS for your SPF TXT record, parses the syntax, resolves all mechanisms (include, a, mx, ip4, ip6), counts DNS lookups, and reports any errors or warnings.

What is the SPF 10 DNS lookup limit?

RFC 7208 Section 4.6.4 limits SPF evaluation to 10 DNS-querying mechanisms per record. Each include, a, mx, redirect, and exists mechanism counts as one lookup. Exceeding 10 causes a permerror, meaning receiving servers may reject or quarantine your email.

What does SPF ~all vs -all mean?

The all mechanism at the end of your SPF record defines the default action for servers not listed. -all (hard fail) tells receivers to reject unauthorized mail. ~all (soft fail) marks it as suspicious but typically still delivers. For domains with DMARC enforcement, -all is recommended.

Can I have multiple SPF records on one domain?

No. RFC 7208 requires exactly one SPF record per domain. If DNS returns two or more SPF TXT records, the result is a permerror and SPF evaluation fails entirely. Merge all your authorized senders into a single record.

Does SPF alone prevent email spoofing?

No. SPF validates the envelope sender (RFC5321.MailFrom), not the visible "From" header that recipients see. An attacker can pass SPF with their own domain while spoofing yours in the "From" header. You need DMARC to enforce alignment between the authenticated domain and the visible sender.

Next Steps

After validating your SPF record, verify your DKIM configuration and check your DMARC policy. For a comprehensive view of all three protocols, run a Full Report on your domain.

Frequently Asked Questions

What is an SPF record?

An SPF (Sender Policy Framework) record is a DNS TXT record published at your domain's root that lists the mail servers authorized to send email on behalf of your domain. Receiving servers check this record to verify that incoming mail comes from an approved source. SPF is defined in RFC 7208.

How do I check my SPF record?

Enter your domain name in the SPF Check tool above and click "Check." The tool queries DNS for your SPF TXT record, parses the syntax, resolves all mechanisms (include, a, mx, ip4, ip6), counts DNS lookups, and reports any errors or warnings.

What is the SPF 10 DNS lookup limit?

RFC 7208 Section 4.6.4 limits SPF evaluation to 10 DNS-querying mechanisms per record. Each include, a, mx, redirect, and exists mechanism counts as one lookup. Exceeding 10 causes a permerror, meaning receiving servers may reject or quarantine your email.

What does SPF `~all` vs `-all` mean?

The all mechanism at the end of your SPF record defines the default action for servers not listed. -all (hard fail) tells receivers to reject unauthorized mail. ~all (soft fail) marks it as suspicious but typically still delivers. For domains with DMARC enforcement, -all is recommended.

Can I have multiple SPF records on one domain?

No. RFC 7208 requires exactly one SPF record per domain. If DNS returns two or more SPF TXT records, the result is a permerror and SPF evaluation fails entirely. Merge all your authorized senders into a single record.

Does SPF alone prevent email spoofing?

No. SPF validates the envelope sender (RFC5321.MailFrom), not the visible "From" header that recipients see. An attacker can pass SPF with their own domain while spoofing yours in the "From" header. You need DMARC to enforce alignment between the authenticated domain and the visible sender.