SPF Record Checker

Look up a domain's SPF record, count DNS lookups against the RFC 7208 limit of 10, and identify weak or invalid policies.

What we check

• Record presence — does the domain publish an SPF record at all?
• Single record — RFC 7208 forbids more than one v=spf1 record per domain; multiple records cause receivers to reject SPF outright.
• DNS lookup count — every include, a, mx, ptr, exists and redirect mechanism counts toward the 10-lookup limit. Past 10, receivers return PermError and your SPF effectively disappears.
• Final qualifier — -all (hard fail), ~all (soft fail), ?all (neutral), or +all (permissive — equivalent to no SPF).

Common findings and what they mean

Too many DNS lookups

This is the single most common SPF problem in 2026. Each Google Workspace include, each Microsoft 365 include, each third-party ESP include burns 1-3 lookups apiece. Past 10, receivers reject your SPF as PermError and your mail starts failing alignment. Fix: collapse third-party includes you no longer use, or flatten the SPF record to literal ip4:/ip6: mechanisms.

Weak policy (~all, ?all, +all)

~all tells receivers "soft-fail unauthorized senders" — typically scored as a spam signal but not rejected. ?all means "neutral" — receivers ignore SPF outcome entirely. +all means "any sender is allowed" — equivalent to no SPF and a known spammer pattern. Move to -all once you have inventoried every legitimate sender.

Missing SPF

Without SPF, mail receivers can't tell whether a message claiming to come from your domain actually originated on an authorized IP. Gmail downranks unauthenticated mail. Microsoft 365 has been hardening checks throughout 2026.