SPF Record Checker — Verify Your SPF Setup
Check if your domain has a valid SPF record. Instant lookup, plain-English analysis, score out of 100.
SPF Record Checker
Enter your domain to look up its SPF record, analyse the configuration and get a health score with fix recommendations.
What Is an SPF Record?
An SPF record is a DNS TXT record that tells the world which mail servers are allowed to send email from your domain. When someone receives an email claiming to be from you, their mail server looks up your SPF record and checks whether the sending IP address is on the list.
Think of it as a guest list for your domain's email. If a server is on the list, the message passes SPF. If it is not on the list, the receiving server knows something is wrong — the message may be spoofed.
How SPF Works — Step by Step
- A sender sends an email from your domain
- The receiving server extracts the envelope sender (Return-Path domain)
- The receiver queries DNS for TXT records on that domain
- It finds the record starting with
v=spf1 - The sending IP is compared against the SPF mechanisms (include, ip4, a, mx)
- Result: Pass, SoftFail, Fail, or Neutral
SPF Record Syntax Explained
| Mechanism | Purpose | Example |
|---|---|---|
| v=spf1 | Version tag — must be at the start | v=spf1 |
| include: | Authorise another domain's SPF record | include:_spf.google.com |
| ip4: | Authorise a specific IPv4 address or range | ip4:192.0.2.0/24 |
| ip6: | Authorise a specific IPv6 address or range | ip6:2001:db8::/32 |
| a | Authorise the domain's A record IP | a |
| mx | Authorise the domain's MX record IPs | mx |
| -all | Hard fail — reject unauthorised senders | -all (recommended) |
| ~all | Soft fail — accept but flag as suspicious | ~all (weaker) |
Why Your Domain Needs an SPF Record
Deliverability Impact
Without SPF, your emails are more likely to land in spam. Gmail, Outlook and Yahoo use SPF as a first-pass authentication filter. Since February 2024, Gmail requires valid SPF for all senders sending more than 5,000 messages per day. Even low-volume senders benefit — SPF is table stakes for inbox placement.
Spoofing Protection
SPF prevents unauthorised servers from sending email that appears to come from your domain. Without it, an attacker can use any mail server to send messages with your domain in the Return-Path. This is used in phishing, business email compromise and brand impersonation.
SPF and DMARC Alignment
SPF is one of two authentication mechanisms that DMARC relies on — the other is DKIM. For DMARC alignment, the domain in the Return-Path must match the domain in the visible From header. SPF alone checks the Return-Path but does not enforce this match — DMARC does.
Common SPF Mistakes and How to Fix Them
Too Many DNS Lookups (10-Lookup Limit)
Every include:, a:, mx: and redirect= in your SPF record counts as a DNS lookup. The limit is 10. When you exceed it, the entire SPF check returns PermError — not just the mechanisms past the limit. Fix: flatten nested includes into ip4: ranges where possible, or use an SPF flattening service.
Using +all Instead of -all or ~all
+all means "allow any server on the internet to send email from my domain." This is functionally the same as having no SPF record at all. Fix: use -all (hard fail) for maximum protection, or ~all (soft fail) if you are still identifying all legitimate senders.
Forgetting to Include Third-Party Senders
Your marketing platform, CRM, helpdesk, transactional email service and even your website's contact form may all send email from your domain. Each needs an include: directive in your SPF record. Fix: audit every service that sends email on your behalf and add the appropriate include.
Multiple SPF Records on the Same Domain
The SPF specification allows only one TXT record starting with v=spf1 per domain. If you have two, the SPF check fails with PermError. This commonly happens when switching email providers and forgetting to remove the old record. Fix: merge all mechanisms into a single record.
How to Set Up SPF for NexusProMail
- Log in to your DNS provider (Cloudflare, Route 53, GoDaddy, etc.)
- Add or update a TXT record for your root domain with NexusProMail's include directive
- Wait 1-4 hours for DNS propagation
- Use the checker above to verify the record is published correctly
Complete Your Email Authentication
SPF Record FAQ
What is an SPF record?
An SPF (Sender Policy Framework) record is a DNS TXT record that lists which mail servers are authorised to send email on behalf of your domain. It helps receiving servers decide whether an incoming message is legitimate or spoofed.
How do I check my SPF record?
Enter your domain in the checker above. It performs a DNS lookup for TXT records containing v=spf1, analyses the mechanisms and modifiers, and gives you a configuration health score with specific warnings and recommendations.
What happens if I don't have an SPF record?
Without SPF, any mail server can send email pretending to be from your domain. Most inbox providers (Gmail, Outlook, Yahoo) will either reject these messages or send them to spam. Since February 2024, Gmail requires a valid SPF record for all bulk senders.
Can I have multiple SPF records?
No. The SPF specification requires exactly one SPF record per domain. If you have two TXT records starting with v=spf1, the entire SPF check fails with a PermError. Merge all your authorised senders into a single record.
What does ~all vs -all mean in SPF?
"-all" (hard fail) tells receivers to reject messages from unauthorised IPs. "~all" (soft fail) tells receivers to accept but mark as suspicious. "-all" provides stronger protection. "+all" allows any server to send as your domain — never use this.
How many DNS lookups can an SPF record have?
SPF is limited to 10 DNS lookups. Each "include:", "a:", "mx:" and "redirect=" directive counts as one lookup. Nested includes in the targets count too. Exceeding 10 lookups causes the entire SPF check to fail — not just the mechanisms beyond the limit.
Does SPF alone prevent email spoofing?
No. SPF checks the envelope sender (Return-Path), not the visible From header. An attacker can pass SPF with their own domain while spoofing your domain in the From header. You need DMARC with SPF alignment to close this gap.