Validate your Sender Policy Framework record instantly. Detect syntax errors, DNS lookup overflows, and insecure policies that enable email spoofing.
Sender Policy Framework (SPF) is one of the three pillars of email authentication, alongside DKIM and DMARC. Published as a DNS TXT record, SPF tells the world exactly which mail servers are allowed to send email using your domain name. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to verify the sending server is on the approved list.
Without a properly configured SPF record, attackers can send emails that appear to come from your domain, a technique known as email spoofing. These spoofed emails are commonly used in phishing attacks, business email compromise (BEC) fraud, and spam campaigns. According to the FBI's Internet Crime Report, BEC attacks accounted for over $2.7 billion in losses in a single year, making email authentication not just a technical best practice but a business imperative.
An SPF record is a single line of text in your DNS zone that starts with v=spf1 and ends with an all mechanism. Between those markers, you list the IP addresses and domains that are permitted to send on your behalf. For example, if you use Google Workspace and Mailchimp, your SPF record would include their respective include: directives.
Common SPF pitfalls include exceeding the 10 DNS lookup limit (which causes your entire record to fail), using a permissive +all or ?all mechanism, publishing multiple SPF records on the same domain, and including overly broad IP ranges. Our SPF checker detects all of these issues and provides clear guidance on how to fix them.
SPF alone doesn't guarantee full email security. It needs to work in tandem with DKIM for message integrity and DMARC for policy enforcement. For a complete picture of your domain's email security, run a full domain security scan.
Type your domain name in the search box above. No need to add "www" or "https", just the bare domain like example.com.
We query your domain's DNS TXT records to find the SPF record, then parse every mechanism, qualifier, and modifier.
Each element is checked against RFC 7208: lookup count, syntax, included domains, IP ranges, and the final "all" qualifier.
You receive a grade from A+ to F along with specific, actionable steps to fix any problems we found.
An SPF (Sender Policy Framework) record is a DNS TXT record that lists the mail servers authorised to send email on behalf of your domain. Without an SPF record, any server on the internet can claim to send email as your domain, making it trivial for attackers to spoof your address in phishing campaigns. Publishing a valid SPF record tells receiving mail servers which IP addresses and hostnames are legitimate senders for your domain.
The SPF specification (RFC 7208) limits you to 10 DNS lookup mechanisms per record. Each "include:", "a:", "mx:", "redirect=", and "exists:" counts as a lookup. To fix this, flatten your SPF record by replacing include mechanisms with their resolved IP addresses using ip4: and ip6: mechanisms, remove unused include statements, or consolidate mail services. Our SPF checker highlights exactly which mechanisms contribute to your lookup count.
Don't stop at SPF. Scan your domain for DKIM, DMARC, SSL, DNSSEC, and security headers too. One scan, complete visibility.
The "all" mechanism at the end of your SPF record defines the default policy for servers not explicitly listed. "-all" (hard fail) rejects unauthorised senders outright, "~all" (soft fail) marks them as suspicious but still delivers, and "?all" (neutral) takes no action. For maximum protection, use "-all" to tell receiving servers to reject emails from unlisted sources.
No. The SPF standard requires exactly one SPF TXT record per domain. Having multiple SPF records causes a "PermError" result, meaning receiving servers may treat all your email as unauthenticated. If you need to authorise multiple services, combine them into a single SPF record using include: mechanisms.
Our SPF checker evaluates your record against best practices and the RFC 7208 specification. An A+ grade means a valid, strict record with "-all" and well within the 10-lookup limit. Lower grades indicate issues like soft fail policies, approaching the lookup limit, overly broad mechanisms (e.g., +all), syntax errors, or a missing SPF record entirely.