An SPF validator (also called an SPF lookup, SPF checker, or SPF tester) is a diagnostic tool: you type in a domain name and it extracts the SPF record associated with that domain to evaluate its correctness. If the SPF record isn’t published in the domain’s DNS yet, you have to manually copy and paste it for the SPF check process.
This tool runs SPF checks on the submitted SPF TXT record to highlight existing errors that can make it invalid, which gives threat actors an opportunity to send spam messages posing as you. The overall process of SPF record checking ensures email security, protection from phishing, spamming, and spoofing, and an improved email delivery rate.
A company with multiple domains or subdomains may merge its SPF TXT records (which, by the way, is a healthy practice) but end up doing it the wrong way. This is where an SPF record lookup tool comes into the picture and highlights the mistakes, so domain owners or administrators can fix the issues and enjoy the benefits of email authentication protocols. Please note that all the SPF checks are made in accordance with the specifications in RFC 7208.
SPF Record Example
Consider this SPF record example:
v=spf1 a include:example.com ~all
- v=spf1 indicates the version of SPF used. Currently, there’s only one SPF version; so, a record always begins with v=spf1.
- ‘a’ authorizes the systems listed in the domain’s A record to send email on behalf of the company.
- The include tag allows adding IP addresses of third-party senders allowed to send emails from your domain.
- The ~all mechanism specifies a softfail, which means emails failing SPF authentication checks will land in recipients’ spam folders.
What Does an SPF Validator Check?
A credible SPF validator diagnoses your SPF record against the following elements:
Presence of an SPF Record
Any SPF lookup tool starts by verifying whether there’s an SPF record linked to your domain. If there’s no SPF DNS record, the process can’t proceed further.
In this case, you need to use an online SPF record generator and build a record from scratch. For that, you need to collect all the IP addresses (in both IPv4 and IPv6 ranges) and mail servers that you authorize to send email messages on behalf of your company.
Improper Use of SPF Syntax
SPF syntax is intricate and difficult to understand. Mechanisms, modifiers, and qualifiers have different purposes, and overusing them also leads to record invalidation. As per the basic SPF checks, you need to ensure your TXT record:
- Begins with v=spf1.
- Ends with the all tag- ~all, -all, or +all.
- Contains no typographical errors.
Presence of More Than One SPF Record
Having multiple SPF records for one domain invalidates all of them. This gives hackers the chance to attempt email-based cybercrimes like BEC attacks and phishing.
If an SPF validator highlights the presence of multiple SPF TXT records, you need to merge them into one. Remember that you can’t just copy and paste them all in one place to merge them. Also, prominent email service providers like Gmail and Outlook have the intelligence to automatically do this on your behalf.
Use of PTR and MX Tags
The use of ptr and mx tags is discouraged because they are unreliable and slow, and they count towards the maximum DNS lookup limit. You may include an mx tag if your MX servers are deployed for outgoing emails.
The Use of the +all Tag
The +all tag authorizes anyone to send emails on your behalf. This tag basically nullifies all the email security measures in place and lets malicious hackers manipulate your clients and prospects into sharing sensitive information or taking illicit actions.
SPF Type DNS
The SPF record type is an obsolete DNS record type, which means it’s no longer in use. If this error pops up during an SPF lookup then you need to use the SPF type DNS.
SPF validators pinpoint null values because they create issues while delivering emails. However, adding them to SPF records created for non-email-sending domains doesn’t cause any problems.
Presence of Any Characters After the all Tag
Your SPF record becomes invalid if there’s any character after the all tag.
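
The checks listed above can be expressed as a small offline linter. The following is an added example, not the code of any particular SPF validator: the function name lint_spf, the finding codes, and the sample records are assumptions made for illustration, and the "missing-all" and "text-after-all" findings follow this page's rules.

```python
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}  # RFC 7208
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)([:/=].*)?$", re.I)

def lint_spf(txt_records):
    """Return sorted finding codes for the TXT records published at one domain."""
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no-spf-record"]
    findings = set()
    if len(spf) > 1:
        findings.add("multiple-spf-records")
    for record in spf:
        all_seen = False
        for term in record.split()[1:]:
            if all_seen:
                findings.add("text-after-all")  # anything following the all tag
            m = TERM.match(term)
            qualifier, name, arg = m.groups() if m else ("", "", None)
            name = name.lower()
            if arg and arg.startswith("="):
                continue  # modifier such as redirect= or exp=
            if name not in MECHANISMS:
                findings.add("unknown-term")  # typo or stray token
            elif name == "include" and arg in (None, ":"):
                findings.add("empty-include")  # e.g. a space after "include:"
            elif name in ("mx", "ptr"):
                findings.add("uses-" + name)
            elif name == "all":
                all_seen = True
                if qualifier in ("", "+"):
                    findings.add("pass-all")  # bare "all" defaults to +all
        if not all_seen:
            findings.add("missing-all")
    return sorted(findings)

# Constructed sample inputs (not taken from any real domain).
SAMPLES = {
    "space-typo": ["v=spf1 a include: example.com ~all"],
    "clean": ["v=spf1 a include:example.com ~all"],
    "two-records": ["v=spf1 mx ptr +all", "v=spf1 ip4:192.0.2.10 -all a"],
    "none": ["site-verification=constructed-token"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, lint_spf(records))
```

The linter works only on record text passed to it; it performs no DNS queries, so it does not follow include targets or count lookups.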