
About

Email deliverability hinges on trust. When an email server receives a message claiming to be from your domain, it consults the Sender Policy Framework (SPF) to verify the sender's identity. If this handshake fails, your critical communications end up in the spam folder, or worse, are rejected entirely.

This tool acts as a forensic scanner for your SPF records. Unlike standard lookup tools that rely on cached server-side queries, this system utilizes DNS-over-HTTPS (DoH) to fetch live records directly from authoritative sources via your browser. This ensures privacy and eliminates propagation delays.

The validator rigorously enforces RFC 7208 standards, paying special attention to the notorious 10-lookup limit. It recursively unpacks every include mechanism, mapping out the entire dependency tree to identify unauthorized senders, broken chains, or syntax errors that threaten your domain reputation.

Tags: dns, email, security, spf, deliverability, sysadmin

Formulas

The core constraint of SPF is the lookup limit, which exists to prevent denial-of-service against DNS infrastructure. The validator calculates the cost $C$ as the sum of the per-mechanism costs:

$C = \sum_{i=1}^{N} \mathrm{cost}(m_i)$

where $m_i$ is the $i$-th of the $N$ mechanisms encountered while evaluating the record, and the condition for validity is:

$C \le 10$

If $C$ exceeds this threshold, the SPF record returns a PermError, and emails may be rejected. Note that `ip4` and `ip6` mechanisms have a cost of 0, while `mx`, `a`, and `include` incur a cost of 1.

Reference Data

| Mechanism | Syntax Example | DNS Cost | Description |
|---|---|---|---|
| Version | `v=spf1` | 0 | Mandatory start of the record. Identifies the text string as an SPF record. |
| IPv4 | `ip4:192.0.2.0/24` | 0 | Authorizes a specific IPv4 address or CIDR range. No DNS lookup required. |
| IPv6 | `ip6:2001:db8::/32` | 0 | Authorizes a specific IPv6 address or CIDR range. No DNS lookup required. |
| Include | `include:_spf.google.com` | 1 | Triggers a recursive lookup of another domain's SPF record. Counts towards the limit. |
| A Record | `a` or `a:mail.example.com` | 1 | Authorizes the IP address listed in the domain's A record. |
| MX Record | `mx` | 1 | Authorizes the IPs of the servers listed in the domain's MX records. |
| All | `-all` or `~all` | 0 | The catch-all policy. `-` (Hard Fail), `~` (Soft Fail), `?` (Neutral). |
| Redirect | `redirect=example.net` | 1 | Replaces the current record entirely with the target domain's record. |

Frequently Asked Questions

The SPF specification (RFC 7208) limits the number of DNS lookups required to evaluate a record to 10. This prevents infinite loops and reduces load on DNS infrastructure. This includes mechanisms like `include`, `a`, `mx`, `ptr`, `exists`, and `redirect`. If your chain involves too many third-party vendors (e.g., Google + Mailchimp + Salesforce + Zendesk), you will easily breach this limit. The solution is often "SPF Flattening": converting dynamic includes into static IP addresses.

`~all` (Soft Fail) tells receiving servers that if the IP isn't listed, they should accept the email but mark it as suspicious. This is safer for testing. `-all` (Hard Fail) explicitly tells servers to reject unauthorized email. You should aim for `-all` once you are confident your list is complete, to prevent spoofing.

A "Void Lookup" occurs when an SPF mechanism references a domain that does not exist or has no DNS records (returns NXDOMAIN). RFC 7208 dictates that if a record generates more than two void lookups, it should fail. This often happens when a vendor cancels a service but you forget to remove their `include` from your DNS.

No. This tool uses "DNS over HTTPS" (DoH) to query public DNS resolvers (Cloudflare). It can only see records that are propagated to the public internet. It cannot validate split-horizon DNS or private intranet records.

It is a violation of the protocol to have multiple TXT records starting with `v=spf1` on the same domain. If this happens, receivers will return `PermError` and likely reject your email. You must merge them into a single string.
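As an added example (not the tool's own code), the following script turns the cost summation from the Formulas section and the FAQ's checks (lookup limit, void lookups, duplicate `v=spf1` records, include loops) into one static chain walker. Live DNS is replaced by a constructed in-memory zone so it runs offline; the domain names, records, and the `ZONE`, `evaluateSpf`, `walk` and `parseTerm` helpers are all assumptions of this example, and a browser build would reimplement `lookupSpf` over a DoH resolver.

```javascript
// Added example, not the tool's own code: a static SPF chain walker that
// tallies the RFC 7208 DNS-lookup budget (C = sum of cost(m_i), valid if C <= 10),
// counts void lookups, and flags duplicate v=spf1 records and include loops.
//
// Constructed zone standing in for live DNS. Each name maps to its TXT records;
// null, or a name absent from the object, resolves as NXDOMAIN (a void lookup).
const ZONE = {
  "good.example":            ["v=spf1 ip4:192.0.2.0/24 include:_spf.vendor-a.example mx -all"],
  "_spf.vendor-a.example":   ["v=spf1 ip4:198.51.100.0/24 a mx ~all"],
  "heavy.example":           ["v=spf1 include:_spf.vendor-a.example include:_spf.vendor-b.example mx a -all"],
  "_spf.vendor-b.example":   ["v=spf1 include:relay1.vendor-b.example include:relay2.vendor-b.example include:relay3.vendor-b.example -all"],
  "relay1.vendor-b.example": ["v=spf1 a -all"],
  "relay2.vendor-b.example": ["v=spf1 a mx -all"],
  "relay3.vendor-b.example": ["v=spf1 a a:backup.vendor-b.example -all"],
  "stale.example":           ["v=spf1 ip4:203.0.113.0/24 include:gone1.example include:gone2.example include:gone3.example -all"],
  "gone1.example":           null,   // vendor cancelled, include left behind
  "dup.example":             ["v=spf1 ip4:203.0.113.5 -all", "v=spf1 mx -all"],
  "loop.example":            ["v=spf1 include:loop.example -all"],
  "redir.example":           ["v=spf1 ip4:192.0.2.1 redirect=good.example"],
};

// Terms that cost one DNS lookup each (RFC 7208 section 4.6.4); ip4, ip6 and
// all cost nothing. The redirect modifier counts like a mechanism.
const LOOKUP_TERMS = new Set(["include", "a", "mx", "ptr", "exists", "redirect"]);
const MECHANISMS = new Set(["all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"]);
const MAX_LOOKUPS = 10;
const MAX_VOID = 2;

// Parse one term: optional qualifier, name, ':' or '=' argument, optional CIDR.
function parseTerm(term) {
  const qualifier = "+-~?".includes(term[0]) ? term[0] : "+";
  const body = term[0] === qualifier ? term.slice(1) : term;
  const m = body.match(/^([a-z0-9]+)(?:([:=])([^/]*))?((?:\/\/?\d+){0,2})$/i);
  if (!m) return { raw: term, invalid: true };
  return { raw: term, qualifier, name: m[1].toLowerCase(), sep: m[2] || null, arg: m[3] || null, cidr: m[4] || null };
}

// Split a record into its terms, dropping the leading v=spf1 version tag.
function parseRecord(txt) {
  return txt.trim().split(/\s+/).slice(1).map(parseTerm);
}

// Return the SPF records published at a name, or null for NXDOMAIN / no data.
function lookupSpf(zone, domain) {
  const txt = zone[domain.toLowerCase()];
  if (txt == null) return null;
  return txt.filter((r) => /^v=spf1(\s|$)/i.test(r));
}

// Recursively walk include/redirect targets, accumulating cost and errors.
function walk(zone, domain, result, path) {
  if (path.includes(domain)) {
    result.errors.push(`${domain}: include/redirect loop via ${path.join(" -> ")}`);
    return;
  }
  const records = lookupSpf(zone, domain);
  if (records === null) { result.voidLookups++; return; }
  if (records.length === 0) { result.errors.push(`${domain}: no SPF record`); return; }
  if (records.length > 1) { result.errors.push(`${domain}: ${records.length} records start with v=spf1`); return; }
  for (const t of parseRecord(records[0])) {
    if (t.invalid) { result.errors.push(`${domain}: unparsable term "${t.raw}"`); continue; }
    if (t.sep !== "=" && !MECHANISMS.has(t.name)) { result.errors.push(`${domain}: unknown mechanism "${t.name}"`); continue; }
    if (LOOKUP_TERMS.has(t.name)) result.lookups++;   // cost(m_i) = 1
    result.terms.push(`${domain}: ${t.raw}`);
    // Only include and redirect pull in another SPF record. a/mx/ptr/exists
    // would need A/MX/PTR data this zone does not model, so they are counted, not resolved.
    if (t.name === "include" || t.name === "redirect") {
      if (!t.arg) { result.errors.push(`${domain}: ${t.name} without a target`); continue; }
      walk(zone, t.arg, result, [...path, domain]);
    }
  }
}

// Evaluate a domain's whole SPF chain and report status, lookup cost and errors.
function evaluateSpf(zone, domain) {
  const result = { domain, lookups: 0, voidLookups: 0, errors: [], terms: [] };
  walk(zone, domain, result, []);
  if (result.lookups > MAX_LOOKUPS) result.errors.push(`too many DNS lookups: ${result.lookups} > ${MAX_LOOKUPS}`);
  if (result.voidLookups > MAX_VOID) result.errors.push(`too many void lookups: ${result.voidLookups} > ${MAX_VOID}`);
  result.status = result.errors.length ? "PermError" : "ok";
  return result;
}

for (const d of ["good.example", "heavy.example", "stale.example", "dup.example", "loop.example", "redir.example"]) {
  const r = evaluateSpf(ZONE, d);
  console.log(`${d}: ${r.status}, ${r.lookups} lookups, ${r.voidLookups} void` + (r.errors.length ? `; ${r.errors.join("; ")}` : ""));
}
```

A receiving server stops evaluating at the eleventh lookup, whereas this walker keeps going so that the full dependency tree is mapped, which is what makes the "heavy.example" report show 14 rather than 11. Because the constructed zone holds only TXT data, void lookups here can only come from `include` and `redirect` targets; a validator with real A/MX resolution would count NXDOMAIN answers for `a` and `mx` mechanisms the same way.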