Look up and validate the SPF TXT record on any domain: mechanisms, qualifiers, the all policy, and the 10 DNS lookup limit. It runs free in your browser over DNS-over-HTTPS, with no signup and nothing stored.
Create a free Unspam account to re-run these checks on a schedule and get alerted the moment your setup breaks. No credit card.
SPF (Sender Policy Framework, defined in RFC 7208) is a published list of the servers allowed to send email for your domain. It lives as a single DNS TXT record on the sending domain that starts with v=spf1, followed by mechanisms that name authorized sources and a final all policy. When a mailbox provider receives a message, it checks the sending IP against the SPF record on the envelope (Return-Path) domain and uses the result as one signal for inbox placement. SPF is also one of the building blocks of DMARC, so a correct record is part of meeting the Gmail, Yahoo, and Microsoft sender requirements that increasingly reject unauthenticated bulk mail.
Every valid SPF record begins with v=spf1. If the record does not start with this exact tag, or no TXT record is returned at all, the domain has no usable SPF policy.
These name the sources you authorize. include delegates to another domain's SPF (for example your email platform), a and mx authorize your own A and MX hosts, and ip4 / ip6 list specific addresses or CIDR ranges.
The mechanism at the end sets the default for everyone not listed: -all is a hard fail (recommended), ~all is a soft fail (common while testing), ?all is neutral, and +all authorizes anyone (do not use it).
SPF allows at most 10 DNS lookups during evaluation. Mechanisms like include, a, and mx each cost lookups, and nested includes add their own, so the checker follows the whole include chain to count the real total and flags records that go over the limit. Expand the breakdown to see which mechanism each lookup came from.
A domain must publish exactly one v=spf1 TXT record. If the checker finds two or more, the record is invalid and providers will return a PermError.
A domain may publish only one TXT record that starts with v=spf1. When a second one is added (often when a new email platform is set up), evaluation returns a PermError and SPF effectively fails. Merge every source into a single record with multiple include mechanisms.
Each include, a, mx, ptr, and exists mechanism triggers DNS lookups, and nested includes add their own. Once evaluation needs more than 10, the result is a PermError. Flatten or remove unused includes to stay under the limit.
Ending the record with +all tells the world that every server is authorized to send as your domain, which disables SPF entirely and invites spoofing. Use -all for a hard fail, or ~all while you are still confirming your sources.
If the lookup returns nothing, or a TXT record that does not begin with v=spf1, the domain has no enforceable policy and DMARC has nothing to align against. Publish one record that starts with v=spf1 and ends with a restrictive all.
A single TXT string is capped at 255 characters. Long records must be broken into multiple quoted strings inside one TXT record (which is valid), not into separate records. Splitting into separate records creates the multiple-record error instead.
