SPF Record Lookup
Check SPF records to spot misconfigurations that could let spammers send emails from your domain.
Our SPF Record Lookup analyzes your DNS, highlights common pitfalls, and helps you apply the correct configuration.
Check SPF records to spot misconfigurations that could let spammers send emails from your domain.
Our SPF Record Lookup analyzes your DNS, highlights common pitfalls, and helps you apply the correct configuration.
Use DMARCFlow’s SPF Checker to confirm that your outbound emails are properly authenticated. An SPF record helps prove that messages sent from your domain are legitimate and haven’t been forged.
Start by verifying that your domain has an SPF record. Then ensure it’s correctly configured.
Even small mistakes - like syntax errors or too many includes - can break SPF.
DMARCFlow gives you a clear view of your SPF structure and all authorized sending sources.
Want to see how it works? Watch our short video guide on using the SPF test tool.
SPF (Sender Policy Framework) lets you declare which servers may send mail for your domain. Receiving servers check your DNS SPF record; if the sender isn’t authorized, the message may be flagged or rejected.
Correct SPF helps prevent phishing and improves deliverability so legitimate mail reaches the inbox.
A step-by-step guide to keep your domain protected and emails in the inbox.
Include only trusted sending sources. Keep mechanisms minimal for clarity and speed.
Only include services you actually use (e.g., Mailchimp, Google Workspace). Verify each provider’s SPF syntax.
SPF permits max 10 DNS lookups. Flatten/optimize to avoid permerror failures.
Validate SPF after any change to mail servers or providers to catch regressions early.
Audit who can send for your domain and update SPF to remove stale or risky sources.
Every result status has a specific meaning. Here is what each one tells you and what to do next.
The sending IP is authorized by your SPF record. The email passes SPF authentication. No action needed — but pair with DKIM and DMARC for complete coverage.
The sending IP is explicitly not authorized. Your SPF record ends in -all and this server is not listed. Receivers will likely reject or flag the message. Add the missing server or investigate why mail is coming from an unauthorized source.
The sender is not authorized but the policy is lenient (~all). Mail is typically accepted but may be marked as spam. Consider moving to -all once your SPF is stable and complete.
Permanent error — your SPF record has a syntax problem or exceeds the 10 DNS lookup limit. This is the most common cause of SPF failures in DMARC reports. Fix the record immediately; receivers cannot evaluate it at all.
Temporary DNS failure during lookup. Usually resolves on its own but can indicate DNS infrastructure issues. If it persists, check your DNS provider's status.
None: No SPF record found at all. Your domain is unprotected. Publish an SPF record immediately. Neutral: The record exists but makes no assertion (?all). Effectively the same as having no policy.
These are the mistakes that most frequently cause SPF failures in DMARC reports.
Every include:, a, mx, and exists mechanism counts as a DNS lookup. Exceeding 10 causes a PermError, which means your SPF record is invalid and receivers ignore it entirely.
Fix: Use SPF flattening to inline IP addresses directly, removing nested include chains. Remove services you no longer use.
Publishing two or more TXT records starting with v=spf1 on the same domain is an RFC violation and causes a PermError. Receivers will reject the entire SPF evaluation.
Fix: Merge all sending sources into a single SPF record. Delete the duplicate.
When you add a new email service (CRM, marketing platform, helpdesk) without updating your SPF, emails from that service fail. This is the most common reason for SPF failures appearing in DMARC aggregate reports.
Fix: Identify all services sending email on your behalf and add their include: statements or IP ranges to your SPF record.
SPF passing is not enough for DMARC. The SPF-authenticated domain must align with the From: header domain. Forwarded mail and mailing lists frequently break SPF alignment even when SPF itself passes.
Fix: Ensure DKIM is also configured and aligned. DKIM survives forwarding; SPF does not.
Common questions about SPF records
v=spf1 include:example.net -all).