🔒 SPF Lookup

Instantly retrieve and parse the SPF (Sender Policy Framework) record for any domain. View all mechanisms, qualifiers, DNS lookup count, and syntax validation — free, unlimited, browser-only.


📚 What Is an SPF Record?

SPF (Sender Policy Framework), defined in RFC 7208, is an email authentication protocol that lets domain owners publish a list of authorized sending IP addresses in DNS as a TXT record. When a receiving mail server gets a message claiming to be from user@example.com, it queries DNS for example.com's SPF record and checks whether the sending IP is authorized.

SPF prevents email spoofing — attackers forging the sender address to impersonate legitimate domains. Without SPF, anyone can send email claiming to be from your domain. With a strict SPF policy (-all), unauthorized senders are blocked outright.

🔄 SPF Mechanisms Explained

| Mechanism | Description | DNS Lookup? | Example |
|---|---|---|---|
| ip4: | Authorize a single IPv4 or CIDR range | No | ip4:203.0.113.0/24 |
| ip6: | Authorize a single IPv6 or CIDR range | No | ip6:2001:db8::/32 |
| a: | Authorize the A record IPs of a hostname | Yes | a:mail.example.com |
| mx: | Authorize the A records of MX hosts | Yes | mx:example.com |
| include: | Delegate to another domain's SPF record | Yes | include:_spf.google.com |
| redirect= | Replace entire policy with another domain's SPF | Yes | redirect=_spf.example.net |
| exists: | Match if the given hostname resolves | Yes | exists:%{i}.spf.example.com |
| ptr: | Match if rDNS hostname ends with given domain (deprecated) | Yes | ptr:example.com |
| all | Always match — used as final catch-all | No | -all |

🔑 SPF Qualifiers

+ Pass (default)
The sending IP is authorized. Email should be accepted. + is the default qualifier and is usually omitted. Example: +ip4:203.0.113.1 or just ip4:203.0.113.1.
- Fail (Hardfail)
The sending IP is NOT authorized. The receiving server should reject the message. Best practice for security. Example: -all at end of record.
~ SoftFail
The IP is not authorized, but the domain owner asks receiving servers to accept the message and mark it as suspicious. Used during transitions. Gmail typically puts softfail messages in spam. Example: ~all.
? Neutral
No assertion about authorization. Functionally equivalent to having no SPF policy — not recommended for production use. Example: ?all.
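
The mechanism table and qualifier list above describe how a record breaks down term by term. The following Python parser is an added example, not this tool's own code: `parse_spf`, `SAMPLE` and the warning texts are hypothetical names, and the lookup count covers only the terms of the one record passed in, not the records behind its includes.

```python
import re

# Qualifier symbols mapped to the result names used in the list above.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms from the table above; True means evaluating one costs a DNS lookup.
MECHANISMS = {"ip4": False, "ip6": False, "a": True, "mx": True,
              "include": True, "exists": True, "ptr": True, "all": False}
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)([:/].*)?$", re.I)
MODIFIER = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.I)


def parse_spf(record):
    """Split one SPF TXT string into terms; count its own lookups and warnings."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("missing v=spf1 version tag")
    terms, warnings, lookups = [], [], 0
    for tok in tokens[1:]:
        mod = MODIFIER.match(tok)
        if mod:  # modifiers (redirect=, exp=) take no qualifier
            name, value = mod.group(1).lower(), mod.group(2)
            costs = name == "redirect"
            terms.append(("modifier", name, value, costs))
        else:
            m = TERM.match(tok)
            name = m.group(2).lower() if m else None
            if name not in MECHANISMS:
                warnings.append(f"unknown term: {tok}")
                continue
            qual = QUALIFIERS[m.group(1) or "+"]  # + is the default qualifier
            costs = MECHANISMS[name]
            terms.append((qual, name, (m.group(3) or "").removeprefix(":"), costs))
            if name == "ptr":
                warnings.append("ptr is deprecated")
            if name == "all" and qual in ("pass", "neutral"):
                warnings.append(f"{tok} does not restrict unauthorized senders")
        lookups += costs
    if not any(t[1] in ("all", "redirect") for t in terms):
        warnings.append("no all or redirect= term: unmatched senders get neutral")
    return {"terms": terms, "lookups": lookups, "warnings": warnings}


# Constructed sample record built from the example values in the table above.
SAMPLE = "v=spf1 ip4:203.0.113.0/24 a:mail.example.com mx include:_spf.google.com ~all"
```

Calling `parse_spf(SAMPLE)` returns five terms, three of which (a, mx, include) consume a DNS lookup, and no warnings.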

🛡️ Use Cases for SPF Lookup

📧 Email Deliverability Troubleshooting
Emails going to spam? Check SPF first. A missing, misconfigured, or too-permissive SPF record is a top cause of deliverability failures and spam classification.
📊 DNS Lookup Count Audit
SPF is limited to 10 DNS lookups per evaluation. Exceeding this causes PermError — which looks like SPF fail to receiving servers. Use this tool to count lookups and identify which includes to flatten.
🔍 Security Research / Phishing Simulation
Security teams check target domain SPF policies to understand email controls. A weak ?all or missing SPF makes a domain trivially spoofable — an immediate red flag in any email security audit.
🔄 Email Provider Migration
When switching from one email provider to another, update SPF includes and verify with this tool before updating MX records. Use our MX Lookup tool to confirm MX records are also correct.
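
For the DNS lookup count audit described above, the cost of an include is its own query plus everything its target record queries in turn. This added example (not this tool's own code) walks a constructed zone recursively; `ZONE`, `count_lookups`, `audit` and all `.example` names are hypothetical. It counts every DNS-querying term as a worst case, whereas a real evaluation stops at the first matching term.

```python
LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
# Constructed zone data (hypothetical names) standing in for live TXT queries.
ZONE = {
    "example.com": ["v=spf1 mx include:_spf.mail.example include:_spf.crm.example -all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.crm.example include:_c1.crm.example "
                         "include:_c2.crm.example include:_c3.crm.example ~all"],
    "_c1.crm.example": ["v=spf1 ip4:192.0.2.0/26 ~all"],
    "_c2.crm.example": ["v=spf1 ip4:192.0.2.64/26 ~all"],
    "_c3.crm.example": ["v=spf1 ip4:192.0.2.128/26 ~all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_a.mail.example -all"],
}


class PermError(Exception):
    """Permanent SPF error: the published policy cannot be evaluated."""


def count_lookups(domain, zone, path=()):
    """Return (total, [(term, cost)]) counting every DNS-querying term, worst case."""
    if domain in path:
        raise PermError(f"include loop through {domain}")
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise PermError(f"{domain} publishes {len(records)} v=spf1 records")
    cost = []
    for tok in (records[0].split()[1:] if records else []):
        name, _, target = tok.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()
        if name not in LOOKUP_TERMS:
            continue
        n = 1  # the term's own query
        if name in ("include", "redirect"):  # plus whatever the target costs
            n += count_lookups(target, zone, path + (domain,))[0]
        cost.append((tok, n))
    return sum(n for _, n in cost), cost


def audit(domain, zone):
    """Report one domain's lookup budget, mapping failures to permerror."""
    try:
        total, cost = count_lookups(domain, zone)
    except PermError as exc:
        return {"result": "permerror", "reason": str(exc)}
    result = "permerror" if total > LIMIT else "ok"
    return {"result": result, "lookups": total, "cost": cost}
```

In the constructed zone, `audit("example.com", ZONE)` reports 11 lookups, 7 of them behind `include:_spf.crm.example`, which makes that include the first candidate for flattening.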

🔗 More Ways to Investigate Email Authentication

For full email server configuration, check MX Lookup. For complete domain DNS investigation, use DNS Lookup. For email address validation including SPF check, use Email Checker. Learn the complete email authentication picture in our blog: SPF Record Complete Guide. Also see What Is an IP Address? to understand the IPs SPF authorizes.

FAQ

What is an SPF record?
SPF (Sender Policy Framework) is an email authentication protocol. It lets domain owners publish authorized sending IPs in DNS as a TXT record. Receiving servers verify the sending IP against this list to detect spoofing.
What does v=spf1 mean?
v=spf1 is the required version tag at the start of every SPF record. It tells DNS resolvers this TXT record is an SPF policy.
What is the difference between ~all and -all?
~all (softfail) = accept but mark suspicious. -all (hardfail) = reject unauthorized senders outright. Security-conscious domains use -all. Avoid ?all (neutral) — it disables enforcement.
What is the SPF 10 DNS lookup limit?
RFC 7208 limits SPF to 10 DNS lookups per evaluation. Each a:, mx:, include:, and redirect= triggers a lookup. Exceeding 10 causes PermError — legitimate emails may fail SPF. Use ip4:/ip6: for static IPs.
What is SPF flattening?
SPF flattening replaces include: mechanisms with the actual ip4:/ip6: ranges they resolve to, reducing DNS lookups. Downside: you must manually update when your provider changes their IP ranges.
Can a domain have multiple SPF records?
No — RFC 7208 requires exactly one SPF TXT record per domain. Multiple v=spf1 records cause PermError and email may be rejected or treated as unauthenticated.
What is the difference between SPF, DKIM, and DMARC?
SPF validates the sending IP. DKIM adds a cryptographic signature verified against a public key in DNS. DMARC ties both together, letting owners specify actions (none/quarantine/reject) when SPF or DKIM fails.
What does SPF pass mean?
SPF pass means the sending IP matched an authorized mechanism. The email appears to come from an IP the domain owner approved — the desired outcome.
What does SPF fail mean?
SPF fail (hardfail, -all) means the sending IP is not authorized. Depending on DMARC policy and the receiving server's configuration, the email may be rejected outright.
What is SPF softfail?
SPF softfail (~all) means the sending IP is not authorized, but the domain owner recommends accepting and marking as suspicious. Gmail typically delivers softfail email to spam.
What is the include: mechanism?
include: delegates SPF to another domain's record. include:_spf.google.com adds all Google authorized sending IPs to your policy. Each include counts as one DNS lookup toward the 10-lookup limit.
What is an SPF redirect modifier?
redirect= replaces the entire SPF evaluation with another domain's SPF policy. Unlike include:, it must be the only mechanism and replaces all other mechanisms. Used when a third party manages your email policy entirely.
How do I add an SPF record?
In your DNS panel, add a TXT record at @ (root domain) with value like: v=spf1 include:_spf.google.com -all. Replace the include with your email provider's SPF include. Changes take effect after TTL expires (typically 1 hour).
How do I check SPF with dig?
Run: dig TXT example.com +short | grep spf (Linux/Mac) or Resolve-DnsName example.com -Type TXT (Windows). This tool replicates that query in your browser with full parsing.
Is SPF Lookup free?
Yes — completely free, unlimited lookups, no sign-up needed. Queries go through Google's public DNS-over-HTTPS resolver and results appear instantly.