Skip to main content
SPF

SPF Record Checker

Parse every mechanism, count DNS lookups against the RFC 7208 limit of 10, and flag common misconfigurations.

What is SPF?

Sender Policy Framework (SPF) is an email authentication protocol defined in RFC 7208. It allows domain owners to publish a DNS TXT record specifying which mail servers are authorized to send email on behalf of their domain. Receiving servers check incoming mail against this record and can reject or flag messages from unauthorized sources.

SPF records are evaluated left to right, with each mechanism checked in order. The first match determines the result. A critical constraint is the 10 DNS lookup limit: mechanisms like include, a, mx, redirect, and exists each consume one lookup. Exceeding 10 causes a permanent error (permerror), and many receivers treat the record as invalid.

Best practice is to end your SPF record with -all (hard fail) to explicitly reject unauthorized senders. During initial setup, ~all (soft fail) can be used while confirming all legitimate senders are covered.

SPF Mechanisms

Mechanism DNS Lookup Description
all No Catch-all default, typically the last mechanism.
ip4 / ip6 No Match specific IP address or CIDR range.
a Yes Match A/AAAA records of the specified domain.
mx Yes Match MX hosts for the specified domain.
include Yes Recursively evaluate another domain's SPF record.
redirect Yes Replace evaluation with another domain's record.
exists Yes Match if an A record exists for the given domain.

Our SPF Supply Chain 2026 study found that 4.8% of SPF-enabled domains exceed the 10-lookup limit and 53.6% still use softfail instead of hardfail.

SPF setup guides by provider

Walk-through guides with the exact records, admin-UI steps, and common-mistake fixes for each provider we cover.

Frequently asked questions

How do I check my SPF record?

Enter your domain. The checker reads the TXT record beginning v=spf1, expands every include, a, mx, and redirect mechanism, and counts the DNS lookups they trigger against the RFC 7208 limit of 10 — the most common cause of SPF PermError.

What is the SPF 10-lookup limit?

RFC 7208 caps an SPF evaluation at 10 DNS-querying mechanisms (include, a, mx, ptr, exists, redirect). Exceeding it returns PermError, which most receivers treat as a failure. Flattening or removing unused includes brings you back under the limit.

What does SPF PermError mean?

PermError signals a permanent problem evaluating SPF — usually more than 10 DNS lookups, multiple SPF records on one domain, or invalid syntax. Receivers cannot determine a result, so the message is treated as unauthenticated. Fix it by flattening includes or merging duplicate records.

Get the full picture with DMARCguard

Continuous monitoring, aggregate report parsing, and actionable insights for all your email authentication protocols.

Start Free

or compare plans