Arsal • Location • Starter
Why teams use this SPF checker
See whether v=spf1 exists, parse every mechanism, and confirm the record is well-formed before mail receivers reject it.
RFC 7208 caps SPF DNS lookups at 10. We count direct and nested includes so you know exactly where the budget is going.
Detects +all, missing all, and ?all configurations that allow spoofing or weaken your DMARC policy.
Resolves include: chains so you can see which providers (Google, Microsoft 365, SendGrid, Mailgun, etc.) are actually authorized.
SPF is one of three pillars of email auth. Use this tool alongside DMARC and DKIM to lock down your domain reputation.
Clean, readable output that you can share with clients and email vendors when troubleshooting bounced mail.
How it works
We resolve the TXT records of your domain and find the SPF record (the one starting with v=spf1).
Every include, ip4, ip6, a, mx, redirect, exists, ptr and the all qualifier is broken down with its qualifier.
We count DNS lookups, detect duplicate SPF records, and warn on +all, missing all, and other risky configurations.
Note: this tool only inspects what is publicly resolvable in DNS. It does not modify or push records. Use the warnings as guidance, then update SPF in your DNS provider (Cloudflare, Route 53, GoDaddy, cPanel, etc.).
The best out there
An SPF (Sender Policy Framework) record is a TXT DNS record that starts with v=spf1. It tells receiving mail servers which IPs and hosts are allowed to send email on behalf of your domain, which helps reduce spoofing and improves deliverability.
Enter a domain and the tool fetches its TXT records, locates the v=spf1 record, parses each mechanism (include, ip4, ip6, a, mx, redirect, exists), and counts DNS lookups against the RFC 7208 limit of 10. It also flags missing or unsafe all qualifiers.
RFC 7208 limits SPF evaluation to 10 DNS lookups. Mechanisms like include, a, mx, exists, redirect and ptr count toward the limit. Exceeding it causes a permerror and many receivers will reject your mail.
Use ~all (SoftFail) while you are still rolling out or auditing SPF, then move to -all (HardFail) once every legitimate sender is in the record. Avoid +all because it allows anyone to send mail as your domain.
No. RFC 7208 requires exactly one v=spf1 record per domain. If multiple SPF records exist, receivers must treat the lookup as permerror. Merge them into a single SPF record.