Free tool
SPF Record Checker
Look up a domain's SPF record, see which servers are authorized to send its mail, and catch the errors that silently break protection — the 10-lookup limit, a missing or weak all-qualifier, and duplicate records.
Live DNS lookup via DNS-over-HTTPS. We only read public DNS records.
What the SPF check validates
The tool looks up your domain's TXT records, isolates the one beginning with v=spf1, and checks the two things that most often break SPF:
- The 10-lookup limit — too many
include:statements push you over the cap and cause a permerror. - The all qualifier — whether unlisted senders are rejected (
-all), softly failed (~all), or dangerously allowed (+all).
It also flags the invalid case of multiple SPF records on one domain.
SPF is necessary but not sufficient
SPF authenticates the envelope sender, not the visible From: address — so on its own it doesn't stop display-name spoofing. It works as one of the two checks (with DKIM) that DMARC aligns to the From: domain. Build a clean record with the SPF generator.
Frequently asked questions
What is an SPF record?
SPF (Sender Policy Framework) is a TXT record that lists which mail servers and IP addresses are allowed to send email for your domain. Receiving servers check it to detect forged senders. It starts with v=spf1 and ends with an 'all' mechanism that sets what happens to unlisted senders.
What is the SPF 10-lookup limit?
SPF allows a maximum of 10 DNS-lookup mechanisms (include, a, mx, ptr, exists, redirect) when it's evaluated. Exceed it and SPF returns a permerror, which can cause legitimate mail to fail authentication. Flatten or consolidate includes to stay under the limit.
What does ~all vs -all mean?
The qualifier on 'all' decides enforcement: -all (hard fail) tells receivers to reject mail from any server not listed; ~all (soft fail) marks it as suspicious but still accepts it; ?all (neutral) does nothing; +all authorizes everyone and must never be used. Aim for -all once you're confident every legitimate source is listed.
Can I have more than one SPF record?
No. A domain must publish exactly one SPF record. Two or more v=spf1 records is invalid and causes a permerror, effectively breaking SPF. Merge all your includes and mechanisms into a single record.
Related free tools
Email authentication
DMARC Record Checker
Look up a domain's published DMARC record and grade the policy that decides whether spoofed mail gets rejected.
Email authentication
DKIM Record Checker
Enter a domain and selector to fetch and validate the DKIM public key that proves your mail wasn't tampered with.
Awareness
Phishing Quiz
Realistic email, SMS, QR-code, voice and social scenarios. Guess phishing or legitimate, then see which red flags gave each one away.
Authenticated email is step one.
PhishEye covers the impersonation email auth can't — lookalike domains, scam sites, and fake apps abusing your brand.