Limited time: 50% OFF on your first payment.

Check Your SPF Record

Verify your SPF (Sender Policy Framework) DNS record for free. Ensure your domain is authorized to send emails.

Enter Your Domain

You have 5 more free checks today.

What is SPF?

SPF (Sender Policy Framework) is an email authentication protocol defined in RFC 7208. It works by publishing a DNS TXT record under your domain listing every IP address or hostname allowed to send mail "from" that domain. When a receiving mail server gets a message claiming to be from you, it queries your DNS to verify whether the sending server's IP is on your approved list.

Without SPF, anyone can forge the return-path (envelope From) of an email and make it appear to come from your domain — a technique commonly used in phishing and spam campaigns.

Why do you need SPF?

1Prevents spoofing

Stops bad actors forging your domain as the sending address

2Improves deliverability

Receiving servers trust authorized senders and reduce spam scores

3Required for DMARC

SPF is one of two mechanisms DMARC relies on for alignment

4Reputation protection

Unauthorized senders can't damage your domain's sending reputation

How SPF works — step by step

1

You publish a TXT record at `_your-domain.com` listing authorized IPs and includes.

2

Your mail server sends an email; the envelope "From" address carries your domain.

3

The receiving server extracts the sending IP and the envelope From domain.

4

It queries your DNS for the SPF record and checks if the sending IP is listed.

5

Result is `pass`, `fail`, `softfail`, `neutral`, or `permerror` — used in spam filtering decisions.

SPF record syntax

DNS TXT record example
v=spf1 ip4:203.0.113.10 include:_spf.google.com include:sendgrid.net -all

Mechanism breakdown

v=spf1— version, always first
ip4:— authorize an IPv4 address/range
ip6:— authorize an IPv6 address/range
include:— inherit another domain's SPF
a— authorize the domain's A record IP
mx— authorize the domain's MX servers
redirect=— delegate to another domain's full SPF

Qualifiers (prefix each mechanism)

+ (default)Pass — authorized
-Fail — reject unauthorized senders
~SoftFail — mark as suspicious, don't reject
?Neutral — no assertion

Common SPF failures and fixes

Too many DNS lookups

Flatten your SPF record by replacing includes with raw IPs, or use an SPF flattening service

Missing a sending service

Add the service's include: tag (e.g. Mailchimp, Zendesk) to your SPF record

Multiple SPF records

Only ONE TXT record with v=spf1 is allowed — merge them into a single record

Forwarded emails

SPF breaks on forwarding because the forwarding server's IP isn't in your list — DKIM solves this

FAQs

Frequently Asked Questions

An SPF (Sender Policy Framework) record is a TXT entry in your DNS that lists all IP addresses and domains authorized to send email on your behalf. By defining your authorized senders, you prevent spammers from using your domain for phishing, which protects your domain's reputation and ensures your legitimate emails reach the inbox.

SPF records have a strict limit of 10 DNS lookups to prevent 'denial of service' attacks on DNS servers. Every 'include', 'a', 'mx', 'ptr', and 'exists' mechanism counts toward this limit. If you exceed 10, your SPF record will fail (PermError). You can avoid this by 'flattening' your record, using IP addresses instead of hostnames, or removing outdated services.

The '~all' mechanism (SoftFail) suggests that if an email fails SPF, it should be accepted but marked as suspicious or moved to spam. The '-all' mechanism (Fail) is a stricter instruction telling servers to reject the email entirely if it doesn't originate from an authorized source. Most experts recommend starting with '~all' and moving to '-all' once your setup is verified.

A 'PermError' (Permanent Error) usually occurs when your SPF record is syntactically incorrect or exceeds the 10-lookup limit. Common syntax errors include having multiple SPF records, using invalid mechanisms, or having typos in IP ranges. Our SPF checker identifies these specific errors so you can fix them immediately.

No, a domain must have exactly one SPF record starting with 'v=spf1'. Having multiple SPF records will cause an automatic failure (PermError) at most receiving servers. If you need to authorize multiple services, you must merge them into a single string of mechanisms within one record.

SPF allows a maximum of 10 DNS lookups, and include mechanisms for providers like Google or SendGrid each add to that count. Reduce them by replacing some includes with direct ip4 or ip6 entries, removing unused senders, or using SPF flattening to consolidate lookups into fewer entries.