Guide
This free SPF checker looks up a domain's SPF record, expands every include: reference, counts the DNS lookups against the 10-lookup limit, and flags configuration problems.
How to check an SPF record
- Enter a domain (e.g. example.com — pasting a full URL or an email address also works).
- Click "Check SPF". The tool fetches the domain's TXT records and finds the one starting with v=spf1.
- Read the verdict: the record itself, every referenced record expanded, the DNS lookup count, and a list of errors and warnings.
What the checker validates
| Check | Why it matters |
|---|---|
| Record exists and there is exactly one | Zero records means no protection; two or more cause a permanent error (permerror) |
| Syntax of every mechanism | Unknown terms make receivers return permerror |
| DNS lookup count ≤ 10 | include, a, mx, exists, ptr, and redirect each consume a lookup, counted across all includes; over 10 is permerror |
| all qualifier | +all and ?all provide no protection; ~all (softfail) or -all (fail) is recommended |
| Deprecated ptr | Slow, unreliable, and deprecated by RFC 7208 |
| Referenced records resolve | An include: pointing at a domain with no SPF record is a hidden failure |
Example
Checking example.com might return v=spf1 include:_spf.google.com ~all. The tool then fetches _spf.google.com, which includes three more Google netblock records, and reports 4 of 10 DNS lookups used — a healthy record ending in ~all.
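The checks from the table and the 4-of-10 count in this example, as an added Python sketch (not the tool's own code). DNS is replaced by a constructed `ZONE` dictionary; the netblock record names, the address ranges, `bad.example`, and the function name `check_spf` are assumptions made for illustration.

```python
import re

# Constructed TXT data standing in for DNS (not live answers), shaped like the example above.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "bad.example": ["v=spf1 ptr mx include:missing.example +all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}

def check_spf(domain, zone=ZONE):
    """Return (lookup_count, errors, warnings) for domain, following includes."""
    errors, warnings, seen = [], [], set()
    def walk(name, top):
        records = [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]
        if len(records) != 1:
            errors.append(f"{name}: expected exactly one SPF record, found {len(records)}")
            return 0
        count = 0
        for term in records[0].split()[1:]:
            m = re.match(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", term, re.I)
            mech = m.group(2).lower() if m else None
            if mech not in KNOWN_TERMS:
                errors.append(f"{name}: unknown term {term!r} (permerror)")
                continue
            qual, arg = m.group(1) or "+", m.group(3) or ""
            if mech in LOOKUP_TERMS:
                count += 1  # counted across all includes
            if mech == "ptr":
                warnings.append(f"{name}: ptr is deprecated by RFC 7208")
            if mech == "all" and top and qual in "+?":
                warnings.append(f"{name}: {qual}all provides no protection")
            if mech in ("include", "redirect") and "%{" in arg:
                warnings.append(f"{name}: macro target {arg!r} counted but not fetched")
            elif mech in ("include", "redirect") and arg not in seen:
                seen.add(arg)  # expand each target once so include loops terminate
                count += walk(arg, False)
        return count

    total = walk(domain, True)
    if total > 10:
        errors.append(f"{domain}: {total} DNS lookups exceed the limit of 10 (permerror)")
    return total, errors, warnings
```

`check_spf("bad.example")` exercises the failure rows of the table: a deprecated ptr, a +all qualifier, and an include: whose target publishes no SPF record.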
When SPF alone is not enough
SPF only validates the envelope sender and breaks on forwarding. Pair it with DKIM signing and a DMARC policy so receivers can authenticate the visible From address — you can verify those with the DKIM checker and DMARC checker.
Limitations
- Macros (%{i} and friends) cannot be expanded statically, so records behind macros are counted but not fetched.
- The tool checks the published DNS record, not live mail flow; a passing record does not guarantee inbox placement.


