Skip to main content
New SPF lookups must resolve in milliseconds — why a DMARC tool's add-on isn't enough Learn Why → →

Free SPF Record Checker

Instantly verify your SPF record, count DNS lookups, and identify misconfigurations - all in one free tool.

Run an SPF check on any domain - free, no login

Type a domain to see its published SPF record, a mechanism-by-mechanism breakdown, and a live DNS lookup count.
Deep Analysis

What the SPF Checker Analyzes

SPF Record Verification

Pulls your domain's published SPF record live from DNS and shows exactly which mail servers and IP addresses you have authorized to send.

Status & Validation

Checks syntax, mechanism usage, and qualifier correctness according to RFC 7208 so you can spot and fix issues before they impact deliverability.

DNS Lookup Count

Counts every DNS lookup your record triggers - including the ones buried inside third-party includes - and flags you before you cross the RFC limit of ten.

Authorized IPs & Mechanisms

Breaks down every ip4, ip6, include, a, and mx mechanism so you can see exactly which servers are permitted to send email.

Why It Matters

Why Use the Free SPF Checker?

Improved Email Deliverability

Correctly configured SPF records reduce bounce rates and help your emails land in the inbox instead of the spam folder.

Enhanced Email Security

Prevent spoofing and phishing attacks by verifying that only authorized servers can send email from your domain.

Compliance with Standards

Gmail, Outlook, and Yahoo require proper SPF. Our tool checks your record against RFC 7208 and industry best practices.

User-Friendly Results

Clear, actionable output with error alerts, lookup counts, and recommendations - no DNS expertise required.

Reading Your Results

Understanding Your SPF Check Results

Run any domain through this SPF checker and it pulls the live record, expands every mechanism, and shows you the full list of IP addresses your domain currently trusts to send mail. Anything outside that list is what receiving servers will challenge or reject.

Flow diagram showing how an SPF record blocks unauthorized senders and spoofing attempts while allowing verified mail servers to deliver email on behalf of your domain
Verified mail servers get through; anything outside your SPF record is what receivers challenge or reject.

What an SPF Record Looks Like

An SPF record is a single TXT entry published in your DNS records that tells receivers which mail servers may send messages on behalf of your domain. A typical record looks like this:

v=spf1 include:_spf.google.com ip4:192.0.2.0/24 -all

Diagram labeling the parts of an SPF record: the v=spf1 version tag, the ip4 IP address mechanism, the include mechanism for third-party senders, and the -all hardfail qualifier
Every SPF record is one TXT entry built from a version tag, one or more mechanisms, and a final qualifier - each part tells receivers something different about which senders to trust.

Each piece is a mechanism. The include: mechanism pulls in another domain's authorized senders, ip4: authorizes a specific IP address or IP range, and the final -all rejects every other sender. When you run this SPF checker, it expands each mechanism, validates the syntax against the Sender Policy Framework (SPF) specification (RFC 7208), and lists every IP address your domain currently authorizes.

Common SPF Errors and What They Mean

When the checker analyzes your record, the result resolves to one of several SPF outcomes. The errors worth recognizing:

  • PermError (shown as PermError in tool output) - a permanent failure in the record itself. Almost always a syntax mistake or a record that exceeds the DNS lookup limit. Receivers treat the record as if it doesn't exist. Fix the syntax or reduce nested includes to clear it.
  • TempError (TempError) - a temporary DNS resolution issue, often a slow or unreachable nameserver. Re-test in a few minutes; if it persists, check your DNS provider.
  • softfail (the ~all qualifier) - the sender isn't authorized, but receivers should accept the message and mark it suspicious. Common in transitional setups before switching to hardfail.
  • hardfail (the -all qualifier) - the sender isn't authorized, so receivers reject the message outright. This is the setting you want once every legitimate sender is accounted for.
  • none - the domain publishes no SPF record at all, so receivers have nothing to check the sender against and often treat the mail as untrusted.
  • neutral (the ?all qualifier) - the domain explicitly declines to assert authorization. Treated similarly to none.

Each outcome maps to a different fix. Syntax errors, missing TXT records, and unauthorized senders surface in the checker as distinct error categories so you can act on them without digging through raw DNS responses.

How SPF Works With DKIM and DMARC

SPF is one of three email authentication standards that work together, so an SPF check rarely tells the whole story on its own. SPF verifies the sending server, DKIM adds a cryptographic signature that proves the message wasn't altered in transit, and DMARC ties the two together - it checks that SPF or DKIM aligns with the domain in the visible "From" address and tells receivers what to do when authentication fails. Gmail, Yahoo, and Microsoft now require all three from bulk senders, so a passing SPF record is the foundation the rest of your email authentication - and your defense against spoofing and email fraud - is built on.

When you clear an issue this SPF checker surfaces, re-check DKIM and DMARC at the same time. A technically valid SPF record that isn't aligned with your DMARC policy can still fail, and tightening SPF to -all before your other senders are covered will block legitimate mail.

The 10 DNS Lookup Limit

Gauge illustration of the SPF 10 DNS lookup limit, with the needle approaching the maximum and warnings about exceeding allowable queries, performance issues, and the risk of timeouts and errors
Every include, a, mx, ptr, and exists mechanism counts toward the 10 DNS lookup limit. Cross it and the record fails with PermError.

The Sender Policy Framework specification caps DNS lookups at ten per evaluation (RFC 7208, section 4.6.4). Each include:, a, mx, ptr, and exists mechanism counts toward the limit, and nested includes count recursively. When your record exceeds the 10 DNS lookup limit, receivers return PermError and your messages may go to spam regardless of how correct the rest of your record is - every IP address you've listed becomes irrelevant the moment the lookup limit blows past ten.

The checker counts every lookup your record triggers, including the ones hidden inside third-party include: directives. If you're over ten - or close - AutoSPF can flatten the record automatically, preserving the authorized IP addresses while collapsing nested lookups into a single, valid SPF record.

When to Run an SPF Check

Run an SPF check whenever you add or remove an email provider, migrate platforms, or notice messages landing in spam - and audit your record at least once a quarter as routine hygiene. Each time you change who sends mail for your domain, an SPF lookup confirms the record still resolves, stays under the 10-lookup limit, and lists only the servers you trust. Tools like this one turn that into a 10-second check instead of a manual dig session, and pair well with a DMARC checker and DKIM lookup for a complete view of your email authentication. Check your subdomains separately, too - a subdomain does not inherit the parent domain's SPF record, so every subdomain that sends mail needs its own.

Too many DNS lookups?

AutoSPF automatically flattens your SPF record to stay within the 10-lookup limit. Setup takes 60 seconds.

Start Free TrialView Plans & Pricing
Rated 5/5 on G2 · Trusted since 2018

World-Class Support for Your SPF Needs

"Helped us go beyond capacity"

AutoSPF did exactly as described, it helped us get past our 10 lookup limit. Afterwards, we hit another limit regarding overall capacity and when contacted, they quickly provided us with a new solution to eliminate capacity issues entirely going forward, so now we can add as many SPF records as needed. They also provided us with a personalized support video explaining their new method in its entirety using our instance as the example.
VU

Verified User

Financial Services · Mid-Market (51-1000 emp.)

"Great service and great support"

AutoSPF was easy to initially set up on our own and a great cost effective entry into spf flattening. Needed our first support assistance today and got great response including a video demonstrating the issue I was trying to solve, a quick fix, and more detailed followup.
GF

Greg F.

Mid-Market (51-1000 emp.)

"Robust and useful product with incredible support"

AutoSPF is a simple tool to solve a significant problem. It does it so very well without any issues. Additionally, the support is very professional and goes above and beyond to help resolve any email-related issues for their customers.
VU

Verified User

Insurance · Mid-Market (51-1000 emp.)

Read our reviews on G2