SPF Record Lookup

Look up a domain's SPF TXT record and check syntax.

SPF (Sender Policy Framework) is a standard that uses a DNS TXT record to declare which mail servers are allowed to send email for your domain. This tool looks up a domain's SPF record in real time, shows the raw value, and breaks down each mechanism — include, ip4, ip6, a, mx, redirect and all — so you can see at a glance which senders are authorized and how the final all policy is set.

A missing or misconfigured SPF record lets legitimate mail land in spam, or makes it easier for someone to spoof your domain. In particular, having more than one SPF record is a standards violation that can fail validation outright, so this tool flags that case with a warning. Just enter a domain — no protocol or path needed.

Domaine.g. example.com (domain only, no protocol or path)

SPF mechanisms at a glance

ip4 / ip6: an IPv4/IPv6 address or range (CIDR) allowed to send
a / mx: authorize the domain's A record or MX servers as senders
include: pull in another domain's SPF policy (e.g. an email SaaS)
redirect: delegate SPF evaluation to another domain
all: the policy for any sender not matched above

The all policy is what matters

SPF usually ends with all, and the qualifier in front of it decides the policy. -all (hard fail) tells receivers to reject unauthorized senders, while ~all (soft fail) is a lenient policy that lets suspicious mail through but marks it. ?all (neutral) and +all (pass all) offer essentially no protection and are not recommended. Once operations are stable, tightening from ~all to -all is a good move.

Things to watch out for

SPF allows at most 10 DNS lookups in total (include, a, mx, redirect, etc.); exceeding this causes a permerror that invalidates SPF. Avoid deeply nesting too many includes — see how many lookups you currently use with SPF Lookup Counter. Also, a domain must have exactly one SPF record — combine multiple sending services into a single SPF using include rather than adding separate records. SPF works best alongside DKIM (DKIM Record Lookup) and DMARC (DMARC Record Lookup); to assess all three at once, use Email Deliverability Check.

Frequently asked questions

Where do I publish the SPF record?

As a TXT record on the domain root (e.g. example.com) in the form "v=spf1 ...". The old dedicated SPF record type is deprecated; use TXT.

What happens if there are two SPF records?

If a domain has more than one TXT record starting with v=spf1, it is a standards violation (permerror) and SPF validation can fail. You must merge them into one. This tool warns you when multiple records are found.

Should I use ~all or -all?

When first adopting SPF, start with ~all (soft fail) so legitimate mail isn't blocked. Once every valid sender is in your SPF and things are stable, tighten to -all (hard fail).

Does SPF alone fully stop spoofing?

No. SPF only validates the sending IP. For strong anti-spoofing you should also set up DKIM signing and a DMARC policy alongside SPF.

Is the domain I enter sent to third parties?

The lookup queries a trusted public DNS resolver for the domain name through our server, and results are briefly cached. We don't sell logs or share with third parties.

Related tools

Email →

Email Bounce Code Decoder

Explain 4xx/5xx SMTP bounce codes and how to fix them.

Email Header Analyzer

Analyze mail headers: hops, delays and SPF/DKIM/DMARC results.

DMARC Record Generator

Generate a DMARC TXT record from policy and report settings.

DMARC Record Lookup

Look up the _dmarc TXT record and explain its policy and tags.

DKIM Record Lookup

Look up the selector._domainkey TXT record for a DKIM public key.

Email Blacklist (DNSBL) Check

Check whether an IP is listed on major DNSBL blacklists.