SPF Record Lookup

Enter any domain to check its SPF record. View authorized sending servers, count DNS lookups, and detect misconfigurations before they damage your deliverability.

What is an SPF Record?

SPF (Sender Policy Framework) is a DNS-based email authentication protocol defined in RFC 7208. It allows domain owners to publish a list of mail servers that are authorized to send email on their behalf.

When a receiving mail server gets an email claiming to be from your domain, it looks up the SPF record in your DNS. If the sending server's IP address matches one of the authorized mechanisms in the record, the SPF check passes. If not, the result depends on the "all" mechanism at the end of the record — typically softfail (~all) or hard fail (-all).

SPF is one of three email authentication protocols (alongside DKIM and DMARC) that are now required by Google and Yahoo for all bulk email senders. Without a valid SPF record, your emails are significantly more likely to land in spam or be rejected outright.

How to Read SPF Results

An SPF record is a single string made up of a version tag and a series of mechanisms. Here is how to interpret each part:

| Mechanism | Example | Meaning |
|---|---|---|
| v=spf1 | v=spf1 | Version identifier. Must be the first token. |
| ip4 / ip6 | ip4:192.0.2.0/24 | Authorize a specific IPv4 or IPv6 address or CIDR range. No DNS lookup required. |
| include | include:_spf.google.com | Authorize all servers listed in another domain's SPF record. Counts as a DNS lookup. |
| a | a | Authorize the IP(s) that your domain's A record points to. Counts as a DNS lookup. |
| mx | mx | Authorize the IP(s) of your domain's MX (mail exchange) servers. Counts as a DNS lookup. |
| all | -all | Default rule for senders not matching any mechanism. Qualifiers: + pass, ~ softfail, - fail, ? neutral. |

Each mechanism can be prefixed with a qualifier: + (pass, default), - (fail), ~ (softfail), or ? (neutral). The qualifier determines what happens when a sending server matches that mechanism.

Common SPF Misconfigurations

1. Exceeding the 10 DNS Lookup Limit

Each include, a, mx, ptr, and exists mechanism, and the redirect modifier, triggers a DNS lookup. Included domains may also have their own includes, which count toward your total. If the total exceeds 10, the SPF check returns PermError and all emails fail authentication. Fix this by replacing includes with direct IP addresses or using SPF flattening services.

2. Missing Include for a Sending Service

Every third-party service that sends email on your behalf (Google Workspace, Microsoft 365, Mailchimp, SendGrid, Smartlead, etc.) needs its own include: mechanism in your SPF record. If you add a new email provider but forget to update SPF, emails from that provider will fail the SPF check. Always check your provider's documentation for the correct include value.

3. Wrong Mechanism Order

SPF mechanisms are evaluated left to right. While order does not change the final result for most records, placing the all mechanism anywhere other than the end will cause everything after it to be ignored. Always put -all or ~all as the last mechanism in the record.

4. Using +all or ?all

Setting the all mechanism to +all (pass) means any server in the world can send email as your domain. This defeats the entire purpose of SPF. Similarly, ?all (neutral) provides no indication to receivers about unauthorized senders. Use ~all (softfail) as a minimum and -all (hard fail) for maximum protection.

5. Multiple SPF Records on One Domain

A domain must have exactly one SPF TXT record. Publishing two or more causes a PermError for every SPF check, meaning all emails fail authentication. This commonly happens when a new record is added without removing the old one. If you need to authorize additional senders, edit the existing record to include them.
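The parsing rules and misconfigurations 1, 3, 4 and 5 above, as an added example that is not part of the original page or the tool behind it: a small offline SPF linter in Python. The `ZONE` dictionary is constructed sample data standing in for DNS TXT answers, and all domain and function names are hypothetical. A missing include (item 2) cannot be detected from the record alone, so it is not checked.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # one DNS query each
# Constructed sample TXT data standing in for DNS; all domains are hypothetical.
ZONE = {
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.vendor.example -all"],
    "_spf.vendor.example": ["v=spf1 ip4:198.51.100.0/24 mx ~all"],
    "open.example": ["v=spf1 +all ip4:192.0.2.1"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 a ~all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}
ZONE.update({f"s{i}.example": [f"v=spf1 ip4:203.0.113.{i} -all"] for i in range(11)})

def spf_records(domain, zone):
    """TXT strings for the domain whose first token is the v=spf1 version tag."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def parse(record):
    """Return (qualifier, name, value) per term; the default qualifier is '+'."""
    terms = []
    for token in record.split()[1:]:
        qual, body = (token[0], token[1:]) if token[0] in "+-~?" else ("+", token)
        name = body.replace("=", ":").replace("/", ":").split(":")[0]
        terms.append((qual, name.lower(), body[len(name) + 1:]))
    return terms

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms, following include/redirect targets (loop-safe)."""
    if domain in path or not spf_records(domain, zone):
        return 0
    total = 0
    for _, name, value in parse(spf_records(domain, zone)[0]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(value, zone, path + (domain,))
    return total

def lint(domain, zone=ZONE):
    """Return finding codes for misconfigurations 1, 3, 4 and 5 from the list above."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return ["multiple-spf-records" if records else "no-spf-record"]
    terms, findings = parse(records[0]), []
    names = [name for _, name, _ in terms]
    if "all" in names:
        pos = names.index("all")
        findings += ["all-not-last"] if pos != len(names) - 1 else []
        findings += ["permissive-all"] if terms[pos][0] in "+?" else []
    if count_lookups(domain, zone) > 10:
        findings.append("too-many-lookups")
    return findings
```

To lint live records, replace `ZONE` with a dictionary built from real TXT answers for the domain and every include target.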

Frequently Asked Questions

What is an SPF record?
An SPF (Sender Policy Framework) record is a DNS TXT record that lists the mail servers authorized to send email on behalf of your domain. When a receiving server gets an email, it checks the sender's domain SPF record to verify the sending server is permitted. If the server is not listed, the email may be rejected or marked as spam.

How do I read an SPF record?
An SPF record starts with "v=spf1" followed by mechanisms that define authorized senders. Common mechanisms include "ip4:" and "ip6:" for specific IP addresses, "include:" for third-party senders (like Google or Mailchimp), "a" and "mx" for your domain's A and MX records, and "all" at the end to set the default policy for unlisted senders. The qualifier before each mechanism (+, -, ~, ?) determines whether matching senders pass, fail, softfail, or are treated as neutral.

What does the 10 DNS lookup limit mean?
RFC 7208 limits SPF evaluation to 10 DNS lookups per check. Each "include", "a", "mx", "ptr", and "exists" mechanism, and the "redirect" modifier, triggers a DNS lookup. If your SPF record exceeds 10 lookups, receiving servers return a PermError and the SPF check fails entirely. This is the most common SPF misconfiguration, especially for domains using multiple email services. To fix it, consolidate includes, replace "include" with direct "ip4"/"ip6" entries, or use SPF flattening.

What is the difference between ~all and -all?
"~all" (softfail) tells receiving servers that unlisted senders are probably unauthorized but should not be outright rejected. "-all" (hard fail) tells receivers to reject emails from unlisted servers. For domains actively sending email, "-all" provides the strongest protection against spoofing. "~all" is recommended during initial setup or migration to avoid accidentally blocking legitimate email. Most deliverability experts recommend moving to "-all" once you have confirmed all sending sources are listed.

Can I have multiple SPF records on one domain?
No. RFC 7208 requires exactly one SPF record per domain. If a domain publishes multiple SPF TXT records, receiving servers must return a PermError, which means the SPF check fails for all emails. If you need to authorize multiple sending services, combine them into a single SPF record using "include:" mechanisms. This is a common mistake when adding new email providers without removing or updating the existing SPF record.

Why does my SPF check show "No SPF record found"?
This means your domain's DNS has no TXT record starting with "v=spf1". Common reasons include: the record was never created, it was accidentally deleted during a DNS migration, or it is published on a subdomain instead of the root domain. Without an SPF record, receiving servers cannot verify your sending authorization, which leads to poor inbox placement and makes your domain vulnerable to spoofing.

Monitor SPF Records Automatically

This free tool checks your SPF record on demand. Superkabe monitors SPF, DKIM, and DMARC across all your sending domains every 24 hours and alerts you before misconfigurations cause deliverability failures.