DNSTrack Logo
SSL Checker Email Verifier SPF Record Checker DMARC Checker DKIM Checker

SPF Record Checker & Generator

Check and validate SPF records, prevent email spoofing, and generate custom SPF records for your domain

Check SPF Record

Generate SPF Record

Enter authorized IPv4 addresses separated by commas
Enter authorized IPv6 addresses separated by commas
Select one or more email service providers, or add custom domains below
Add custom include domains not listed above, separated by commas
Defines how to handle emails from unlisted sources

Understanding SPF Records

SPF (Sender Policy Framework) is an email authentication method that helps prevent email spoofing by specifying which mail servers are authorized to send email on behalf of your domain. It's a critical component of email security and deliverability.

Why SPF Records Matter

SPF records are essential for email security and reputation because they:

  • Prevent Email Spoofing: Stop spammers from sending emails that appear to come from your domain
  • Improve Deliverability: Emails from your domain are more likely to reach recipients' inboxes
  • Protect Brand Reputation: Prevent your domain from being used in phishing or spam campaigns
  • Comply with Standards: Meet email authentication requirements set by major email providers
  • Reduce Bounce Rates: Properly configured SPF reduces email rejections
  • Enable DMARC: SPF is a prerequisite for implementing DMARC email authentication

SPF Record Structure

A typical SPF record looks like this:

v=spf1 ip4:192.0.2.1 include:_spf.google.com mx -all

Breaking down the components:

  • v=spf1: Identifies the SPF version (always v=spf1)
  • ip4/ip6: Specifies authorized IP addresses
  • include: Includes SPF record from another domain
  • a: Authorizes the domain's A record IP
  • mx: Authorizes the domain's MX record servers
  • all: Defines policy for unlisted sources

SPF Qualifiers Explained

+ (Pass): Explicitly authorizes the source. Usually omitted as it's the default.

- (Fail/Hard Fail): Rejects emails from unauthorized sources. Recommended for strict security (e.g., -all).

~ (Soft Fail): Accepts but marks as suspicious. Used during testing or transition periods (e.g., ~all).

? (Neutral): No policy specified. Not recommended as it provides no protection (e.g., ?all).

Common SPF Mechanisms

  • ip4 / ip6: Direct IP authorization (e.g., ip4:192.0.2.1)
  • include: Include another domain's SPF record (e.g., include:_spf.google.com)
  • a: Authorize servers listed in domain's A/AAAA records
  • mx: Authorize servers listed in domain's MX records
  • exists: Conditional authorization based on DNS lookup
  • ptr: Deprecated mechanism, should not be used

SPF Limitations and Best Practices

  • 10 DNS Lookup Limit: Maximum of 10 mechanisms that require DNS lookups (include, a, mx, exists, redirect)
  • One SPF Record: Only one SPF record allowed per domain
  • 255 Character Limit: Single DNS TXT record limited to 255 characters
  • Regular Updates: Update SPF when adding/removing email services
  • Test Before Deployment: Use ~all for testing before switching to -all
  • Combine with DKIM and DMARC: Implement all three for complete email authentication
  • Avoid ptr Mechanism: It's deprecated and causes unnecessary DNS lookups
  • Use include Wisely: Each include counts toward the 10 lookup limit

Common Email Service Provider SPF Records

  • Google Workspace/Gmail: include:_spf.google.com
  • Microsoft 365/Outlook: include:spf.protection.outlook.com
  • SendGrid: include:sendgrid.net
  • Mailchimp: include:servers.mcsv.net
  • Amazon SES: include:amazonses.com
  • Zoho Mail: include:zoho.com

Instant Validation

Check and validate SPF records in real-time with detailed analysis

Smart Generator

Create custom SPF records with our easy-to-use generator tool

Error Detection

Identify issues like excessive DNS lookups and syntax errors

Frequently Asked Questions

What is an SPF record?

SPF (Sender Policy Framework) is an email authentication method that specifies which mail servers are authorized to send email on behalf of your domain. It's published as a DNS TXT record and helps prevent email spoofing by allowing receiving mail servers to verify that incoming mail from a domain comes from an authorized server.

How do I check my SPF record?

Enter your domain name in the SPF checker tool above and click "Check SPF Record". We'll retrieve your DNS TXT records, identify your SPF record, parse all mechanisms and qualifiers, validate the syntax, check for common issues, and display detailed results including warnings about potential problems.

What should my SPF record look like?

A typical SPF record looks like: v=spf1 ip4:192.0.2.0 include:_spf.google.com mx -all. It must start with v=spf1, list authorized sources (IP addresses, includes, etc.), and should end with an "all" mechanism defining how to handle unlisted sources. The recommended ending is -all for maximum security.

What does -all mean in SPF?

-all (hard fail) means reject emails from servers not listed in the SPF record. ~all (soft fail) means accept but mark as suspicious. ?all (neutral) means no policy. +all allows any server (not recommended). Most domains should use -all for strict enforcement or ~all during testing.

How many DNS lookups can an SPF record have?

SPF records are limited to a maximum of 10 DNS lookups. This limit prevents excessive DNS queries. Mechanisms that count toward this limit include: include, a, mx, exists, and redirect. If your SPF record exceeds 10 lookups, validation will fail. Use direct IP addresses instead of mechanisms when possible to reduce lookups.

Can I have multiple SPF records?

No, you can only have ONE SPF record per domain. Multiple SPF records will cause authentication failures. If you need to authorize multiple sources, combine them into a single SPF record using mechanisms like ip4, include, and mx. Use our SPF generator to create a comprehensive record.

How do I add an SPF record to my DNS?

Log into your DNS provider (where your domain is hosted), navigate to DNS management, add a new TXT record with hostname "@" or your domain name, and paste your SPF record as the value. Changes typically propagate within 24-48 hours. After adding, use our checker to verify it's working correctly.

What is the include mechanism in SPF?

The include mechanism references another domain's SPF record. For example, include:_spf.google.com authorizes Google's mail servers. This is useful for third-party email services. Each include counts as a DNS lookup, so use them carefully to stay within the 10 lookup limit.

Why is my SPF record failing validation?

Common reasons include: exceeding 10 DNS lookups, multiple SPF records, syntax errors, missing v=spf1 prefix, no "all" mechanism at the end, using deprecated ptr mechanism, or character limit exceeded. Use our checker to identify specific issues with your SPF record.

What's the difference between SPF, DKIM, and DMARC?

SPF specifies authorized mail servers, DKIM adds a digital signature to emails, and DMARC tells receiving servers how to handle authentication failures. All three work together: SPF and DKIM provide authentication methods, while DMARC provides policy and reporting. Implementing all three provides the best email security and deliverability.