Free SPF Checker - Validate Your SPF Record Instantly

Check your SPF record syntax and DNS lookup count. See if you're under the 10-lookup limit, detect dangerous +all settings, and get instant fix recommendations.

Takes ~10 seconds

No login required for preview · No emails stored · GDPR-friendly

What This Tool Checks

SPF Record Presence

Verifies v=spf1 TXT record exists

Syntax Validation

Checks for valid SPF syntax and mechanisms

DNS Lookup Count

Counts lookups against the 10-lookup limit

All Qualifier

Detects dangerous +all or missing -all

How to Fix Common Issues

Too Many DNS Lookups (>10)

Replace include mechanisms with IP addresses or use SPF flattening:

v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all

Dangerous +all Qualifier

Replace +all with -all (hard fail) or ~all (soft fail):

v=spf1 include:_spf.google.com -all

Using ~all Instead of -all

Upgrade to hard fail for better protection:

v=spf1 include:_spf.google.com -all

How It Works

  1. Enter Your Domain - Type your domain name without http:// or www
  2. We Query DNS - Our tool fetches and parses your SPF TXT record
  3. Get Instant Results - See lookup count, syntax issues, and recommendations

Frequently Asked Questions

What is the SPF 10 DNS lookup limit?

SPF records are limited to 10 DNS lookups to prevent infinite loops and reduce server load. Each include, a, mx, ptr, and exists mechanism, and the redirect modifier, counts toward this limit. Exceeding it causes SPF to fail with a permerror.

What does +all mean in SPF?

+all is a dangerous SPF qualifier that allows ANY server to send email as your domain. This completely defeats the purpose of SPF. Always use -all (hard fail) or ~all (soft fail) instead.

What's the difference between ~all and -all?

~all (soft fail) marks unauthorized emails as suspicious but still delivers them. -all (hard fail) tells receivers to reject unauthorized emails. Use ~all during testing, then upgrade to -all for production.

How do I fix too many DNS lookups?

To reduce DNS lookups: 1) Replace include mechanisms with ip4/ip6 addresses where possible, 2) Use SPF flattening services, 3) Remove unused includes, 4) Consolidate multiple includes from the same provider.

Can I have multiple SPF records?

No, you should only have ONE SPF record per domain. Multiple SPF records cause a permerror and SPF will fail. Combine all your authorized senders into a single SPF record.

Understanding SPF Records: The Complete Guide

SPF (Sender Policy Framework) is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. Published as a DNS TXT record, SPF helps receiving mail servers verify that incoming email from your domain comes from an authorized source.

How SPF Works

When an email arrives, the receiving server checks the sender's domain for an SPF record. It then compares the sending server's IP address against the list of authorized servers in the SPF record. If there's a match, SPF passes. If not, the SPF result depends on your policy qualifier.

An SPF record starts with v=spf1 and contains mechanisms that define authorized senders:

  • ip4/ip6 - Authorize specific IP addresses or ranges
  • include - Reference another domain's SPF record (e.g., include:_spf.google.com)
  • a - Authorize the domain's A record IP
  • mx - Authorize the domain's mail servers
  • all - The catch-all mechanism that defines what happens to non-matching senders

The Critical 10 DNS Lookup Limit

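SPF has a strict limit of 10 DNS lookups to prevent infinite loops and reduce server load. Each include, a, mx, ptr, and exists mechanism, and the redirect modifier, counts toward this limit. Lookups triggered inside an included record count as well, so the total is for the whole evaluation, not just the terms visible in your own record. Exceeding 10 lookups causes SPF to fail with a "permerror" result.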

This limit is the most common SPF problem for organizations using multiple email services. Each service you add (Google Workspace, Microsoft 365, Mailchimp, Salesforce, etc.) typically requires an include statement, quickly consuming your lookup budget.

SPF Qualifiers: -all vs ~all vs +all

The qualifier before all determines how strictly your SPF policy is enforced:

  • -all (Hard Fail) - Recommended. Tells receivers to reject emails from unauthorized servers.
  • ~all (Soft Fail) - Marks unauthorized emails as suspicious but still delivers them. Use during testing.
  • ?all (Neutral) - No policy. SPF provides no guidance on unauthorized senders.
  • +all (Pass) - DANGEROUS. Authorizes ANY server to send as your domain. Never use this.
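
Added example (not this tool's code): counting lookups through nested includes and classifying the all qualifier, including a bare "all", which defaults to +all. The ZONE data, domain names, and function names are assumptions made for illustration; a constructed in-memory zone stands in for live DNS.

```python
import re

# Constructed zone data standing in for DNS TXT answers (not real records).
ZONE = {
    "example.com": ["v=spf1 include:_spf.mailer.example include:_spf.crm.example "
                    "include:_spf.desk.example mx ~all"],
    "_spf.mailer.example": ["v=spf1 include:a.mailer.example include:b.mailer.example -all"],
    "a.mailer.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "b.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.bl.crm.example -all"],
    "_spf.desk.example": ["v=spf1 a mx -all"],
    "open.example": ["v=spf1 ip4:203.0.113.7 all"],  # bare "all" means +all
}
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)[:=]?([^/]*)")

def spf_terms(domain, zone):
    """Parse the domain's single SPF record into (qualifier, name, target) tuples."""
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(records)}")
    terms = records[0].lower().split()[1:]
    if not all(TERM.match(t) for t in terms):
        raise ValueError(f"{domain}: malformed term")
    return [TERM.match(t).groups() for t in terms]

def count_lookups(domain, zone, chain=()):
    """Count lookup-consuming terms, following include: and redirect= targets."""
    if domain in chain:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for _, name, target in spf_terms(domain, zone):
        if name in ("include", "redirect"):
            total += 1 + count_lookups(target, zone, chain + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1  # one query each; mx/ptr sub-lookups are not modelled
    return total

def analyze(domain, zone=ZONE):
    """Report the lookup count, the all qualifier, and any findings."""
    lookups = count_lookups(domain, zone)
    qualifier = next((q or "+" for q, name, _ in spf_terms(domain, zone) if name == "all"), None)
    findings = []
    if lookups > 10:
        findings.append("permerror: more than 10 DNS lookups")
    if qualifier == "+":
        findings.append("+all authorizes any sender")
    elif qualifier != "-":
        findings.append("no -all hard fail")
    return {"lookups": lookups, "all": qualifier, "findings": findings}
```

The constructed example.com record shows only three includes and one mx, yet evaluates to 11 lookups once the nested records are followed.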

How to Reduce DNS Lookups

If you're hitting the 10-lookup limit, here are strategies to reduce your count:

  1. SPF Flattening - Replace include mechanisms with the actual IP addresses they resolve to. This removes the DNS lookup but requires maintenance when IPs change.
  2. Remove unused includes - Audit your SPF record and remove services you no longer use.
  3. Use ip4/ip6 directly - If a service has stable IPs, use them directly instead of an include.
  4. Consolidate services - Some providers share SPF records. Check if you can reduce redundant includes.

SPF Best Practices

  • One SPF record per domain - Multiple SPF records cause a permerror. Combine all senders into one record.
  • Keep each string under 255 characters - A single DNS TXT string is limited to 255 characters. Split a longer record into multiple strings within the same TXT record if needed.
  • Avoid the ptr mechanism - It's slow, unreliable, and deprecated. Use ip4/ip6 instead.
  • Test before deploying - Use SPF validators to check syntax and lookup count before publishing.
  • Monitor regularly - Email services change their IPs. Flattened records need periodic updates.

SPF Alone Isn't Enough

SPF only authenticates the envelope sender (Return-Path), not the visible From address. This means SPF alone can't prevent display-name spoofing. For complete protection, combine SPF with DKIM (cryptographic signing) and DMARC (policy enforcement). Together, these three protocols form the foundation of modern email authentication.

Monitor Your SPF Record Daily

Get alerts when your SPF record changes or exceeds the lookup limit.
