SPF Record Checker
Parse every mechanism, count DNS lookups against the RFC 7208 limit of 10, and flag common misconfigurations.
What is SPF?
Sender Policy Framework (SPF) is an email authentication protocol defined in RFC 7208. It allows domain owners to publish a DNS TXT record specifying which mail servers are authorized to send email on behalf of their domain. Receiving servers check incoming mail against this record and can reject or flag messages from unauthorized sources.
SPF records are evaluated left to right, with each mechanism checked in order. The first match determines the result. A critical constraint is the 10 DNS lookup limit: mechanisms like include, a, mx, redirect, and exists each consume one lookup. Exceeding 10 causes a permanent error (permerror), and many receivers treat the record as invalid.
Best practice is to end your SPF record with -all (hard fail) to explicitly reject unauthorized senders. During initial setup, ~all (soft fail) can be used while confirming all legitimate senders are covered.
SPF Mechanisms
| Mechanism | DNS Lookup | Description |
|---|---|---|
all | No | Catch-all default, typically the last mechanism. |
ip4 / ip6 | No | Match specific IP address or CIDR range. |
a | Yes | Match A/AAAA records of the specified domain. |
mx | Yes | Match MX hosts for the specified domain. |
include | Yes | Recursively evaluate another domain's SPF record. |
redirect | Yes | Replace evaluation with another domain's record. |
exists | Yes | Match if an A record exists for the given domain. |
Our SPF Supply Chain 2026 study found that 4.8% of SPF-enabled domains exceed the 10-lookup limit and 53.6% still use softfail instead of hardfail.
Read the complete SPF guide to learn more.
Get the full picture with DMARCguard
Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
Start Free