Get a FREE .NL, .BE, .EU, or .COM domain with any hosting package! Claim your free domain!
TheHostMasters
Navigation
Hosting Plans
Domain Registration
Blog
Free Tools
About Us
Services
Services
Free Domain Offer
Get a free .NL, .BE, .EU, or .COM with any hosting plan.
Claim now
Contact & Support
Get Started Today
NLEN
Free SPF Checker

SPF Record Checker

Check your SPF record instantly. Verify your record syntax, analyse mechanisms, inspect include chains, detect misconfigurations and validate your email authentication setup.

Record SyntaxMechanismsInclude ChainsIP RangesDNS LookupsDefault PolicyQualifiers

Useful for diagnosing email deliverability issues, preventing spoofing and ensuring your domain's SPF record is correctly configured.

Validate SPF Syntax

Ensure your SPF record is correctly formatted and parseable by mail servers.

Inspect Mechanisms

Review all mechanisms such as ip4, ip6, a, mx, include and their qualifiers.

Resolve Include Chains

Recursively expand include: directives to see all authorised senders.

Check DNS Lookup Limit

Detect whether your record exceeds the RFC 7208 limit of 10 DNS lookups.

What can you check with this SPF tool?

This SPF checker lets you inspect every detail of a domain's SPF record. You can verify whether a record exists, whether its syntax is valid, which mail servers are authorised to send on behalf of the domain and how nested include chains resolve.

SPF records are a critical layer of email authentication. A missing, broken or over-complicated SPF record can cause legitimate emails to land in spam or be outright rejected. This tool helps you quickly diagnose and fix your SPF configuration.

SPF details you can inspect

Raw SPF Record

Displays the full TXT record exactly as published in DNS, so you can spot typos or unexpected entries at a glance.

Mechanisms

Lists every mechanism in the record, such as ip4, ip6, a, mx and include, along with its qualifier (pass, fail, softfail or neutral).

Include Chains

Recursively resolves all include: directives so you can see the full tree of authorised senders, even across third-party providers.

IP Ranges (ip4 / ip6)

Shows every IP address and CIDR range that is explicitly authorised to send mail for the domain.

Default Policy (all)

Identifies how the record handles mail from unauthorised senders, pass (+all), softfail (~all), fail (-all) or neutral (?all).

DNS Lookup Count

Counts the number of DNS lookups required to evaluate the record. RFC 7208 limits this to 10; exceeding it causes evaluation to fail.

Qualifiers

Shows the qualifier prefix on each mechanism (+, -, ~, ?) so you know exactly what action a receiving server will take for each sender.

Circular Include Detection

Detects circular include references that would cause infinite loops during SPF evaluation and flags them immediately.

When should you use an SPF checker?

  • Before going live with a new domain
  • After adding a new email provider or marketing tool
  • When legitimate emails are landing in spam
  • When recipients report bounced or rejected mail
  • To verify that third-party senders are authorised
  • To check you are within the 10 DNS lookup limit
  • To audit your overall email authentication setup

Frequently Asked Questions

SPF stands for Sender Policy Framework. An SPF record is a DNS TXT record that specifies which mail servers are authorised to send email on behalf of your domain. Receiving mail servers check this record to decide whether to accept, flag or reject incoming messages.

Without an SPF record, anyone can send email pretending to be from your domain. This makes your domain vulnerable to spoofing and phishing attacks. It also causes legitimate emails to be more likely to end up in spam folders, since receiving servers have no way to verify the sender's identity.

Each mechanism in an SPF record can be prefixed with a qualifier that tells receiving servers what to do when a match is found. + (Pass) means the sender is authorised, this is the default when no qualifier is given. - (Fail) means the sender is not authorised and the message should be rejected. ~ (SoftFail) means the sender is probably not authorised but the message should be accepted and marked. ? (Neutral) means no policy is stated.

~all (SoftFail) instructs receiving servers to accept the message but mark it as suspicious. Most servers will deliver it to the inbox or junk folder. -all (Fail) is a hard reject, it tells receiving servers to refuse mail that does not match any mechanism in the record. For production domains, -all is the recommended setting once you are confident all legitimate senders are listed.

RFC 7208 limits SPF evaluation to a maximum of 10 DNS lookups. Mechanisms that trigger lookups include include:, a, mx, ptr and exists. If your record requires more than 10 lookups to fully evaluate, receiving servers must return a PermError, which can cause legitimate emails to be rejected. Use this checker to see exactly how many lookups your record requires.

No. A domain must have exactly one SPF record. If multiple TXT records starting with v=spf1 exist, receiving mail servers will return a PermError and SPF evaluation will fail entirely. If you use multiple email providers, you should combine all authorised senders into a single SPF record using include: mechanisms.

The include: mechanism tells the receiving server to look up the SPF record of another domain and treat it as part of your own. This is commonly used to authorise third-party email providers such as Google Workspace, Mailchimp or SendGrid. Each include: counts as one DNS lookup towards the limit of 10.

These are three complementary email authentication standards. SPF verifies that the sending server is authorised to send mail for the domain. DKIM adds a cryptographic signature to the email so the content can be verified as unaltered. DMARC builds on both SPF and DKIM and lets you define a policy for how receiving servers should handle messages that fail authentication. All three should be configured together for strong email security.

SPF alone is not enough to guarantee inbox delivery. Common reasons emails still land in spam despite having an SPF record include: a misconfigured record that does not cover all sending servers, exceeding the 10 DNS lookup limit, missing DKIM or DMARC records, poor sender reputation, or the email content itself being flagged. Use this checker to rule out SPF issues first.

A PermError (Permanent Error) means the SPF record is invalid and cannot be evaluated. Common causes are exceeding the 10 DNS lookup limit, having more than one SPF record published, or a syntax error in the record. A PermError is treated similarly to a fail by many receiving servers, so it is important to resolve these issues promptly.

An SPF record is a TXT record added to your domain's DNS. A basic record looks like v=spf1 include:_spf.google.com ~all. You start with the version tag v=spf1, then list your authorised senders using mechanisms like include:, ip4: or mx, and end with an all mechanism to define the default policy. Add it as a TXT record at the root of your domain in your DNS provider's control panel.

DNS changes typically propagate within a few minutes to a few hours, depending on the TTL (Time To Live) set on your DNS records and your DNS provider. In most cases you can expect changes to be visible globally within 24 to 48 hours, though it is often much faster in practice.

A circular include occurs when domain A includes domain B, which in turn includes domain A, creating an infinite loop. This causes SPF evaluation to fail with a PermError. This checker detects circular references and flags them so you can fix the offending record.

Enter your domain name into the SPF checker above. The tool will look up your domain's TXT records, identify the SPF record, parse all mechanisms and recursively resolve any include chains, giving you a full breakdown of your email authentication configuration in seconds.

When you enter a domain, the tool performs a DNS TXT lookup to find the SPF record. It then parses each mechanism and qualifier, and recursively resolves any include: directives to build a full picture of all authorised senders. It also checks for common issues such as multiple SPF records, circular includes and exceeding the RFC 7208 DNS lookup limit.

You should check your SPF record whenever you add or remove an email provider, set up a new marketing or transactional email tool, or notice a drop in email deliverability. It is also good practice to audit it periodically, third-party providers sometimes change their own SPF records, which can affect your lookup count or break authorisation without any action on your part.

Yes, this SPF checker is completely free. Enter any domain and get a full breakdown of its SPF record and mechanism tree instantly, with no account or sign-up required.
News & Articles

The Latest News and Articles

View All