SPF Record Checker
Parse every mechanism, count DNS lookups against the RFC 7208 limit of 10, and flag common misconfigurations.
What is SPF?
Sender Policy Framework (SPF) is an email authentication protocol defined in RFC 7208. It allows domain owners to publish a DNS TXT record specifying which mail servers are authorized to send email on behalf of their domain. Receiving servers check incoming mail against this record and can reject or flag messages from unauthorized sources.
SPF records are evaluated left to right, with each mechanism checked in order. The first match determines the result. A critical constraint is the 10 DNS lookup limit: mechanisms like include, a, mx, redirect, and exists each consume one lookup. Exceeding 10 causes a permanent error (permerror), and many receivers treat the record as invalid.
Best practice is to end your SPF record with -all (hard fail) to explicitly reject unauthorized senders. During initial setup, ~all (soft fail) can be used while confirming all legitimate senders are covered.
SPF Mechanisms
| Mechanism | DNS Lookup | Description |
|---|---|---|
all | No | Catch-all default, typically the last mechanism. |
ip4 / ip6 | No | Match specific IP address or CIDR range. |
a | Yes | Match A/AAAA records of the specified domain. |
mx | Yes | Match MX hosts for the specified domain. |
include | Yes | Recursively evaluate another domain's SPF record. |
redirect | Yes | Replace evaluation with another domain's record. |
exists | Yes | Match if an A record exists for the given domain. |
Our SPF Supply Chain 2026 study found that 4.8% of SPF-enabled domains exceed the 10-lookup limit and 53.6% still use softfail instead of hardfail.
Read the complete SPF guide to learn more.
SPF setup guides by provider
Walk-through guides with the exact records, admin-UI steps, and common-mistake fixes for each provider we cover.
Frequently asked questions
How do I check my SPF record?
Enter your domain. The checker reads the TXT record beginning v=spf1, expands every include, a, mx, and redirect mechanism, and counts the DNS lookups they trigger against the RFC 7208 limit of 10 — the most common cause of SPF PermError.
What is the SPF 10-lookup limit?
RFC 7208 caps an SPF evaluation at 10 DNS-querying mechanisms (include, a, mx, ptr, exists, redirect). Exceeding it returns PermError, which most receivers treat as a failure. Flattening or removing unused includes brings you back under the limit.
What does SPF PermError mean?
PermError signals a permanent problem evaluating SPF — usually more than 10 DNS lookups, multiple SPF records on one domain, or invalid syntax. Receivers cannot determine a result, so the message is treated as unauthenticated. Fix it by flattening includes or merging duplicate records.
Get the full picture with DMARCguard
Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.
Start Free