SPF Record Checker
Check a domain SPF TXT record, break down every mechanism, include and IP range, and read the -all, ~all, ?all or +all policy token.
This SPF record checker pulls the SPF TXT record for any domain and shows you exactly which servers it lets send mail. Type a domain and it splits the record into its mechanisms, lists the includes from outside services like Google or your newsletter platform, pins down the ip4 and ip6 ranges you trust, and reads the token at the end that actually decides things: -all is strict, ~all soft fails, ?all is neutral and weak, and +all you almost never want. It scores the result, flags a missing record, duplicate records and the unsafe +all, and warns when too many includes approach the ten DNS lookup limit from RFC 7208 that quietly returns permerror.
Queries run through the PeopleAreGeek lookup service. We log nothing.
SPF Record Checker: analyze SPF TXT records, includes and policy
Type a domain. You'll see its SPF record and which servers it lets send mail. The tool pulls apart the mechanisms, the includes, the IP ranges, and the bit at the end that actually decides things (the -all, ~all, ?all or +all). Honestly that last token matters more than people expect.
What is an SPF record?
It's a TXT record. Inside it, you list the mail servers that get to send email for your domain, and that's basically the whole idea. When a message comes in, the receiving server checks the sender against your list. Doesn't match? That's a signal something's off, maybe spoofed, maybe just misconfigured. SPF won't stop every forged message on its own, but it cuts down the easy ones.
How to read SPF results
- include shows up when some outside service (think your newsletter platform, or Google) sends mail on your behalf.
- ip4 and ip6 pin down the exact address ranges you trust.
- -all is the strict one. ~all is softer, it flags but doesn't hard-reject. +all you almost never want, it basically tells the world anyone can send as you.
Frequently asked questions
Can a domain have multiple SPF records?
One. You want one. The spec is pretty firm here, and if a domain ends up with two SPF records, a lot of receivers just throw up their hands and treat the result as broken. So merge them into a single line.
Does SPF protect the visible From address?
Not really, and this trips people up constantly. SPF only looks at the envelope sender, the address used during delivery, which isn't the From line your recipients actually read. To tie the check to that visible From domain, you need DMARC sitting on top. I'd say that's the single most misunderstood thing about SPF.
What does the policy token at the end mean?
It is the part that actually decides things. -all is the strict one, a hard fail for any server not on your list. ~all is softer, it flags but does not hard-reject, and is common during a migration. ?all is neutral and weak, and +all you almost never want because it tells the world anyone can send as you.
Why do too many includes break SPF?
Each include and a few other mechanisms cost a DNS lookup, and RFC 7208 caps the total at ten. Go over and receivers return permerror, which can quietly fail your mail. The checker counts the includes so you can flatten or trim before you approach that wall.