SPF Record Syntax Inspector
Paste an SPF record (or fetch one from a domain) and get a token-by-token breakdown — every mechanism, every qualifier, every modifier, mapped to its RFC 7208 section with plain-English meaning and the common pitfalls for each.
SPF syntax in one paragraph
An SPF record is a TXT DNS record at the apex of a domain that starts with v=spf1 and lists mechanisms separated by whitespace. Each mechanism may be prefixed with a qualifier — + pass, - hard fail, ~ soft fail, ? neutral. Receivers evaluate left-to-right; the first matching mechanism's qualifier wins. A trailing all token catches everything else and defines the policy for unmatched senders.
The inspector above parses the record into tokens, maps each to its RFC 7208 section, and annotates every common pitfall — missing terminator, +all (no policy), >10 DNS lookups, deprecated ptr, tokens after all that will never be evaluated.
The mechanisms (RFC 7208 §5)
| Mechanism | Costs DNS lookup? | What it matches |
|---|---|---|
| all | No | Everything not yet matched. Must be last. |
| ip4:<cidr> | No | Client IP within the given IPv4 range. |
| ip6:<cidr> | No | Client IP within the given IPv6 range. |
| a[:domain[/cidr]] | Yes (1) | Client IP matches A/AAAA of the given domain. |
| mx[:domain[/cidr]] | Yes (1, plus sub-lookups) | Client IP matches A/AAAA of any MX record for the domain. |
| include:<domain> | Yes (1, plus child lookups) | SPF record at the target domain returns pass. |
| exists:<domain> | Yes (1) | Domain has any A record. Usually paired with macros. |
| ptr[:domain] | Yes (1) | Deprecated. Reverse-DNS of client IP resolves to a hostname matching the domain. |
The modifiers (RFC 7208 §6)
| Modifier | Costs DNS lookup? | What it does |
|---|---|---|
| redirect=<domain> | Yes (1) | Replaces this entire record with the SPF record at the target. Silently ignored if all is also present. |
| exp=<domain> | No | Points to a TXT explanation string returned with fail-result SMTP rejections. Most receivers ignore. |
The 10-lookup limit (RFC 7208 §4.6.4)
The SPF specification caps the total DNS lookups a record may trigger at 10. When evaluating a record exceeds the limit, receivers return PermError, and DMARC treats PermError as a fail. The terms that consume the budget are the include, a, mx, exists, and ptr mechanisms and the redirect= modifier. The inspector above counts as it parses and flags any record that hits 8+ lookups (tight) or exceeds 10 (broken).
When you hit the limit, the fix is either pruning an include chain you no longer use or flattening includes into raw ip4 / ip6 mechanisms — that's what the SPF Flattener does. Flattening is a maintenance trade-off: the record gets static, so when an ESP changes their IP ranges you have to re-flatten.
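The token-level checks described above (qualifier and mechanism parsing, the lookup count, the listed pitfalls) can be sketched offline in Python. This is an added example, not the inspector's own code; inspect_spf, the warning strings and the sample record are assumptions, and the count covers only terms in the record itself, so child lookups behind include, mx and redirect= are not resolved.

```python
import re
# Mechanisms that each cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_MECHS = {"include", "a", "mx", "exists", "ptr"}
MECHANISMS = LOOKUP_MECHS | {"all", "ip4", "ip6"}
QUALIFIERS = {"": "pass", "+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9._-]*)(?:([:=/])(.*))?$", re.I)

def inspect_spf(record):
    """Return (tokens, direct_lookups, warnings) for one SPF record string."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return [], 0, ["record does not start with v=spf1"]
    tokens, warnings, lookups, seen_all, has_redirect = [], [], 0, False, False
    for raw in parts[1:]:
        m = TERM_RE.match(raw)
        name = m.group(2).lower() if m else ""
        if not m or (m.group(3) != "=" and name not in MECHANISMS):
            warnings.append(f"{raw}: not a valid mechanism or modifier")
            continue
        qual, sep, arg = m.group(1), m.group(3), m.group(4)
        if sep == "=":  # modifier (section 6): no qualifier, position-independent
            tokens.append(("modifier", name, arg))
            has_redirect = has_redirect or name == "redirect"
            continue
        tokens.append((QUALIFIERS[qual], name, arg))
        if seen_all:
            warnings.append(f"{raw}: after all, never evaluated")
            continue
        if name in LOOKUP_MECHS:
            lookups += 1
        if name == "ptr":
            warnings.append("ptr is deprecated")
        if name == "all":
            seen_all = True
            if QUALIFIERS[qual] == "pass":
                warnings.append("+all: passes every sender, no policy")
    if has_redirect and seen_all:
        warnings.append("redirect= is ignored because all is present")
    elif has_redirect:
        lookups += 1  # the redirect target's record must be fetched
    elif not seen_all:
        warnings.append("missing terminator: no all or redirect=")
    if lookups >= 8:  # thresholds as stated on this page
        state = "over 10, PermError" if lookups > 10 else "tight"
        warnings.append(f"{lookups} direct lookups: {state}")
    return tokens, lookups, warnings

# Constructed sample record; example.com is a placeholder domain.
SAMPLE = "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.example.com ptr +all ip6:2001:db8::/32"
```

Because nothing is resolved, the lookup figure is a lower bound: a record that looks fine here can still exceed 10 once its include chain is followed.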
Qualifier choice — when to use which
- ~all (soft fail) — accept but mark as suspicious. The recommended starting policy for any domain new to SPF. Google, Microsoft, and Yahoo all accept it for bulk-sender compliance.
- -all (hard fail) — reject outright. The end-state target once every sender is enrolled. Aggressive — moving to hard fail before SPF coverage is complete will bounce legitimate mail.
- ?all (neutral) — accept with no opinion. Very rare in practice. DMARC reads it as fail-aligned for the SPF half.
- +all (pass everything) — never use. Equivalent to no SPF at all. Receivers that see this trust mail from any IP claiming the domain.
Related tools
- SPF Record Checker — validity-focused: confirms the record exists, counts lookups, surfaces PermError causes.
- SPF Flattener — the fix for the 10-lookup PermError. Resolves include chains into raw IP mechanisms.
- SPF Generator — build a new SPF record from scratch with provider presets (Google Workspace, Microsoft 365, Mailgun, etc.).
- DMARC Failure Diagnoser — once SPF syntax is sound, this tool identifies which sender is failing alignment.
Read the complete SPF guide to learn more.