Free SPF Record Checker
Enter any domain to look up and validate its SPF record. Check for syntax errors, DNS lookup limits, and common configuration issues that could affect email deliverability.
What is an SPF Record?
SPF (Sender Policy Framework) is an email authentication protocol that helps prevent email spoofing. An SPF record is a DNS TXT record published on your domain that lists all the mail servers authorized to send email on your domain's behalf.
When a receiving mail server gets an email claiming to be from your domain, it checks your SPF record to verify that the sending server is authorized. If the server isn't listed, the email can be rejected or marked as spam, protecting your domain's reputation and your recipients from phishing attacks.
How SPF Records Work
An SPF record is a single line of text added as a TXT record in your domain's DNS configuration. It always starts with v=spf1 and contains a series of mechanisms that define which servers can send email:
- include: Authorizes another domain's SPF record (e.g., include:_spf.google.com for Google Workspace).
- ip4: / ip6: Authorizes specific IP addresses or CIDR ranges.
- a: Authorizes the IP address(es) from a domain's A record.
- mx: Authorizes the IP addresses of the domain's MX (mail exchange) servers.
- all: A catch-all mechanism, typically at the end. -all rejects unauthorized senders; ~all marks them as suspicious.
Each term that requires a DNS query (the include, a, mx, ptr, and exists mechanisms, plus the redirect modifier) counts toward the 10 DNS lookup limit. Going over this limit causes SPF to fail with a permanent error.
Common SPF Record Issues
Even small mistakes in SPF configuration can cause legitimate email to be rejected. Here are the most common problems:
- Too many DNS lookups: Each include, a, mx, ptr, exists, and redirect counts as a DNS lookup. Exceeding 10 lookups causes a permanent failure. This is the most common issue for organizations using multiple email services.
- Multiple SPF records: A domain must have exactly one SPF TXT record. Having two or more causes a permanent error, even if both records are valid individually.
- Using +all: The +all mechanism allows any server to send email for your domain, completely defeating SPF protection. Always use -all or ~all instead.
- Missing all mechanism: Without a trailing -all or ~all, there is no default policy for unlisted senders, which weakens protection.
- Using deprecated ptr: The ptr mechanism is deprecated in RFC 7208 because it is slow and unreliable. Use a or ip4 instead.
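The checks listed above, as an added example that is not part of the original page or the checker tool's own code: a small offline linter that counts DNS-querying terms through nested include/redirect targets and flags the other four issues. The ZONE dictionary, its .test domains, and the function names are constructed for illustration; the count is a worst case, since a real evaluator stops at the first matching mechanism.

```python
import re

# Constructed zone data standing in for DNS TXT answers (not real records).
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test include:_spf.crm.test a mx ptr +all"],
    "_spf.mail.test": ["v=spf1 include:a.mail.test include:b.mail.test a mx ~all"],
    "a.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "b.mail.test": ["v=spf1 ip4:198.51.100.0/24 a ~all"],
    "_spf.crm.test": ["v=spf1 ip6:2001:db8::/32 exists:%{i}.rbl.test -all"],
    "dup.test": ["v=spf1 -all", "v=spf1 ip4:203.0.113.7 -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records (first token is v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def parse_term(term):
    """Split one term into (qualifier, name, argument); qualifier defaults to '+'."""
    q, name, arg = re.match(r"([+\-~?]?)([a-z0-9]+)[:=]?(.*)", term.lower()).groups()
    return q or "+", name, arg

def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms, following include/redirect targets."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:  # loop guard / nothing to evaluate
        return 0
    total = 0
    for _, name, arg in map(parse_term, records[0].split()[1:]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg, zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Return the issues from the list above that apply to `domain`."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return ["no SPF record" if not records else "multiple SPF records"]
    terms = [parse_term(t) for t in records[0].split()[1:]]
    names = {name for _, name, _ in terms}
    n = count_lookups(domain, zone)
    checks = [
        (n > 10, f"too many DNS lookups ({n})"),
        (("+", "all", "") in terms, "+all authorizes any sender"),
        (not names & {"all", "redirect"}, "missing all mechanism"),
        ("ptr" in names, "deprecated ptr mechanism"),
    ]
    return [msg for hit, msg in checks if hit]
```

Calling lint("example.test") reports the lookup overrun, the +all policy, and the ptr term in one pass; a bare "all" is treated as +all because "+" is the default qualifier.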
SPF Records and Custom Domains
When your SaaS platform sends email on behalf of your customers using their custom domains, SPF configuration becomes critical. Each custom domain needs a properly configured SPF record that authorizes your platform's mail servers.
For example, if your platform sends transactional emails (welcome emails, password resets, notifications) from a customer's domain like notifications@app.customer.com, that domain's SPF record must include your sending infrastructure. Without it, those emails will likely end up in spam or be rejected entirely.
Managing SPF records across hundreds or thousands of customer domains can be challenging. SaaSKevin automates web custom domain onboarding with DNS routing verification, SSL provisioning, and request routing. SPF, DKIM, and DMARC configuration should be handled in your email platform setup.
Frequently Asked Questions
- What is an SPF record?
- An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. It helps receiving mail servers verify that incoming email from your domain was sent from an authorized server, reducing email spoofing and spam.
- What does the 10 DNS lookup limit mean?
- The SPF specification (RFC 7208) limits the number of DNS lookups during SPF evaluation to 10. Each "include", "a", "mx", "ptr", and "exists" mechanism, and the "redirect" modifier, triggers a DNS lookup. If your SPF record exceeds 10 lookups, the evaluation results in a permanent error (permError), and your email may not be delivered.
- What is the difference between ~all and -all?
- "-all" (hardfail) tells receiving servers to reject email from unauthorized senders. "~all" (softfail) tells them to accept but mark the email as suspicious. "-all" provides stronger protection but may cause issues during migration. "~all" is more forgiving and is commonly used alongside DMARC for gradual enforcement.
- Can I have multiple SPF records for one domain?
- No. A domain must have exactly one SPF record. If multiple SPF TXT records are found, it results in a permanent error (permError), and SPF validation fails entirely. If you need to authorize multiple senders, combine them into a single SPF record using include mechanisms.
- How do I fix too many DNS lookups in my SPF record?
- To reduce DNS lookups, you can: (1) replace "include" mechanisms with "ip4" or "ip6" for known static IPs, (2) use SPF flattening services that resolve includes to IP addresses, (3) remove unused or redundant include mechanisms, or (4) consolidate sending services where possible. Note that ip4 and ip6 mechanisms do not count toward the lookup limit.