An SPF record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. Defined in RFC 7208, SPF prevents email spoofing and improves deliverability. Paste your SPF TXT record value below to validate each mechanism, check the DNS lookup count, and catch syntax errors.
Load Example
Validation Checks
Mechanism Breakdown
SPF Syntax Reference (RFC 7208)
Mechanisms
| all | Match everything (used as last mechanism). No DNS lookup. |
| include: | Include another domain's SPF policy. Requires DNS lookup. |
| a | Match domain's A/AAAA record IP. Requires DNS lookup. |
| mx | Match domain's MX record IPs. Requires DNS lookup. |
| ip4: | Match specific IPv4 address or CIDR range. No DNS lookup. |
| ip6: | Match specific IPv6 address or CIDR range. No DNS lookup. |
| exists: | Match if domain exists in DNS. Requires DNS lookup. |
| redirect= | Use another domain's SPF policy instead. Requires DNS lookup. |
| ptr | Match reverse DNS. Deprecated — avoid using. |
Qualifiers
| + | Pass — server is authorized (default when omitted) |
| - | Fail — server is NOT authorized; reject email |
| ~ | SoftFail — probably not authorized; accept but mark suspicious |
| ? | Neutral — no policy statement |
Best practice: End your SPF record with -all (hard fail) for maximum security, or ~all (softfail) during initial deployment.
How to Use This SPF Record Validator
SPF (Sender Policy Framework) is the first line of email authentication defense, telling the world which servers are allowed to send email for your domain. A misconfigured SPF record causes legitimate emails to be marked as spam or rejected outright. This SPF record validator parses your record against RFC 7208 and flags every problem with mechanism-level detail.
Step 1: Find Your SPF Record
Your SPF record is a TXT record in your domain's DNS. You can find it by looking up DNS TXT records for your domain using a tool like dig TXT yourdomain.com or using the DNS Records Checker above. The SPF record value starts with v=spf1. Paste only the value (not the full TXT record with quotes or TTL), though this validator strips surrounding quotes automatically.
Step 2: Understand the Mechanism Breakdown
After validation, each mechanism in your SPF record is displayed with its qualifier (pass/fail/softfail/neutral), type, and argument. Mechanisms that require DNS lookups (include, a, mx, exists, redirect) are counted toward the RFC 7208 limit of 10. The DNS lookup counter is shown prominently — if you exceed 10, receiving servers will treat your SPF as invalid even if the syntax is correct. Common solutions include combining includes or removing unused mechanisms.
Step 3: Fix Common SPF Problems
The most common SPF mistakes are: missing the v=spf1 version tag; forgetting the all terminator; exceeding 10 DNS lookups by adding too many email service providers; having multiple SPF TXT records for the same domain (not allowed — merge into one); and using the deprecated ptr mechanism. This validator catches all of these and shows exactly which mechanism is causing the issue.
SPF and DMARC Work Together
SPF alone is not sufficient for full email authentication. For best email deliverability and phishing protection, implement all three: SPF (which servers can send), DKIM (message content signing), and DMARC (policy for when SPF/DKIM fail). Once your SPF record passes validation here, use the DKIM Record Validator and DMARC Record Validator to complete your email authentication stack. With all three properly configured, your domain achieves full DMARC alignment and maximum protection against spoofing.
FAQ
What is an SPF record and why does it matter?
An SPF (Sender Policy Framework) record is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. Defined in RFC 7208, SPF helps prevent email spoofing by allowing receiving mail servers to verify that incoming mail from your domain comes from a server you've authorized. Without a valid SPF record, your emails are more likely to land in spam folders, and attackers can more easily forge emails that appear to come from your domain.
What does this SPF validator check?
This validator parses your SPF record against RFC 7208 and checks: that the record starts with 'v=spf1'; that all mechanisms (include, ip4, ip6, a, mx, all, exists, redirect, exp) are correctly formatted; that IP addresses use valid CIDR notation; that the record ends with an 'all' mechanism; that there are no duplicate mechanisms; that the DNS lookup count stays at or below 10; and that deprecated 'ptr' mechanism is flagged. Each check shows pass, warning, or fail status.
What is the DNS lookup limit in SPF?
RFC 7208 limits SPF records to 10 DNS lookups during evaluation. Mechanisms that require DNS lookups include: include, a, mx, exists, and redirect. Exceeding 10 lookups causes SPF evaluation to fail with a 'permerror', meaning receiving servers will treat your SPF as invalid. Common causes include nesting too many 'include' directives (e.g., each cloud email provider adds 1-3 lookups) or using too many 'a' and 'mx' mechanisms. This validator counts and warns when you approach or exceed the limit.
What do the SPF qualifiers (+, -, ~, ?) mean?
SPF qualifiers control what action receivers take for emails from matched mechanisms. The + qualifier (pass, default if omitted) means the server is authorized to send. The - qualifier (fail) means the server is NOT authorized; receiving servers should reject the email. The ~ qualifier (softfail) means the server is probably not authorized; emails should be accepted but marked as suspicious. The ? qualifier (neutral) means no policy statement is made. Best practice for the 'all' mechanism is '-all' (hard fail) or '~all' (softfail).
Is my data safe when using this tool?
Yes. This SPF record validator runs entirely in your browser. Your SPF record text is parsed using client-side JavaScript and never sent to any server or stored anywhere. All validation logic runs locally on your device.
How do I get an SPF record for Google Workspace or Microsoft 365?
For Google Workspace, use: v=spf1 include:_spf.google.com ~all. For Microsoft 365, use: v=spf1 include:spf.protection.outlook.com ~all. For Zoho Mail, use: v=spf1 include:zoho.com ~all. Add this as a TXT record in your DNS settings at your domain registrar. If you use multiple email services (e.g., both Google and a marketing platform like Mailchimp), you must combine all includes in a single SPF record — having multiple SPF records for the same domain is invalid per RFC 7208.