Free tool

Free SPF Record Checker

Look up any domain's SPF (Sender Policy Framework) record, parse every mechanism, and spot common misconfigurations that let attackers spoof your email — in under a second.

What is SPF?

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are allowed to send email on behalf of your domain. When a recipient's mail server gets a message claiming to be from you, it checks your SPF record. If the sending IP isn't on the allow-list, the message can be marked as spam — or rejected outright.

Without SPF, anyone can spoof your domain. With a misconfigured SPF, you may accidentally block your own legitimate mail (think: your marketing automation tool, your transactional sender, your finance app). Both outcomes hurt deliverability.

What does this checker do?

Our SPF checker performs a real-time DNS lookup against Cloudflare's public resolver, parses every mechanism in your record, and flags the issues that most commonly cause deliverability problems:

Missing SPF — easiest target for spoofing.
Permissive policy (+all) — allows any server to send mail as your domain.
Neutral policy (?all) — receiving servers won't act on the result.
Too many includes — SPF caps DNS lookups at 10; exceeding that returns PermError.
Mechanism breakdown — every include, ip4, ip6, a, mx, exists rendered as a table so you know exactly what's in your record.

SPF qualifiers explained

+ (pass) — the listed source is authorized. Default if no qualifier given.
- (fail) — the listed source is NOT authorized. Mail rejected.
~ (soft fail) — probably not authorized. Mail accepted but marked.
? (neutral) — explicit non-statement. No effect on outcome.

Common mistakes

Multiple SPF records on one domain

You can only have one SPF record per domain. If you have two (e.g. one from your ESP and one from Microsoft 365), both will be ignored. Merge them into a single record using include:.

Hitting the 10-lookup limit

Every include, a, mx, exists, or redirect mechanism counts as a DNS lookup. If your record requires more than 10 to fully resolve, SPF returns PermError and most receivers treat it as a fail. Flatten common includes or use SPF macros if you hit this.

Using `+all`

This means "any IP on the internet can send mail as me." Never use it on a production domain. Use -all (strict) or ~all (soft fail during rollout).

Related tools

DMARC Checker — verify your DMARC policy
DKIM Checker — look up your DKIM public key
Email Address Validator — check if an email is real

Need to run this at scale?

BounceBlocker validates emails in bulk, monitors blacklists, and tests inbox placement — all in one platform.

Start Free →