Free — No Signup Required

SPF Record Checker

Validate your SPF record, check your DNS lookup count, and see the full sender tree — instantly.

What we check

Everything your SPF record needs to do

A valid SPF record is more than just being present. These are the things that matter.

Record present

A TXT record at your root domain starting with v=spf1. Without this, receiving servers have nothing to check.

DNS lookup count

The spec hard-limits you to 10 DNS lookups. Exceeding this causes a PermError — legitimate email can start failing silently.

All mechanism

The trailing ~all or -all tells servers what to do with email from unlisted sources. ~all is lenient; -all enforces strict rejection.

Authorised senders

Every mail server, ESP, and SaaS tool that sends email on your behalf must be included. Missing one means their emails may fail SPF.

SPF Questions

The things people ask us most about SPF records.

What is an SPF record?

SPF (Sender Policy Framework) is a DNS TXT record that lists every mail server authorised to send email on behalf of your domain. Receiving servers check this list — if an email comes from a server not on it, it's likely fraudulent.

What does the DNS lookup count mean?

SPF records can reference other domains using "include:" mechanisms, each requiring a separate DNS lookup. The SPF spec limits you to 10 lookups. Exceeding this causes a PermError, which can break email delivery even for legitimate senders.

What is the difference between ~all and -all?

~all is a soft fail — emails from unlisted servers are marked suspicious but delivered. -all is a hard fail — those emails are rejected. For strong protection, use -all once you're certain all your sending sources are listed.

Why does my SPF record show too many lookups?

Every "include:", "a:", "mx:", and "exists:" mechanism counts as a lookup, and so does every such mechanism inside the records you include. If you use many email services (Google, SendGrid, HubSpot, etc.) it's easy to exceed 10. You'll need to flatten your SPF record or use a macro-based approach.
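To see how nested includes add up, here is an added example (not this checker's own code) that counts DNS-querying terms across a record and everything it includes. It goes slightly beyond the list above by also counting "ptr" and the "redirect=" modifier, which RFC 7208 section 4.6.4 puts under the same limit of 10. The zone contents and the `.test` domain names are constructed sample data standing in for live DNS.

```python
import re

# Terms that trigger a DNS query during evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed sample zone (domain -> SPF TXT record); not real DNS data.
SAMPLE_ZONE = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailhost.test "
                    "include:esp.test include:crm.test ~all",
    "_spf.mailhost.test": "v=spf1 include:_netblocks.mailhost.test "
                          "include:_netblocks2.mailhost.test ~all",
    "_netblocks.mailhost.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.mailhost.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "esp.test": "v=spf1 a:out.esp.test mx exists:%{i}.allow.esp.test "
                "include:shared.esp.test -all",
    "shared.esp.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "crm.test": "v=spf1 include:esp.test redirect=_spf.crm.test",
    "_spf.crm.test": "v=spf1 ip4:192.0.2.128/25 -all",
}

# Optional qualifier, term name, then an optional ":" or "=" target (CIDR suffix dropped).
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's SPF record."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # no SPF record here; the referring term was already counted
    total = 0
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue  # ip4, ip6, all, exp= and unknown terms cost no lookup
        total += 1
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            # The included record's own terms count against the same budget.
            total += count_lookups(m.group(2).lower(), zone, path + (domain,))
    return total

def check(domain, zone=SAMPLE_ZONE):
    """Return (lookup_count, verdict) for the domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, ("PermError" if n > LIMIT else "ok")
```

The top-level record for `example.test` shows only five lookup terms, but the nested includes bring the total to 17. A receiver stops at the first matching mechanism, so this static count is an upper bound on what any single evaluation performs.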

Does SPF alone protect me from spoofing?

No. SPF only checks the envelope sender (the Return-Path), not the From header that users see. DMARC ties SPF and DKIM together and checks alignment with the visible From address. You need all three for full protection.

SPF is just one layer

SPF alone doesn't stop spoofing. You need DMARC to enforce policy and DKIM to sign your emails. Check all three with our free tools.