An SPF lookup is the DNS query a receiving mail server runs to find out which servers you have authorized to send email as your domain. It happens on every inbound message, so knowing how to run the same lookup yourself is the fastest way to see what receivers see.
How an SPF Lookup Works
Your SPF record is published as a DNS TXT record at your domain's apex (for example, at example.com, not _spf.example.com). When a message arrives, the receiver reads the envelope sender's domain, queries that domain's TXT records, finds the one beginning with v=spf1, and evaluates it against the connecting server's IP address. If the IP is authorized, SPF passes; if not, the qualifier on the record decides what happens next.
Reading the Raw SPF Record
A lookup returns a single line like this:
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 -all
Each token is a mechanism: include: pulls in another provider's authorized senders, ip4: authorizes an address or range directly, and the trailing -all tells receivers to reject anyone not matched. The raw string is only half the picture, though - the real work is expanding what those includes contain.
Recursive Include Expansion and Lookup Counting
Every include: is itself a domain with its own SPF record, which can contain further includes. This tool follows that chain all the way down, so a record that looks like three includes might actually resolve into a dozen DNS lookups. That matters because RFC 7208 caps evaluation at ten DNS-querying mechanisms (plus a limit of two void lookups); cross either and receivers return a PermError. If your expanded record is over ten, AutoSPF flattens the includes into a compact record and keeps it current - see too many DNS lookups.
Looking Up an SPF Record Manually
You can run the underlying query yourself from a terminal. On macOS or Linux:
dig TXT example.com +short
On Windows:
nslookup -type=TXT example.com
Both return the raw TXT records, including the SPF line - but neither expands nested includes or counts total lookups, which is why a purpose-built lookup tool is faster for anything beyond a quick glance.
When a Lookup Returns Nothing (or Fails)
- No record found. The domain publishes no
v=spf1TXT record, so receivers have nothing to check the sender against. - Two records found. RFC 7208 allows only one; a second produces a PermError and both are ignored.
- Subdomain has no record. Subdomains do not inherit the parent's SPF record - each sending subdomain needs its own.
- PermError on the count. Valid syntax, but the expanded lookups exceed ten.
After the Lookup: Validate, Fix, and Cover DKIM and DMARC
Once you have the record, run it through the SPF validator to check it against every RFC rule, or rebuild it cleanly with the SPF record generator. And because SPF only covers the sending server, pair it with the free DMARC checker and DKIM lookup - DMARC is what ties SPF and DKIM to your visible From address. Look up your record whenever you add a sender, migrate providers, or see mail landing in spam.