Speak to an Email Deliverability Consultant FOR FREE

SPF Lookup and SPF Record Checker

Q: What is SPF, and what does an SPF record do?

SPF (Sender Policy Framework) is an email authentication protocol published as a DNS TXT record. The SPF record lists which IP addresses and mail servers are authorized to send email for your domain. Receiving servers check this record to verify emails are coming from legitimate sources.

Q: What is SPF lookup used for?

An SPF lookup retrieves and validates your domain's SPF record from DNS. It checks syntax, counts DNS lookups, identifies configuration errors, and verifies whether specific IPs are authorized. Use it to catch authentication problems before they break email delivery.

Q: How does an SPF record checker help?

An SPF record checker simulates what receiving mail servers do when your emails arrive. It shows whether your SPF is configured correctly, warns when you're approaching the 10-lookup limit, and flags syntax errors that would cause authentication to fail.

Q: How do I check SPF records for my domain?

Enter your domain name in the SPF lookup tool above. Click 'Check SPF Record.' Results appear instantly — validation status, full SPF record string, DNS lookup count, and detailed error explanations.

Q: Can a domain have more than one SPF record?

No. DNS allows only one SPF record per domain. Publishing multiple SPF records causes authentication to fail — receiving servers see conflicting policies and reject both. Combine all authorized sources into a single record.

Q: What is an SPF PermError?

SPF PermError (permanent error) occurs when your record exceeds the 10-lookup limit or has syntax errors. Mail servers treat PermError the same as having no SPF record at all. Authentication fails for every email — even legitimate ones.

Q: What are DNS lookup and void lookup limits?

SPF enforces a maximum of 10 DNS lookups per evaluation. Mechanisms that count toward this limit: include, mx, a, exists, and redirect. Void lookups (mechanisms returning no data) indicate misconfigured or deleted domains. Too many voids suggest broken third-party includes.

Q: How does SPF impact email deliverability?

Receiving servers check SPF during the SMTP handshake. Failed SPF authentication flags your email as potentially spoofed — it's either sent to spam or rejected outright. Failed SPF also damages sender reputation, causing future emails (even authenticated ones) to be deprioritized.

Q: Do I need SPF automation or a hosted SPF service?

If you exceed the 10-lookup limit and can't remove unused sources, consider hosted SPF or SPF automation. These services flatten your record (replace includes with direct IPs) and monitor for changes — maintaining the flattened record as ESPs update their infrastructure.

Validate Your SPF Record and Find Authentication Errors

Run a free SPF record check on any domain — our SPF lookup tool analyzes your DNS configuration, identifies errors, and shows exactly what's failing authentication.

Enter the domain to check SPF records

Trusted by 1000+ companies

Check SPF Record for Any Domain in Seconds

Enter a domain name to run an SPF lookup. Optionally, add an IP address to verify it's authorized by the SPF record. The SPF record checker returns:

Whether an SPF record exists in your DNS zone

DNS lookup count and void SPF lookup warnings

A complete SPF record string with all mechanisms

Validation status (valid, syntax error, or PermError)

Detailed error breakdown when issues are detected

Most receiving servers perform this exact SPF record check when your emails arrive. Run it before you send — catch problems before they break deliverability.

What Our SPF Record Checker Tests

The SPF lookup tool runs four diagnostics on your domain's SPF record:

Free email warmup➔

SPF Record Presence and Syntax

Verifies a single SPF TXT record exists in DNS (multiple records invalidate authentication). Scans for syntax errors — missing spaces after v=spf1, typos in mechanisms, incorrect delimiters, malformed qualifiers. SPF parsers are strict. One syntax error makes the entire record unreadable. Receiving servers ignore it and treat your domain as having no SPF at all.

DNS Lookup and Void Lookup Limits

Counts mechanisms that trigger DNS queries: include, mx, a, exists, and redirect. SPF protocol enforces a maximum of 10 DNS lookups per evaluation. If it exceeds 10, email providers return PermError and stop processing. The checker also counts void lookups (mechanisms that return no data). Too many voids indicate misconfiguration — usually deleted domains or broken third-party includes.

Detected Tags and Mechanisms

Lists every mechanism in your SPF record and what it authorizes, such as IP ranges (ip4, ip6), servers from A or MX records, third-party domains via include, custom logic via exists, and policy delegation via redirect. See exactly which senders are authorized (and which ones you forgot to remove after switching ESPs).

IP Authorization Test

Supply an IP address, and the SPF record checker evaluates whether that IP passes or fails your SPF record. Shows the exact mechanism that matched (or should have matched). Use this to test new mail servers before you send production email through them.

Figuring Out What SPF Lookup Results Mean

The SPF record check classifies issues into categories so you know what broke and how to fix it.

Valid SPF Record

Your record exists, syntax is correct, you're under the 10-lookup limit, and all mechanisms are properly configured. This record authorizes Google Workspace and a specific IP address. Clean configuration — authentication will pass.

Syntax and Formatting Errors

Typos, missing spaces, wrong delimiters, and incorrect version tags. These render the entire record unparsable. As a result, receiving servers can't read your record. They treat it as missing. All authentication fails.

Configuration Errors

The syntax is valid, but you're misusing the mechanisms in your infrastructure. Either you're authorizing too much (security risk) or missing legitimate senders (authentication fails).

Resource Limitation Issues

Your SPF record exceeds protocol limits — usually too many DNS lookups. As a result, email providers stop processing your SPF entirely. Every email fails authentication — including legitimate sends.

Authorization and Third-Party Problems

Missing sending sources or broken includes. Your SPF check fails because of someone else's broken record. You won't know unless you test the included domains separately.

SPF Mechanisms That Authorize Sending Sources

SPF records start with v=spf1 and end with an all qualifier — mechanisms in between define authorized senders.

Mechanism	What It Does	Syntax Example	DNS Lookups
v	Protocol version (always spf1)	v=spf1	0
ip4	Authorizes IPv4 addresses or CIDR ranges	ip4:192.168.0.1 ip4:10.0.0.0/24	0
ip6	Authorizes IPv6 addresses or ranges	ip6:2001:db8::1	0
a	Authorizes IPs in your domain's A records	a or a:example.com	1 per domain
mx	Authorizes IPs in your domain's MX records	mx or mx:example.com	1 per domain
include	Delegates authorization to another domain's SPF policy	include:_spf.google.com	1 per include
exists	Passes if an A record exists for the specified domain	exists:%{i}.example.com	1
redirect	Replaces your entire SPF policy with another domain's policy	redirect=example.com	1
ptr	Checks reverse DNS hostname (deprecated, RFC 7208)	ptr	1 per PTR
all	Catch-all for non-matching sources (always last)	-all ~all ?all	0

SPF Qualifiers and Policy Enforcement

Qualifiers control what receiving servers do when a source matches (or doesn't match) your SPF record.

Qualifier	Name	What It Means	When to Use
+	Pass	Explicitly authorized (default)	Rarely written — implied by default
-	Fail (Hard Fail)	Reject the email immediately	After testing confirms all senders are authorized
~	Soft Fail	Accept, but mark as suspicious	During initial setup and testing
?	Neutral	No policy (same as no SPF)	Don't use — provides no protection

Start with ~all while you verify every legitimate sender is in your record. Switch to -all for stronger protection once testing confirms authentication passes.

SPF, DKIM, and DMARC Checks Together

SPF is one piece of email authentication — complete protection requires SPF, DKIM, and DMARC working together.

Run an SPF lookup to verify your SPF record. Then check DKIM and DMARC to ensure your complete authentication stack is configured correctly.

If you’ve already fixed SPF but are still hitting spam, then your problem is bigger than one DNS record. Book a free email deliverability consultation, and we'll:

Audit your full setup (SPF, DKIM, DMARC)

Check out your domain for IP reputation and email blacklisting

Provide you with a detailed breakdown of what needs to be changed in your content

Let’s fix what's breaking your inbox placement.

Frequently asked questions
about our FREE SPF Generator

Here are some commonly asked questions about SPF lookup:

What is SPF, and what does an SPF record do?

What is SPF lookup used for?

How does an SPF record checker help?

How do I check SPF records for my domain?

Can a domain have more than one SPF record?

What is an SPF PermError?

What are DNS lookup and void lookup limits?

How does SPF impact email deliverability?

Do I need SPF automation or a hosted SPF service?