SPF (Sender Policy Framework) is a DNS-based email authentication method that specifies which mail servers are authorized to send email on behalf of your domain. Our free SPF validator checks your record syntax, resolves all include chains, counts DNS lookups against the 10-lookup limit, and identifies potential deliverability issues.
Comprehensive analysis powered by Vysiro's scanning engines
Complete SPF record syntax validation
DNS lookup count verification (10-lookup limit)
Include chain resolution and flattening
IP address and CIDR range validation
Mechanism order analysis
Redundant mechanism detection
All/redirect qualifier check
SPF record flattening recommendations
Get results in seconds with our automated scanning process
Enter your domain name in the scanner
We query DNS for your SPF TXT record
Our engine recursively resolves all include mechanisms
We count total DNS lookups and check the 10-lookup limit
Each mechanism is validated for syntax and effectiveness
You get a detailed report with optimization suggestions
Everything you need to know about spf record validator
An SPF record is a DNS TXT record that specifies which IP addresses and mail servers are authorized to send email from your domain. Receiving servers check the SPF record to verify that incoming mail from your domain comes from an authorized source.
The SPF specification (RFC 7208) limits DNS lookups during SPF evaluation to 10. Each 'include', 'a', 'mx', 'ptr', 'exists', and 'redirect' mechanism counts as one lookup. Exceeding this limit causes SPF validation to fail with a permerror, potentially blocking legitimate emails.
Reduce DNS lookups by flattening include mechanisms to direct IP addresses, removing unused email services, consolidating multiple includes, and using Vysiro's SPF flattening feature. Replace include mechanisms with ip4/ip6 mechanisms where possible.
A typical SPF record looks like: v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:203.0.113.0/24 -all. Start with v=spf1, list all authorized senders, and end with -all (hard fail) for maximum security.
The -all mechanism (hard fail) tells receivers to reject emails from unauthorized sources, while ~all (soft fail) marks them as suspicious but still delivers them. For maximum protection, use -all once you have confirmed all legitimate email sources are included.
No, you should have only one SPF record per domain. Having multiple SPF records causes a permerror and SPF validation will fail. If you need to authorize multiple services, combine them into a single record using include mechanisms.
Continue your domain security analysis
Analyze DMARC records and email authentication policies instantly.
Use toolCheck DKIM key existence, configuration, and selector validation.
Use toolLook up and analyze mail exchange records and mail routing.
Use toolGet an instant composite trust score (0-1000) across 29 security categories.
Use toolGet continuous monitoring, automated fixes, proof packs, and API access. Protect your domains with Vysiro's agentless attack-surface monitor.