SPF Record Checker - Check SPF Record - SPF Record Lookup

Use SPF record checker to check if SPF has been set up correctly for a domain.

To learn how to implement SPF/DKIM/DMARC, check out this definitive, step-by-step guide:
How to Implement SPF/DKIM/DMARC to Prevent Email Spoofing/Phishing

Use DMARCLY's Safe SPF feature to fix the "too many DNS lookups" issue:
SPF PermError: too many DNS lookups. When SPF record exceeds 10-DNS-lookup limit.

Enter domain to check SPF record for, e.g., dmarcly.com
  Check SPF Record


Found SPF record in DNS:

SPF record resolution:

Flattened SPF record:


Mechanisms | Modifiers
Mechanism Explanation
all This mechanism always matches. It usually goes at the end of the SPF record.
include The specified domain is searched for a match. If the lookup does not return a match or an error, processing proceeds to the next directive.
ip4 The argument to the "ip4:" mechanism is an IPv4 network range. If no prefix-length is given, /32 is assumed (singling out an individual host address).
ip6 The argument to the "ip6:" mechanism is an IPv6 network range. If no prefix-length is given, /128 is assumed (singling out an individual host address).
a All the A records for domain are tested. If the client IP is found among them, this mechanism matches. If the connection is made over IPv6, then an AAAA lookup is performed instead.
mx All the A records for all the MX records for domain are tested in order of MX priority. If the client IP is found among them, this mechanism matches.
ptr The hostname or hostnames for the client IP are looked up using PTR queries. The hostnames are then validated: at least one of the A records for a PTR hostname must match the original client IP. Invalid hostnames are discarded. If a valid hostname ends in domain, this mechanism matches.
exists Perform an A query on the provided domain. If a result is found, this constitutes a match.
redirect For a modifier redirect=domain, the SPF record for domain replaces the current record.

Help on SPF record checker

The SPF record checker, aka SPF record validator/tester, checks if an SPF record is published on a domain, and if the SPF record's syntax is correct. It also features a DNS lookup counter.

To run an SPF check, enter the domain in question, and it will fetch the SPF record (if any) from the DNS. After the record is returned, it:

  • checks if the SPF record syntax is correct;
  • makes sure the number of mechanisms and modifiers that do DNS lookups does not exceed ten;
  • "flattens" the returned SPF record into a list of plain IP addresses, so that you can check them one by one, in case it's necessary. This is helpful when you need to track down some gnarly SPF issues.

SPF is an email security protocol which checks if an email message is sent from a host on the whitelist specified by the domain's admin.

An SPF record is a TXT record published on the domain starting with "v=spf1". It specifies a list of IP addresses where email messages are allowed to sent on behalf of that domain.

An SPF mechanism is a way to specify a range of IP addresses. These mechanisms are available in SPF: IP4, IP6, A, MX, PTR, EXISTS, INCLUDE, and ALL.

An SPF qualifier specifies the result of a mechanism evaluation. These qualifiers are available in SPF: +, ?, ~, and -.

Here is an example SPF record:

v=spf1 include:_spf.example.com -all

This record allows any host with an IP address specified in the SPF record of _spf.example.com to send emails on behalf of a domain.

An SPF record check fetches the SPF record on a domain you entered, and performs various checks on its syntax, validity, and DNS lookups, to make sure your SPF record works as expected.

The SPF specification requires that the number of mechanisms and modifiers that do DNS lookups must not exceed 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier.

The SPF checker calculates the number of DNS lookups in your SPF record, and warns you if your record exceeds that limit.

When your SPF record exceeds the 10-DNS-lookup limit, your legit emails will fail SPF authentication, and it will have a negative impact on your email deliverability.

DMARCLY's Safe SPF feature "flattens" your SPF record to make sure it never exceed the 10-DNS-lookup limit. It doesn't matter how many 3rd-party services you have in your SPF record: Safe SPF has you covered.

In addition, Safe SPF constantly monitors your SPF record for underlying service updates: even a service in your SPF record incurs extra DNS lookups without your knowledge, you can rest assured that your SPF record never exceeds the limit!