SPF Record Checker - Check SPF Record - SPF Record Lookup
Use SPF record checker to check if SPF has been set up correctly for a domain.
To learn how to implement SPF/DKIM/DMARC, check out this definitive, step-by-step guide:
How to Implement SPF/DKIM/DMARC to Prevent Email Spoofing/Phishing
Use DMARCLY's Safe SPF feature to fix "SPF PermError: too many DNS lookups":
SPF PermError: too many DNS lookups. When SPF record exceeds 10-DNS-lookup limit.
Warning!
Tip
The SPF record exceeds the 10 DNS query limit, which results in deteriorated email deliverability. Use DMARCLY's Safe SPF feature to fix this issue.
Success!
Everything appears fine with your SPF record.
Tip
The SPF record exceeds the 10 DNS query limit, which results in deteriorated email deliverability. Use DMARCLY's Safe SPF feature to fix this issue.
Found SPF record in DNS:
SPF record resolution:
Flattened SPF record:
Mechanisms | Modifiers
Mechanism | Explanation |
---|---|
all | This mechanism always matches. It usually goes at the end of the SPF record. |
include | The specified domain is searched for a match. If the lookup does not return a match or an error, processing proceeds to the next directive. |
ip4 | The argument to the "ip4:" mechanism is an IPv4 network range. If no prefix-length is given, /32 is assumed (singling out an individual host address). |
ip6 | The argument to the "ip6:" mechanism is an IPv6 network range. If no prefix-length is given, /128 is assumed (singling out an individual host address). |
a | All the A records for domain are tested. If the client IP is found among them, this mechanism matches. If the connection is made over IPv6, then an AAAA lookup is performed instead. |
mx | All the A records for all the MX records for domain are tested in order of MX priority. If the client IP is found among them, this mechanism matches. |
ptr | The hostname or hostnames for the client IP are looked up using PTR queries. The hostnames are then validated: at least one of the A records for a PTR hostname must match the original client IP. Invalid hostnames are discarded. If a valid hostname ends in domain, this mechanism matches. |
exists | Perform an A query on the provided domain. If a result is found, this constitutes a match. |
redirect | For a modifier redirect=domain, the SPF record for domain replaces the current record. |
Help on SPF record checker
The SPF record checker, aka SPF record validator/tester, checks if an SPF record is published on a domain, and if the SPF record's syntax is correct. It also features a DNS lookup counter.
To run an SPF check, enter the domain in question, and it will fetch the SPF record (if any) from the DNS. After the record is returned, it:
- checks if the SPF record syntax is correct;
- makes sure the number of mechanisms and modifiers that do DNS lookups does not exceed 10;
- "flattens" the returned SPF record into a list of plain IP addresses, so that you can check them one by one, in case it's necessary. This is helpful when you need to track down some gnarly SPF issues.
SPF is an email security protocol which checks if an email message is sent from a host on the whitelist specified by the domain's admin.
An SPF record is a TXT record published on the domain starting with "v=spf1". It specifies a list of IP addresses where email messages are allowed to sent on behalf of that domain.
An SPF mechanism is a way to specify a range of IP addresses. These mechanisms are available in SPF: IP4, IP6, A, MX, PTR, EXISTS, INCLUDE, and ALL.
An SPF qualifier specifies the result of a mechanism evaluation. These qualifiers are available in SPF: +, ?, ~, and -.
Here is an example SPF record:
v=spf1 include:_spf.example.com -all
This record allows any host with an IP address specified in the SPF record of _spf.example.com to send emails on behalf of a domain.
An SPF record check fetches the SPF record on a domain you entered, and performs various checks on its syntax, validity, and DNS lookups, to make sure your SPF record works as expected.
The SPF specification requires that the number of mechanisms and modifiers that do DNS lookups must not exceed 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier.
The SPF checker calculates the number of DNS lookups in your SPF record, and warns you if your record exceeds that limit.
This tool can flatten SPF records for free for you. Simple enter your SPF record, click the Check SPF Record button, then scroll down to the Flattened SPF record section below to find the flattened SPF record.
However, since ISP's change their IP addresses frequently, the flattened IP addresses change accordingly. You'd have to update your SPF in the DNS manually, which equals burdensome and error-prone maintenance work.
To automate this updating process, you can use our automatic/dynamic SPF record flattening service.
When your SPF record exceeds the 10-DNS-lookup limit, your legit emails will fail SPF authentication, and it will have a negative impact on your email deliverability.
DMARCLY's Safe SPF feature "flattens" your SPF record to make sure it never exceed the 10-DNS-lookup limit. It doesn't matter how many 3rd-party services you have in your SPF record: Safe SPF has you covered.
In addition, Safe SPF constantly monitors your SPF record for underlying service updates: even a service in your SPF record incurs extra DNS lookups without your knowledge, you can rest assured that your SPF record never exceeds the limit!
Learn more about Safe SPF.