SysAdmin Tools

An SPF lookup retrieves and analyses the Sender Policy Framework (SPF) TXT record for a domain — the DNS record that specifies which mail servers are authorised to send email on behalf of that domain. SPF is the first line of defence against email spoofing and phishing, and a correctly configured SPF record is required by Google, Microsoft, and other major email providers to avoid messages being marked as spam.

When a receiving mail server accepts an incoming email, it checks the SPF record of the sending domain. If the sending mail server's IP address is listed in the SPF record, the message passes SPF authentication. If it is not listed, the message fails — and depending on the domain's DMARC policy, may be rejected or quarantined.

Our SPF lookup tool queries the live DNS record for any domain, displays the raw SPF string, and breaks it down into its component mechanisms: include statements, ip4 and ip6 ranges, redirect modifiers, and the all qualifier. Whether you are setting up a new email provider, auditing an existing configuration, or troubleshooting delivery failures, this tool gives you an immediate view of what is published.

SPF records are limited to 10 DNS lookups (mechanisms that trigger additional DNS queries, such as include: and a:). Exceeding this limit causes SPF evaluation to fail permanently, even if the sending server is authorised. This tool helps you spot records that are approaching or have exceeded the DNS lookup limit.

How to Use the SPF Lookup Tool

  1. 1

    Enter the domain name

    Type the domain you want to check — for example, example.com. Use the root domain, not a subdomain. SPF records are always published at the root of the sending domain.

  2. 2

    Click Lookup

    The tool queries the TXT records for the domain and extracts the SPF record — the one starting with v=spf1. Results appear within seconds.

  3. 3

    Review the raw SPF string

    The full SPF record is displayed so you can verify exactly what is published. The tool also breaks down each mechanism to make it easier to read.

  4. 4

    Check for issues

    Look for the all qualifier at the end — ~all (softfail) or -all (hardfail) are recommended. A missing SPF record or +all (pass everything) is a significant misconfiguration.

Understanding SPF Record Results

An SPF record is a TXT record that begins with v=spf1 followed by a series of mechanisms. Each mechanism defines a set of IP addresses or hostnames that are authorised to send email. The mechanisms are evaluated left to right until a match is found. The most common mechanisms are: include: (delegate to another domain's SPF record — counts as one DNS lookup), ip4: and ip6: (explicitly list IP addresses or CIDR ranges — do not count towards the DNS lookup limit), a: (authorise the domain's A record IP), and mx: (authorise the domain's MX record IPs). The record ends with an all qualifier: -all (hardfail — reject unauthorised senders), ~all (softfail — accept but mark), ?all (neutral), or +all (pass all — never use this).
FieldDescription
v=spf1Version tag — must be the first element. Identifies this TXT record as an SPF record.
include:Delegates SPF evaluation to another domain. Each include: counts as one DNS lookup.
ip4: / ip6:Explicitly authorises an IPv4 or IPv6 address or CIDR range. Does not count towards the DNS lookup limit.
a: / mx:Authorises the IPs from the domain's A or MX records. Each counts as one DNS lookup.
redirect=Replaces the SPF record with the SPF record of another domain. Used to centralise SPF management.
all qualifier-all (hardfail), ~all (softfail), ?all (neutral), +all (pass all). Controls what happens to senders not matching any mechanism.

Common SPF Lookup Use Cases

Verify SPF record after adding a new mail service

When you add a new email sending service (CRM, marketing platform, transactional email), you need to add its include: mechanism to your SPF record. Use SPF lookup to confirm the new mechanism is published and the DNS lookup count stays under 10.

Diagnose emails being marked as spam

If legitimate email from your domain is landing in spam folders, SPF failure is often the cause. Run an SPF lookup to confirm the sending server's IP or domain is covered by your SPF record. Missing or incorrect mechanisms cause SPF to fail, which triggers spam filters.

Audit SPF before a domain migration

Before migrating email to a new provider, verify the existing SPF record. Document all authorised senders so the new SPF record on the new provider includes all required mechanisms and nothing is accidentally dropped.

Check DNS lookup count

SPF is limited to 10 DNS lookups. Domains with many include: mechanisms (multiple marketing platforms, CRMs, security tools) frequently exceed this limit, causing SPF to return PermError. SPF lookup helps you count mechanisms that trigger DNS queries before they cause delivery failures.

SPF Lookup — Frequently Asked Questions

What is an SPF record?
An SPF (Sender Policy Framework) record is a DNS TXT record that lists the mail servers authorised to send email from your domain. Receiving mail servers check the SPF record when they receive email claiming to be from your domain. If the sending server is not in the SPF record, the message fails SPF authentication and may be rejected or marked as spam.
How do I check the SPF record for a domain?
Enter the domain in the SPF lookup tool above and click Lookup. The tool fetches the TXT records for the domain and displays the SPF record — the one starting with v=spf1. You can also check via terminal: dig example.com TXT. Look for the line starting with "v=spf1" in the results.
What does -all vs ~all mean in SPF?
-all (hardfail) tells receiving servers to reject email from senders not listed in the SPF record. ~all (softfail) tells them to accept but mark the message. Most security experts recommend -all for domains that have DMARC with p=reject or p=quarantine already configured, and ~all as a safe starting point. +all means accept everything — never use it, as it effectively disables SPF protection.
What is the SPF 10 DNS lookup limit?
The SPF specification limits evaluation to 10 DNS lookups — each include:, a:, mx:, exists:, and redirect= mechanism counts as one lookup. If evaluation requires more than 10 DNS queries, SPF returns PermError (permanent error), causing SPF to fail for all senders regardless of whether they are authorised. This commonly happens when domains include many third-party mail services.
Why does my email fail SPF even though I have an SPF record?
Common causes: (1) The sending server's IP is not covered by any mechanism in your SPF record — check if the email service is missing from your include: list. (2) The SPF record has exceeded 10 DNS lookups — add more ip4: ranges instead of include: references. (3) There are multiple SPF records for the domain — only one v=spf1 TXT record is allowed; merge them into one.
Can a domain have more than one SPF record?
No. The SPF specification allows only one SPF record per domain (one TXT record starting with v=spf1). If a domain has multiple SPF records, SPF evaluation returns PermError. All authorised senders must be listed in a single SPF record. Use the SPF lookup tool to check how many v=spf1 TXT records are published for your domain.
What is SPF flattening?
SPF flattening is the practice of resolving all include: mechanisms to their underlying IP addresses and replacing them with ip4: and ip6: ranges. This eliminates DNS lookups and prevents PermError from the 10-lookup limit. The downside is that when the included service changes its IP ranges, your flattened SPF record goes out of date. Some services offer automated SPF flattening with macros to keep records current.
Is SPF enough to protect my domain from email spoofing?
SPF alone is not enough. SPF only checks the envelope sender (the MAIL FROM address used during SMTP), not the From: header that users see. A spoofer can pass SPF using their own domain while spoofing your domain in the visible From: header. DMARC ties SPF (and DKIM) results to the visible From: header, so you need all three — SPF, DKIM, and DMARC — for complete email authentication.
What does SPF "include:" do?
An include: mechanism tells the receiving server to also check the SPF record of another domain. For example, include:_spf.google.com authorises all Google Workspace mail servers to send from your domain. Each include: counts as one DNS lookup. If the included domain's SPF record itself has include: statements, those count towards your 10-lookup limit too.
How do I add a new email service to my SPF record?
Find the SPF include: mechanism provided by your email service (usually in their setup documentation). Add it to your existing SPF record before the all qualifier. For example, if your current record is "v=spf1 include:_spf.google.com ~all" and you add Mailchimp, it becomes "v=spf1 include:_spf.google.com include:servers.mcsv.net ~all". Then use SPF lookup to confirm the new record is published.

Related Tools

DKIM Lookup

Check the DKIM public key that authenticates email signatures alongside SPF.

DMARC Lookup

Review the DMARC policy that ties SPF and DKIM results to the visible From header.

MX Lookup

Check mail server records to verify the full email configuration for a domain.

DNS Lookup

Query all TXT records for the domain to see SPF alongside other DNS configuration.