SPF Check
Check the SPF record for any domain across 12 global DNS resolvers. Free real-time DNS propagation checker.
What is SPF?
SPF (Sender Policy Framework) is the oldest of the three email-authentication standards. It lets a domain publish, in DNS, the list of IPs and providers authorized to send mail on its behalf. Receiving servers check the connecting IP against the SPF record and accept, soft-fail, or reject accordingly.
SPF lives at the apex of your domain as a TXT record. Type your bare domain above: we'll query its TXT records and you'll spot the one starting with v=spf1.
Anatomy of an SPF record
A typical SPF record looks like: v=spf1 include:_spf.google.com include:mailgun.org ~all. Reading left to right:
- v=spf1: version marker.
- Mechanisms: ip4:, ip6:, a, mx, include:<domain>, exists:, etc. Each authorizes one source.
- Qualifier prefixes: + (pass, default), - (fail/reject), ~ (softfail/spam-flag), ? (neutral).
- The "all" mechanism at the end: typically ~all (softfail anything else) or -all (reject anything else). +all is dangerous: it authorizes the whole internet.
Common errors and pitfalls
- 10 DNS-lookup limit exceeded: each include: + every nested lookup counts toward a hard cap of 10. Stacking Google + Mailchimp + HubSpot + Salesforce blows it, and SPF stops working entirely (PermError).
- Two SPF records on the same name: RFC-illegal. Some receivers return PermError; merge into one.
- SPF ending in +all: neutralizes the whole point. Almost always a typo or test record left behind.
- SPF survives forwarding poorly: when mail is forwarded, the forwarder's IP isn't in your SPF, so SPF fails. That's why DMARC requires either SPF or DKIM to pass and align.
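As an added example (not code from this page or its checker), the Python below lints an SPF policy for three of the pitfalls above: more than one v=spf1 record on a name, a +all terminator, and the 10-lookup cap counted across nested include: and redirect= targets. It assumes a constructed in-memory zone (the ZONE dict, with made-up .test names) in place of live DNS; check_spf and _walk are hypothetical names.

```python
import re

# Terms that cost one DNS lookup each under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample zone (name -> TXT strings); not real DNS data.
ZONE = {
    "shop.test": ["v=spf1 include:crm.test include:news.test a mx ~all", "site-verify=abc123"],
    "crm.test": ["v=spf1 include:a.crm.test include:b.crm.test include:c.crm.test ~all"],
    "a.crm.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "b.crm.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "c.crm.test": ["v=spf1 a mx ~all"],
    "news.test": ["v=spf1 include:a.crm.test exists:%{i}.rbl.news.test mx ~all"],
    "dup.test": ["v=spf1 ip4:203.0.113.5 -all", "v=spf1 include:crm.test ~all"],
    "open.test": ["v=spf1 mx +all"],
}

def _walk(name, zone, path=()):
    """Return (dns_lookups, findings) for the SPF policy published at `name`."""
    if name in path:
        return 0, [f"{name}: include/redirect loop"]
    records = [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        why = "no SPF record" if not records else f"{len(records)} SPF records (PermError)"
        return 0, [f"{name}: {why}"]
    lookups, findings = 0, []
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" is the default
        m = re.match(r"([a-z0-9]+)[:=]?([^/]*)", term.lstrip("+-~?").lower())
        if not m:
            continue
        mech, target = m.groups()
        if mech == "all" and qualifier == "+":
            findings.append(f"{name}: +all authorizes any sender")
        if mech in LOOKUP_TERMS:
            lookups += 1
        if mech in ("include", "redirect") and target:  # nested policy: count its lookups too
            n, f = _walk(target, zone, path + (name,))
            lookups, findings = lookups + n, findings + f
    return lookups, findings

def check_spf(name, zone=ZONE):
    lookups, findings = _walk(name.lower().rstrip("."), zone)
    if lookups > 10:
        findings.append(f"{name}: {lookups} DNS lookups, limit is 10 (PermError)")
    return lookups, findings

if __name__ == "__main__":
    print([check_spf(d) for d in ("shop.test", "dup.test", "open.test")])
```

Against live DNS, the zone.get() call would be replaced by a TXT query; the counting and findings logic stays the same.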
FAQ
How do I reduce my SPF lookup count?
Audit your include: chain: many providers publish flattened lists you can substitute (e.g., directly include their IPs as ip4: mechanisms). Alternatively, services like Valimail offer SPF flattening as a managed product.
Is ~all or -all better?
~all is the cautious choice: failing mail is marked as suspicious but not outright rejected. -all tells receivers to reject. If you're confident your SPF is complete, use -all.
Background reading
See the SPF glossary entry, plus DKIM and DMARC for the full picture. The DNS Records Explained guide connects them.