Free SPF Record Lookup Tool — Check Your Domain's Email Authentication
9 min read · Updated April 2026
Your SPF record is the first line of defense in email authentication. If it's misconfigured — or missing entirely — every email you send is at risk of landing in spam. Use our free SPF lookup tool to check your domain in seconds.
Key Takeaways
- ▸ SPF tells receiving servers which IPs are authorized to send email for your domain
- ▸ Exceeding the 10-lookup limit causes SPF to fail silently on every email
- ▸ Use
-all(hard fail) instead of~all(soft fail) for stronger protection - ▸ Missing third-party includes (Smartlead, Google, SendGrid) cause authentication failures
- ▸ The free SPF lookup tool parses your record and flags issues instantly
Table of Contents
SPF (Sender Policy Framework) is one of the three core email authentication protocols — alongside DKIM and DMARC — that determine whether your emails reach the inbox or get rejected. For outbound email teams managing multiple sending domains, verifying your SPF configuration is not optional. A single misconfigured record can silently break authentication for every email sent from that domain.
What Is SPF and Why Does It Matter?
SPF is a DNS-based email authentication protocol defined in RFC 7208. It allows domain owners to declare which mail servers are authorized to send email on behalf of their domain. When a receiving server gets an email, it checks the sender's domain for an SPF record — a TXT record published in DNS — and verifies whether the originating IP address is listed as an authorized sender.
If the sending IP matches an entry in the SPF record, the email passes SPF authentication. If it doesn't, the receiving server takes action based on the qualifier specified in the record: reject the email (-all), mark it as suspicious (~all), or allow it through (+all, which you should never use).
Since February 2024, Google and Yahoo require all bulk senders to have a valid SPF record. Domains without SPF will have their emails throttled or outright rejected by these providers. For outbound teams running cold email campaigns through platforms like Smartlead or Instantly, this makes SPF a non-negotiable requirement for every sending domain.
How SPF Works Under the Hood
An SPF record is a single TXT record published at the root of your domain. It starts with v=spf1 and contains a series of mechanisms that define authorized senders. Here's an example:
# Example SPF record for a domain using Google Workspace and Smartlead
v=spf1 include:_spf.google.com include:_spf.smartlead.ai -all
Each include: mechanism tells receiving servers to also check the referenced domain's SPF record for authorized IPs. This is how third-party email services like Google Workspace, SendGrid, and Smartlead get authorization to send on your behalf. The -all at the end tells receivers to reject any IP not explicitly authorized.
SPF Mechanism Types
- ●
include:— Checks another domain's SPF record (counts as a DNS lookup) - ●
ip4:/ip6:— Authorizes a specific IP address or CIDR range (no lookup cost) - ●
a— Authorizes the domain's A record IP (counts as a lookup) - ●
mx— Authorizes IPs from the domain's MX records (counts as a lookup) - ●
redirect=— Delegates SPF evaluation to another domain entirely
The critical constraint to understand is the 10-lookup limit. Every include, a, mx, and redirect mechanism triggers a DNS lookup. If the total number of lookups exceeds 10 — including nested lookups within included records — SPF evaluation returns a PermError and the check fails. This failure is silent: you won't receive any error notification, but every email from that domain will fail SPF authentication.
How to Use the Free SPF Lookup Tool
Our free SPF lookup tool makes it simple to check any domain's SPF configuration. Here's how to use it:
- Enter your domain — Type the domain you want to check (e.g.,
yourdomain.com) into the input field. Do not includehttps://or any subdomain prefix. - Run the lookup — Click the lookup button. The tool queries your domain's DNS TXT records and finds the SPF entry.
- Review the parsed record — The tool displays your full SPF record, breaks down each mechanism, counts the total DNS lookups, and identifies the qualifier type.
- Check for issues — Look for warnings about exceeding the 10-lookup limit, missing include statements for your email providers, or weak qualifiers like
~all.
If the tool identifies problems, you can use the SPF Generator tool to create a corrected record. The generator lets you select your email providers, add custom IPs, and outputs a properly formatted SPF record ready to publish in your DNS.
Common SPF Issues and How to Fix Them
After analyzing thousands of SPF records, these are the most common issues that cause authentication failures for outbound email teams:
Issue 1: Exceeding the 10-Lookup Limit
This is the most dangerous SPF issue because it fails silently. Each include: mechanism triggers at least one DNS lookup, and the included records may contain their own nested includes. Google Workspace alone can consume 3-4 lookups. Add Smartlead, a CRM, and a marketing platform, and you can easily exceed 10.
Fix: Use the SPF lookup tool to count your total lookups. If you're over 10, consider flattening your SPF record by replacing include: mechanisms with direct ip4: entries where possible, or use an SPF flattening service.
Issue 2: Missing Include Statements
When you add a new email sending service — such as Smartlead, Instantly, or SendGrid — you must add its SPF include to your DNS record. If you forget, every email sent through that service will fail SPF authentication because the sending IP won't be in your authorized list.
Fix: Check your email provider's documentation for the correct SPF include value. Add it to your existing SPF record. Use the SPF Generator to rebuild your record with all providers included.
Issue 3: Wrong Qualifier (~all vs -all)
Using ~all (tilde, soft fail) instead of -all (hyphen, hard fail) is a common mistake. Soft fail tells receiving servers to accept emails from unauthorized IPs but mark them. Hard fail tells servers to reject them outright. For outbound teams, -all is the correct choice — it provides stronger protection against spoofing and signals to ISPs that you are serious about authentication.
Fix: Change the last mechanism in your SPF record from ~all to -all. Make sure all legitimate senders are included first, as hard fail will block unauthorized sources.
Issue 4: Multiple SPF Records
A domain must have exactly one SPF record. If you have multiple TXT records starting with v=spf1, SPF evaluation returns a PermError and authentication fails for all emails. This commonly happens when different team members or providers add separate SPF records instead of merging them.
Fix: Combine all authorized senders into a single SPF record. Delete any duplicate SPF TXT records from your DNS.
Issue 5: Stale Records After Provider Changes
When you stop using an email provider but leave their include in your SPF record, you're unnecessarily consuming DNS lookups. Worse, if you switch providers without updating SPF, your new provider's sending IPs won't be authorized, causing authentication failures.
Fix: Audit your SPF record whenever you change email providers. Remove includes for services you no longer use and add includes for new services.
How SPF Fits Into the Authentication Stack
SPF is one component of a three-layer email authentication system. It works alongside DKIM (which cryptographically signs each email) and DMARC (which ties SPF and DKIM together with a policy). For a comprehensive understanding of how all three protocols interact, see our SPF, DKIM & DMARC setup guide.
Here's how SPF fits into the decision flow when a receiving server processes an incoming email:
- SPF check — The receiving server queries the sender's domain for an SPF record and checks if the originating IP is authorized.
- DKIM check — The server verifies the cryptographic signature in the email header against the public key in DNS.
- DMARC alignment — The server checks whether the From header domain aligns with the domain that passed SPF or DKIM.
- Policy enforcement — If alignment fails, the receiving server applies the DMARC policy (none, quarantine, or reject).
SPF alone is not sufficient. An email can pass SPF but still fail DMARC if the domains don't align. This is why all three protocols must be configured correctly on every sending domain. Use our complete authentication checker to verify all three at once.
SPF Lookup vs SPF Generator: When to Use Each
Superkabe offers two free SPF tools that serve different purposes:
SPF Lookup Tool
Use the SPF Lookup tool when you need to:
- ● Check if your domain has an SPF record published
- ● Diagnose why emails are failing SPF authentication
- ● Count your total DNS lookups to check the 10-lookup limit
- ● Verify that a new provider's include was added correctly
- ● Audit a domain before adding it to your sending infrastructure
SPF Generator Tool
Use the SPF Generator tool when you need to:
- ● Create an SPF record for a new domain from scratch
- ● Rebuild a broken or overcomplicated SPF record
- ● Add multiple providers and generate a properly formatted record
- ● Ensure correct syntax before publishing to DNS
The recommended workflow is: Lookup first, Generator second. Check your current state with the lookup tool, identify what needs to change, then use the generator to produce a correct record.
Frequently Asked Questions
What does an SPF record lookup actually check?
An SPF record lookup queries your domain's DNS TXT records to find the SPF entry. It then parses the record to identify authorized sending IPs and servers, counts the number of DNS lookups required, checks the qualifier (soft fail vs hard fail), and validates the overall syntax of the record.
What happens if my domain has no SPF record?
If your domain has no SPF record, receiving mail servers cannot verify whether emails sent from your domain are authorized. Most ISPs will treat emails from domains without SPF records with suspicion, often routing them to spam or rejecting them outright. Since 2024, Google and Yahoo require SPF for all bulk senders.
What is the SPF 10-lookup limit and why does it matter?
The SPF specification (RFC 7208) limits SPF records to a maximum of 10 DNS lookups during evaluation. Each include, a, mx, and redirect mechanism triggers a lookup. If your record exceeds 10, SPF evaluation returns a PermError and authentication fails silently for every email.
What is the difference between ~all and -all in SPF?
The -all qualifier (hard fail) tells receiving servers to reject emails from unauthorized IPs. The ~all qualifier (soft fail) tells servers to accept but flag the email. For outbound teams, -all is recommended because it provides stronger domain spoofing protection.
How often should I check my SPF record?
Check your SPF record whenever you add or remove an email service provider, change hosting infrastructure, or notice deliverability issues. For outbound teams managing multiple domains, monthly checks are a minimum. Superkabe automates this with continuous DNS monitoring across all your sending domains.
When should I use the SPF lookup tool vs the SPF generator?
Use the SPF Lookup tool to check and diagnose an existing record. Use the SPF Generator to create a new record or rebuild a broken one. The typical workflow is: lookup first to understand the current state, then generator to build a corrected record.
Stop Checking SPF Manually
The free SPF lookup tool is great for spot checks, but outbound teams running multiple domains need continuous monitoring. Superkabe automatically validates SPF records across all your sending domains, alerts you when configurations drift, and prevents deliverability damage before it starts.
See how Superkabe protects your infrastructure →How Superkabe prevents this problem
Superkabe continuously monitors SPF records across all your sending domains, tracking lookup counts, qualifier strength, and provider coverage. When a record exceeds the 10-lookup limit, loses a critical include, or uses a weak qualifier, Superkabe flags the issue before it causes authentication failures.