free spf checker
validate email auth
Check and validate SPF records for any domain. Parse mechanisms, detect errors, and ensure your email authentication is properly configured.
What is SPF?
SPF (Sender Policy Framework) is an email authentication method defined in RFC 7208. It allows domain owners to specify which mail servers are authorized to send email on behalf of their domain by publishing a special DNS TXT record.
An SPF record starts with v=spf1 followed by a series of mechanisms that define authorized senders. Common mechanisms include ip4: for IPv4 addresses, include: for third-party services, and mx to authorize the domain's own mail servers.
Each mechanism has a qualifier that determines what happens when a match is found. The record typically ends with an all mechanism that defines the default action for IPs not explicitly listed.
How to read SPF results
The SPF checker parses your record into individual mechanisms and displays them in a table with three columns:
- Qualifier — The action: Pass (+), Fail (-), SoftFail (~), or Neutral (?). Determines what happens when an IP matches this mechanism.
- Mechanism — The type of check: ip4, ip6, include, mx, a, all, etc.
- Value — The specific IP, domain, or network associated with the mechanism.
The tool also warns you about common issues like missing SPF records or having multiple SPF records (which violates the RFC and causes authentication failures).
SPF best practices
Keep your SPF record under the 10 DNS lookup limit — use IP addresses when possible
End your SPF record with "-all" (hard fail) in production for maximum protection
Use "include:" to authorize third-party services like Google Workspace, Microsoft 365, or SendGrid
Never publish more than one SPF record per domain — combine all mechanisms into a single record
Regularly audit your SPF record to remove decommissioned servers and outdated includes
Frequently asked questions
What is an SPF record?+
SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. It helps receiving servers verify that incoming mail from your domain comes from a server you've approved, reducing spam and spoofing.
How does SPF authentication work?+
When a receiving server gets an email, it checks the sender's domain for an SPF record. It then compares the sending server's IP address against the list of authorized servers in the SPF record. If the IP matches, the email passes SPF; if not, it may be marked as spam or rejected based on the SPF policy.
What do the SPF qualifiers (+, -, ~, ?) mean?+
+ (Pass) means the mechanism authorizes the sender. - (Fail) means the sender is explicitly not authorized and mail should be rejected. ~ (SoftFail) means the sender is probably not authorized but mail should be accepted and flagged. ? (Neutral) makes no assertion about the sender.
What is the SPF 10-lookup limit?+
SPF records are limited to 10 DNS lookups (include, a, mx, ptr, exists mechanisms). This prevents DNS amplification attacks. If your SPF record exceeds 10 lookups, the entire SPF check will fail with a "permerror". Use IP addresses instead of hostnames to reduce lookups.
Should I use -all or ~all in my SPF record?+
Use "-all" (hard fail) when you're confident your SPF record lists all legitimate sending sources. Use "~all" (soft fail) during testing or migration. Most organizations should aim for "-all" as it provides the strongest protection against spoofing.
Can I have multiple SPF records?+
No. RFC 7208 requires exactly one SPF record per domain. If a domain has multiple SPF TXT records, the SPF check will return a "permerror" and fail. If you need to authorize multiple services, combine them into a single SPF record using the "include" mechanism.
How does SPF relate to DKIM and DMARC?+
SPF, DKIM, and DMARC work together for email authentication. SPF validates the sending server, DKIM validates the message content hasn't been altered, and DMARC ties them together by defining what to do when SPF and DKIM checks fail. Implementing all three provides the strongest protection.
Verify email addresses, not just DNS records
SPF checks tell you about domain authentication — VerifyKit tells you if the mailbox actually exists. Verify emails before you send.
Try it free — 14-day money-back guarantee