Loading...
Please wait while we prepare your tools
Please wait while we prepare your tools
Analyze and validate SPF (Sender Policy Framework) records for email authentication and anti-spoofing protection.
Our advanced SPF (Sender Policy Framework) checker provides comprehensive analysis of your domain's email authentication records. Validate SPF syntax, check DNS lookup limits, identify void lookups, and ensure proper email security configuration to prevent spoofing and improve deliverability.
Sender Policy Framework (SPF) is an email authentication protocol defined in **RFC 7208**. It allows the owner of a domain to specify which mail servers are authorized to send emails on behalf of their domain. Receiving mail servers check the domain's SPF record in DNS during SMTP sessions to verify whether the sending server's IP address matches the domain's authorized list.
SPF authentication is performed against the domain found in the SMTP session's Return-Path header (also known as the Envelope-From or Mail From address), rather than the domain shown in the user-facing From: header.
An SPF record is published as a single DNS TXT record at the root of a domain. Here is a typical example:
v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all
Let's break down this record's components:
The most common configuration error in SPF records is exceeding the **10-DNS-lookup limit**. Under the SPF RFC specification, a receiving server will abort evaluation and return an SPF PermError if validating your SPF record requires more than 10 nested DNS lookups.
Mechanisms that trigger a DNS lookup include include, a, mx, ptr, exists, and redirect. Mechanisms that do *not* count against the limit include ip4, ip6, and all.
If you use multiple SaaS services (e.g. Salesforce, SendGrid, HubSpot, Google Workspace), their combined nested includes will easily exceed the 10-lookup limit. When this happens, major inbox providers (like Gmail and Outlook) reject your SPF record, routing your emails straight to spam folders.
marketing.yourdomain.com) instead of your apex domain. This gives them their own isolated SPF limit.ip4 or ip6) of those services.Analyze your domain's SPF records with our professional-grade tool. Check SPF syntax, validate mechanisms, monitor DNS lookup limits, detect void lookups, and ensure optimal email authentication configuration. Perfect for email administrators, security professionals, and domain managers.
An SPF record is a DNS TXT record that lists the authorized IP addresses and domains allowed to send email messages on behalf of your domain name.
A SoftFail indicates that the sending IP is not authorized, but the receiver should not reject the email outright. Instead, they should tag or flag it (often routing it to the spam folder) for further analysis.
An SPF PermError (Permanent Error) occurs if the record contains syntax errors, if the domain has multiple SPF records, or if the evaluation process exceeds the limit of 10 DNS lookups.
The SPF specification requires that receiving servers find exactly one SPF record. If multiple records are found, the validation will fail immediately with a PermError. Merge all rules into a single record.
-all (HardFail) instructs receiving servers to reject any unauthorized emails immediately. ~all (SoftFail) advises servers to accept unauthorized emails but mark them as suspicious.
A void lookup occurs when a DNS query triggered by an SPF mechanism (such as a or include) returns no results (no IP record exists). Exceeding 2 void lookups in a single session triggers an SPF PermError.
Validate email addresses for syntax, domain, and deliverability
Validate DKIM records for email authentication and integrity
Analyze email headers for security and authentication details
Check DMARC policies and email authentication alignment
Look up mail exchange records for domain email routing
Comprehensive email deliverability and reputation analysis