/ developer & network toolbox
← all tools

$ spf

server-side

SPF Checker

Look up a domain's SPF record, parse its mechanisms and flag the 10-lookup limit.

spf — invoker.tools

About the SPF Checker

This SPF checker looks up a domain's SPF record from its TXT entries and parses the mechanisms it contains — include, a, mx, ip4, ip6, redirect and more. It counts the mechanisms that trigger DNS lookups against the RFC 7208 limit of 10, so you can catch a record that will fail with a permerror, and it flags the all qualifier so you know whether the policy is soft (~all), hard (-all) or dangerously permissive (+all).

The lookups run server-side against public resolvers. Use it when setting up email authentication, debugging why mail is failing SPF, or auditing whether your record stays within the lookup limit after adding another include. Sender Policy Framework tells receivers which servers may send mail for your domain.

How to use it

  1. Enter the domain whose SPF record you want to check.
  2. Submit to fetch and parse the SPF TXT record.
  3. Review each mechanism and its qualifier in the parsed output.
  4. Check the DNS-lookup count stays at or under the limit of 10.
  5. Confirm the all qualifier matches the policy you intend (~all or -all).

Examples

  • v=spf1 include:_spf.google.com ~all -> uses Google's servers with a soft-fail default; counts as one of your DNS lookups.
  • A record with several includes reaching 11 lookups -> flagged as exceeding the RFC 7208 limit of 10, which causes a permerror.
  • v=spf1 +all -> flagged as insecure because it authorizes any server to send for the domain.

Frequently asked questions

What is an SPF record?

SPF (Sender Policy Framework) is a TXT DNS record listing which mail servers are allowed to send email for your domain. Receivers use it to detect forged senders.

Why is there a 10 DNS-lookup limit?

RFC 7208 caps SPF evaluation at 10 mechanisms that require DNS lookups (include, a, mx, ptr, exists, redirect) to limit load. Exceeding it produces a permerror and SPF fails.

What is the difference between ~all and -all?

~all is a soft fail that marks unauthorized mail as suspicious but usually still accepts it, while -all is a hard fail telling receivers to reject it. +all allows anyone and should be avoided.

How do I reduce my SPF DNS lookups?

Flatten or remove unused includes, replace some with direct ip4/ip6 mechanisms, and consolidate providers. This keeps the lookup count safely under 10.

Can a domain have more than one SPF record?

No. A domain must publish exactly one SPF TXT record; multiple SPF records cause a permerror. Combine entries into a single v=spf1 record.

Does this tool send my domain to a third party?

The SPF lookup runs on our server against public resolvers like 1.1.1.1 and 8.8.8.8. It only reads your published TXT records and does not store or share them.

More email / dns tools

DMARC CheckerMX LookupDKIM CheckerEmail Header Analyzer