ArsalLocationStarter

Free No account needed
RFC 7208 Validates against the standard
Useful Improves email deliverability
Hostcry Icon

Why teams use this SPF checker

Diagnose deliverability and spoofing risks before email starts failing

Validate SPF syntax instantly

See whether v=spf1 exists, parse every mechanism, and confirm the record is well-formed before mail receivers reject it.

Stay under the 10-lookup limit

RFC 7208 caps SPF DNS lookups at 10. We count direct and nested includes so you know exactly where the budget is going.

Catch unsafe policies early

Detects +all, missing all, and ?all configurations that allow spoofing or weaken your DMARC policy.

Inspect nested includes

Resolves include: chains so you can see which providers (Google, Microsoft 365, SendGrid, Mailgun, etc.) are actually authorized.

Pair it with DMARC and DKIM

SPF is one of three pillars of email auth. Use this tool alongside DMARC and DKIM to lock down your domain reputation.

Built for support and ops

Clean, readable output that you can share with clients and email vendors when troubleshooting bounced mail.

When this SPF checker helps most

  • Email is going to spam or being rejected as spoofed
  • Adding a new sending source like SendGrid or Mailgun
  • Migrating between Google Workspace and Microsoft 365
  • Rolling out DMARC and need a clean SPF first
  • Auditing client domains during agency onboarding

What makes this tool more useful than dig

  • Parses every SPF mechanism into a readable view
  • Counts DNS lookups for you so you do not exceed the limit
  • Highlights warnings, errors, and unsafe qualifiers
  • Resolves nested includes one level deep automatically
  • Free, instant, and works for any public domain

How it works

SPF validation in three steps

01

Fetch TXT records

We resolve the TXT records of your domain and find the SPF record (the one starting with v=spf1).

02

Parse each mechanism

Every include, ip4, ip6, a, mx, redirect, exists, ptr and the all qualifier is broken down with its qualifier.

03

Validate against RFC 7208

We count DNS lookups, detect duplicate SPF records, and warn on +all, missing all, and other risky configurations.

Note: this tool only inspects what is publicly resolvable in DNS. It does not modify or push records. Use the warnings as guidance, then update SPF in your DNS provider (Cloudflare, Route 53, GoDaddy, cPanel, etc.).

#

The best out there

FAQ

An SPF (Sender Policy Framework) record is a TXT DNS record that starts with v=spf1. It tells receiving mail servers which IPs and hosts are allowed to send email on behalf of your domain, which helps reduce spoofing and improves deliverability.

Enter a domain and the tool fetches its TXT records, locates the v=spf1 record, parses each mechanism (include, ip4, ip6, a, mx, redirect, exists), and counts DNS lookups against the RFC 7208 limit of 10. It also flags missing or unsafe all qualifiers.

RFC 7208 limits SPF evaluation to 10 DNS lookups. Mechanisms like include, a, mx, exists, redirect and ptr count toward the limit. Exceeding it causes a permerror and many receivers will reject your mail.

Use ~all (SoftFail) while you are still rolling out or auditing SPF, then move to -all (HardFail) once every legitimate sender is in the record. Avoid +all because it allows anyone to send mail as your domain.

No. RFC 7208 requires exactly one v=spf1 record per domain. If multiple SPF records exist, receivers must treat the lookup as permerror. Merge them into a single SPF record.

Explore more free utilities

Need more diagnostics for your website?

Run speed, SEO, malware, SSL, DNS, and IP checks from one place.

View all tools