An SPF record checker is a diagnostic tool that examines the elements of your SPF record (mechanisms, qualifiers, and modifiers) and highlights any configuration and syntax problems. Checking your record ensures it is error-free, so you get the best protection SPF can offer against phishing and email spoofing while improving your email delivery rate.
An SPF record lookup tool looks up the SPF record of the queried domain in DNS, checks its correctness, and lists any errors it finds. DMARC Analyzer, MXToolbox, and Kitterman are common online SPF record checkers. Everything is checked against the specification in RFC 7208.
You can also use such a tool to find out whether a specific IP address is permitted to send email for a domain, along with other information. It is also advisable to implement DKIM and DMARC to compensate for the inherent weaknesses of SPF.
SPF Record Example
Let’s consider this SPF record example:
v=spf1 a include:example.com ~all
Where,
- v=spf1 indicates the SPF version. There is currently only one, so every SPF TXT record begins with v=spf1 and then lists the IPv4 or IPv6 mail servers the domain owner trusts.
- a authorizes the host(s) listed in the domain’s A record to send email on behalf of the company and its mail server.
- The include mechanism pulls in the SPF record of a third-party sender (here example.com) that has the right to send email for your domain, so that the IP addresses it authorizes are authorized for your domain too.
- The ~all mechanism specifies a softfail: email from any sender not matched above fails SPF authentication and will land in the recipient’s spam folder.
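To make the breakdown above concrete, here is a small parser for the SPF record syntax, added here as an example (it is not code from the original article or from any of the checkers named). It splits a record into its version, mechanisms and modifiers, fills in the default "+" qualifier, and rejects the kinds of term RFC 7208 treats as a permanent error. The mechanism and modifier names come from RFC 7208; the dictionary layout of the result is this example’s own choice.

```python
import re

# Mechanisms defined in RFC 7208 section 5; redirect and exp are modifiers (section 6).
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# These mechanisms are meaningless without an argument.
NEEDS_ARGUMENT = {"include", "exists", "ip4", "ip6"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# One term: optional qualifier, a name, then ":arg" or "/cidr" (mechanism) or "=value" (modifier).
TERM_RE = re.compile(r"^([+\-~?])?([A-Za-z][A-Za-z0-9_.-]*)(?:([:=/])(.*))?$")


def parse_spf(record):
    """Split an SPF TXT record into its version, mechanisms and modifiers.

    Each mechanism is returned as a dict with its qualifier (defaulting to "+"
    when none is written), the result that qualifier produces on a match, the
    mechanism name and its argument (None when absent). Anything RFC 7208 would
    treat as a permerror raises ValueError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must begin with v=spf1")
    parsed = {"version": "spf1", "mechanisms": [], "modifiers": []}
    for term in terms[1:]:
        match = TERM_RE.match(term)
        if not match:
            raise ValueError(f"malformed term: {term!r}")
        qualifier, name, separator, argument = match.groups()
        name = name.lower()
        if separator == "=":
            # Modifiers (redirect=, exp=) never carry a qualifier.
            if qualifier:
                raise ValueError(f"modifier with qualifier: {term!r}")
            parsed["modifiers"].append({"name": name, "value": argument})
        elif name in MECHANISMS:
            if name in NEEDS_ARGUMENT and not argument:
                raise ValueError(f"{name} requires an argument: {term!r}")
            qualifier = qualifier or "+"
            parsed["mechanisms"].append({
                "qualifier": qualifier,
                "result": QUALIFIERS[qualifier],
                "mechanism": name,
                # A domain for include:, a network for ip4:, a prefix length for a/24.
                "argument": argument,
            })
        else:
            # A bare word that is neither a mechanism nor a modifier, such as the
            # "example.com" left over when "include: example.com" is written with a space.
            raise ValueError(f"unknown mechanism: {term!r}")
    return parsed


if __name__ == "__main__":
    from pprint import pprint
    pprint(parse_spf("v=spf1 a include:example.com ~all"))
```

Running it on the record above yields three mechanisms: a with the implicit "+" qualifier, include with the argument example.com, and all with the "~" qualifier mapped to softfail. Writing the include with a space after the colon fails the parse, which is exactly the kind of typo a checker reports.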
Elements Analyzed by an SPF Record Checker
If you want an answer to the question ‘is my SPF record correct?’, run the record through an SPF checker, which validates it against the following elements:
Presence of an SPF Record
The first thing an SPF record lookup tool does is check whether an SPF TXT record is published for your domain. If none is found, it reports a validity error, and you need to create an SPF record by following these steps:
How to Create an SPF Record?
- Create an extensive list of senders allowed to send emails from your domain. This includes web servers, ISP and ESP mail servers, in-office mail servers, and third-party vendors.
- If you have more than one domain, you must create SPF DNS records for all of them, including non-email-sending domains.
- Use an online SPF generator to create your record. Make sure you are familiar with SPF syntax first.
- Publish the SPF record to DNS.
- Test your record to see if there are any issues. You can get help from an SPF lookup tool.
Existence of Multiple SPF Records
A domain may have only one SPF record. If an SPF record check for one of your domains finds several, you must merge them into one.
Generally, big email providers like Gmail and Microsoft Exchange merge SPF records automatically, so you don’t have to take care of it at all. Smaller email providers lack this feature, and you have to do it manually by consolidating your DNS TXT entries.
Note that you can’t simply copy one TXT record and paste it onto the end of another to merge them; the result would contain two v=spf1 prefixes and two all terms, which invalidates your record.
SPF Syntax Errors
A poorly constructed SPF record contains syntax errors and typos that invalidate it. Here is what a valid record must have:
- It begins with v=spf1.
- It ends with the all mechanism: ~all, -all, or +all.
- It contains no typographic errors.
Maximum Lookup Limit
Each DNS lookup consumes resources on the receiving mail server, which is why SPF evaluation is limited to a maximum of 10 DNS lookups. The limit was imposed to avoid overloading mail servers.
Once the limit is exceeded, either the email is returned or the list of authorized IP addresses is never retrieved. This gives malicious actors the opportunity to attempt phishing attacks in your company’s name.
If you cannot get back within the limit despite your best efforts, AutoSPF’s automatic SPF flattening service will resolve the issue.
Use of a PTR Mechanism
The PTR mechanism is used for resolving a domain name to its corresponding IP address. Its use in SPF records is deprecated because it is slow and unreliable, which is why diagnostic tools cannot reliably resolve it and flag its presence.
Use of the +all Tag
An SPF record checker returns a warning if your record includes a +all tag. This tag allows anyone on the internet to send email using your domain, which is not recommended: it lets attackers use your domain to send fraudulent email in your name.
Characters After the ‘all’ Tag
There should be no characters after the ‘all’ tag. If there are any, your SPF record checker will highlight them, because anything after ‘all’ invalidates your SPF record.
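The checks described so far (presence of a record, multiple records, the v=spf1 prefix, the all terminator, +all, characters after all, and the deprecated ptr mechanism) can all be applied to a record without any network access. The following linter, added here as an example and not taken from the article or from any of the tools it names, takes the list of TXT strings published at a domain and returns the findings a checker would report. The severity labels and wording are this example’s own; the sample TXT lists in the main block are constructed.

```python
# Offline version of the syntax checks an SPF record checker performs.
# Input is the list of TXT strings published at a domain (constructed here; no DNS is queried).


def spf_records(txt_records):
    """Return only the TXT strings that are SPF records (they start with v=spf1)."""
    return [r for r in txt_records if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def check_spf(txt_records):
    """Return a list of (severity, message) findings for a domain's TXT records."""
    records = spf_records(txt_records)
    if not records:
        return [("error", "no SPF record is published for this domain")]
    findings = []
    if len(records) > 1:
        findings.append(("error", f"{len(records)} SPF records found; merge them into one"))
    terms = records[0].split()[1:]
    # Drop the optional qualifier so "~all", "-all" and "+all" all compare as "all".
    names = [t.lstrip("+-~?").lower() for t in terms]
    # Reduce "include:example.com" or "mx/24" to the bare mechanism name.
    mechanisms = [n.split(":")[0].split("/")[0] for n in names]
    if "all" in mechanisms:
        position = mechanisms.index("all")
        if position != len(terms) - 1:
            trailing = " ".join(terms[position + 1:])
            findings.append(("error", f"characters after all: {trailing!r}"))
        if terms[position] in ("+all", "all"):  # a missing qualifier means "+"
            findings.append(("warning", "+all lets anyone on the internet send as your domain"))
    elif not any(n.startswith("redirect=") for n in names):
        findings.append(("error", "record does not end with an all mechanism"))
    if "ptr" in mechanisms:
        findings.append(("warning", "ptr mechanism is deprecated: slow and unreliable"))
    if "mx" in mechanisms:
        findings.append(("info", "mx mechanism present; keep it only if your MX hosts also send outbound mail"))
    return findings


if __name__ == "__main__":
    # Constructed TXT record sets, one per imaginary domain.
    for txts in (
        [],
        ["v=spf1 a include:example.com ~all"],
        ["v=spf1 a +all", "v=spf1 mx -all"],
        ["v=spf1 ptr mx -all include:late.example"],
    ):
        print(txts, "->", check_spf(txts))
```

The record from the example earlier on this page passes cleanly; a domain publishing two SPF records, one of them ending in +all, gets an error and a warning; and a record with a term after -all is flagged together with its ptr and mx mechanisms. The redirect= exception exists because RFC 7208 allows a record to delegate its policy instead of ending in all.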
SPF Type DNS
The SPF DNS record type is deprecated as of RFC 7208 and is no longer supported. Use the TXT record type instead to publish a valid SPF record for your domain.
Maximum Void Lookups
The void lookup limit, introduced in RFC 7208, applies to DNS lookups that return an empty response (NOERROR with no answers) or an NXDOMAIN response. There should be no more than 2 void lookups, and this limit is separate from the maximum lookup limit.
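The two limits above are easiest to understand by walking a record the way a checker does. The following example, added here and not part of the article or of any checker it names, evaluates a constructed DNS snapshot (FAKE_DNS, holding only TXT data with made-up domain names and documentation addresses) offline: it follows every include and redirect, counts each DNS-querying term toward the 10-lookup limit, counts NXDOMAIN and empty answers toward the 2-void-lookup limit, and raises a permanent error when either is exceeded. The set of mechanisms that cost a lookup (include, a, mx, ptr, exists, plus the redirect modifier) and the rule that redirect is ignored when all is present come from RFC 7208; the function names and the report format are this example’s own.

```python
# Offline walk of an SPF record that counts the DNS lookups RFC 7208 section 4.6.4 limits.
# FAKE_DNS is a constructed snapshot: domain -> list of TXT strings, or None for NXDOMAIN.
# All domain names and addresses below are made up for this example.

MAX_LOOKUPS = 10  # include, a, mx, ptr, exists and redirect each cost one
MAX_VOID = 2      # lookups answering NXDOMAIN or NOERROR with no records

FAKE_DNS = {
    "example.com": ["v=spf1 mx include:_spf.vendor-a.example include:_spf.vendor-b.example -all"],
    "_spf.vendor-a.example": ["v=spf1 ip4:192.0.2.0/24 include:_netblocks.vendor-a.example ~all"],
    "_netblocks.vendor-a.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    # No all mechanism, so the redirect is followed; its target no longer exists.
    "_spf.vendor-b.example": ["v=spf1 a mx exists:%{i}.rbl.vendor-b.example redirect=_spf-old.vendor-b.example"],
    "_spf-old.vendor-b.example": None,   # NXDOMAIN: a void lookup
    "empty.example": [],                 # NOERROR with no TXT answer: also void
    # Eleven includes of a record that itself needs no lookups: one too many.
    "toomany.example": ["v=spf1 " + " ".join(["include:_netblocks.vendor-a.example"] * 11) + " -all"],
    "voidy.example": ["v=spf1 include:gone1.example include:gone2.example include:empty.example -all"],
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


class SpfPermError(Exception):
    """Raised where RFC 7208 says the check result is permerror."""


def _spend(budget, domain):
    """Charge one DNS lookup and enforce the limit."""
    budget["lookups"] += 1
    if budget["lookups"] > MAX_LOOKUPS:
        raise SpfPermError(f"more than {MAX_LOOKUPS} DNS lookups (while evaluating {domain})")


def count_lookups(domain, dns, budget=None):
    """Follow include: and redirect= from `domain`, returning {"lookups": n, "void": m}.

    Every DNS-querying term is counted regardless of the sender IP, because a
    checker cannot know which mechanism will match. a/mx/ptr/exists count toward
    the lookup limit, but their own void results are not simulated: the snapshot
    holds TXT data only.
    """
    if budget is None:
        budget = {"lookups": 0, "void": 0}
    txts = dns.get(domain)
    if not txts:  # None -> NXDOMAIN, [] -> NOERROR with no answers
        budget["void"] += 1
        if budget["void"] > MAX_VOID:
            raise SpfPermError(f"more than {MAX_VOID} void lookups (while resolving {domain})")
        return budget
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        raise SpfPermError(f"{domain} publishes {len(spf)} SPF records; exactly one is required")
    redirect, has_all = None, False
    for term in spf[0].split()[1:]:
        name = term.lstrip("+-~?").lower()
        if name.startswith("redirect="):
            redirect = name.split("=", 1)[1]
            continue
        mechanism = name.split(":")[0].split("/")[0]
        if mechanism == "all":
            has_all = True
        if mechanism in LOOKUP_MECHANISMS:
            _spend(budget, domain)
        if mechanism == "include":
            count_lookups(name.split(":", 1)[1], dns, budget)
    # redirect= is ignored when the record contains all (RFC 7208 section 6.1).
    if redirect and not has_all:
        _spend(budget, domain)
        count_lookups(redirect, dns, budget)
    return budget


def lookup_report(domain, dns=FAKE_DNS):
    """Return ("ok", budget) or ("permerror", reason) for a domain in the snapshot."""
    try:
        return "ok", count_lookups(domain, dns)
    except SpfPermError as err:
        return "permerror", str(err)


if __name__ == "__main__":
    for name in ("example.com", "toomany.example", "voidy.example"):
        print(name, lookup_report(name))
```

For example.com the walk costs 8 lookups and 1 void lookup (the dead redirect target), which is within both limits but leaves little headroom; toomany.example fails on its eleventh include, and voidy.example fails on its third void answer even though it uses only 3 lookups, illustrating why the two limits are counted separately.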
MX Resource Records
The SPF record checker highlights the inclusion of any MX (Mail Exchange) mechanism. Use the MX mechanism only if your MX servers also send outgoing email.
If the servers listed in your MX records handle incoming mail only, the MX mechanism is not needed.
Null Values
An online SPF check highlights null values, because they cause problems in delivering email to the intended recipients. You can retain them only where you have added them deliberately to the record of a non-email-sending domain.