
SPF Record Validator Tool

SPF Validator is a security utility used to verify the Sender Policy Framework record of a domain. It ensures that your authorized mail servers are correctly identified and prevents unauthorized spoofing.

Analyze your Sender Policy Framework (SPF) records. Detect syntax errors, verify mechanism alignment, and prevent email spoofing.


What is an SPF Record?

SPF (Sender Policy Framework) is an email authentication protocol that allows a domain owner to specify which mail servers are authorized to send email on behalf of their domain. It is one of the three pillars of email security, alongside DKIM and DMARC, designed to prevent spammers from "spoofing" your domain name to send fraudulent emails.

When you send an email, the receiving server looks up the SPF record in your domain's DNS. If the IP address of the server that sent the email is listed in your SPF record, the email is considered authentic. If it's not, the email may be flagged as spam or rejected entirely, protecting your domain's reputation and your recipients' security.

Understanding SPF Syntax

An SPF record always starts with v=spf1 and is followed by various mechanisms and qualifiers.

v=spf1 include:_spf.google.com ip4:1.2.3.4 ~all

Common Mechanisms:

  • ip4 / ip6: Specific IP addresses or ranges. See our A/AAAA Lookup for IP mapping.
  • a / mx: Authorizes the domain's A or MX records.
  • include: Authorizes a third-party service (like Google or Mailchimp).
  • all: Defines the policy for all other senders (always at the end).

Qualifiers: Pass or Fail?

  • + (Pass): The sender is authorized. This is the default if the prefix is missing.
  • - (Fail): Hard fail. The email should be outright rejected.
  • ~ (SoftFail): The email is suspect. Mark as spam but don't reject.
  • ? (Neutral): No policy stated. Treat as if no SPF record exists.

The 10-DNS Lookup Limit

One of the most common SPF configuration errors is exceeding the 10-DNS lookup limit. To prevent DDoS attacks on DNS servers, the SPF specification (RFC 7208) limits the number of DNS lookups a validator can perform to 10.

Mechanisms like include, a, mx, ptr, and exists all count toward this limit. If your record requires more than 10 lookups, it will return a PermError, and your SPF validation will fail, potentially causing your emails to be blocked.

"Pro-tip: Use IP4/IP6 mechanisms when possible, as they do not count toward the lookup limit. If you have too many includes, consider 'SPF Flattening' services."
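
A static check for the lookup limit described above, as an added example that is not part of the original page or of the validator tool: it counts DNS-querying terms across nested include and redirect records. The zone data and every *.example name are constructed, redirect is counted per RFC 7208 although the page does not list it, and macros in include targets are not expanded.

```python
import re

# Constructed sample data: domain -> SPF TXT record. All *.example names are
# hypothetical and stand in for live DNS answers so the code runs offline.
SAMPLE_ZONE = {
    "bloated.example": "v=spf1 a mx include:_spf.mail.example "
                       "include:_spf.crm.example include:_spf.desk.example ~all",
    "_spf.mail.example": "v=spf1 include:_n1.mail.example include:_n2.mail.example ~all",
    "_n1.mail.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_n2.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 a mx exists:%{i}._allow.crm.example ~all",
    "_spf.desk.example": "v=spf1 mx ip4:203.0.113.0/24 ~all",
    "flat.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 "
                    "include:_spf.desk.example -all",
}
# Terms that trigger a DNS query during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM = re.compile(r"^[+\-~?]?([a-z][a-z0-9]*)(?:[:=]([^/\s]+))?", re.I)

class PermError(Exception):
    """Raised where an SPF evaluator would return PermError."""

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reachable from domain's record."""
    if domain in path:
        raise PermError("include loop: " + " -> ".join(path + (domain,)))
    total = 0
    for term in zone[domain].split()[1:]:          # skip the v=spf1 version tag
        match = TERM.match(term)
        name = match.group(1).lower() if match else ""
        if name not in LOOKUP_TERMS:               # ip4, ip6 and all cost nothing
            continue
        total += 1
        if name in ("include", "redirect"):        # nested records count too
            target = (match.group(2) or "").lower()
            if target not in zone:
                raise PermError(f"{name} target has no SPF record: {target!r}")
            total += count_lookups(target, zone, path + (domain,))
    return total

def check(domain, zone=SAMPLE_ZONE):
    """Return (verdict, lookups); more than 10 lookups is a PermError."""
    lookups = count_lookups(domain, zone)
    return ("permerror" if lookups > MAX_LOOKUPS else "ok", lookups)

if __name__ == "__main__":
    for name in ("bloated.example", "flat.example"):
        print(name, check(name))
```

A real evaluator stops at the first matching mechanism, so this worst-case total can be higher than the lookups actually performed for a given message.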

The Trio of Trust

SPF alone isn't perfect. It can break when emails are forwarded. This is why DKIM (DomainKeys Identified Mail) was invented—it uses cryptographic signatures to ensure the email content hasn't been changed.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties them both together. It tells receiving servers what to do if SPF or DKIM fails (Reject vs. Quarantine) and provides reports back to the domain owner about who is sending mail from their domain.

SPF: Verifies the sender's IP.
DKIM: Verifies the message content.
DMARC: Sets the policy and reporting.

Frequently Asked Questions

Can I have multiple SPF records?

No. Your domain must only have ONE SPF record. If you have multiple records starting with v=spf1, they will all be invalidated, and SPF checks will return a PermError. You must combine all your mechanisms into a single record.

Is SPF sufficient to stop phishing?

No. SPF validates the "Return-Path" address (the technical sender), but not the "From" address displayed to the user. Spammers can use their own domain in the Return-Path to pass SPF while still spoofing your name in the From field. This is why DMARC is essential—it requires alignment between SPF/DKIM and the visible From address.

What does "-all" vs "~all" mean?

-all (Hard Fail) tells the recipient to reject any mail not from your authorized IPs. ~all (Soft Fail) tells them to accept it but mark it as suspicious. Verify your final delivery with our DMARC Checker.

Stay Validated

Adding a third-party service like Slack, Intercom, or Zendesk? Don't forget to update your SPF record first. Use this validator tool to ensure your syntax remains perfect and you haven't tripped the 10-lookup wire.