EmailAudit.io

SPF Record Checker

Validate your Sender Policy Framework record — mechanisms, DNS lookup count, and enforcement strength.

What is SPF?

Sender Policy Framework (SPF) is a DNS TXT record that specifies which mail servers are authorised to send email on behalf of your domain. Without a valid SPF record, your emails may be rejected or marked as spam by receiving mail servers.

Common SPF Issues

  • +all or ~all — allows any server to send, reducing protection
  • More than 10 DNS lookups — causes SPF to perma-fail at receiving servers
  • Multiple SPF records — only one TXT record starting with v=spf1 is allowed
  • ptr mechanism — deprecated and slow, remove it

Frequently Asked Questions

What is an SPF record and why do I need one?

An SPF (Sender Policy Framework) record is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. Receiving mail servers check SPF to verify the sending server is allowed. Without a valid SPF record, your emails may be rejected or marked as spam, and your domain is easier to spoof in phishing attacks.

What happens if my SPF record has more than 10 DNS lookups?

SPF has a hard limit of 10 DNS lookups per check. Exceeding this limit causes a permanent error (permerror), meaning SPF fails regardless of your actual sending infrastructure. This is a common misconfiguration for domains that use multiple email services — CRMs, marketing platforms, and helpdesk tools each add to the lookup count. The fix is to flatten include: mechanisms into direct IP ranges.

What does -all vs ~all vs +all mean in SPF?

-all (hard fail) tells receiving servers to reject mail from unlisted senders. ~all (soft fail) marks it as suspicious but still delivers it. +all (pass all) allows any server to send on your domain's behalf — this completely undermines SPF security and is never recommended. Use -all once all legitimate senders are listed in your record.

Can a domain have multiple SPF records?

No. Having more than one DNS TXT record starting with v=spf1 causes an SPF permanent error. Only one SPF record is allowed per domain. If you need to include multiple sending services, combine them into a single record using include: mechanisms or direct IP address ranges.

How do I fix an SPF record that is failing?

Common fixes include: reducing DNS lookups below 10 by flattening include: mechanisms into direct IP ranges; removing the deprecated ptr mechanism; merging multiple SPF records into one; changing +all or ~all to -all for stronger enforcement; and adding any missing mail servers or third-party sending services. Run this checker to identify which specific issue applies to your domain.