SPF Record Validator

Instant SPF DNS record lookup & validation

ValidatorsFreeNo Signup
4.4(317 reviews)
All Tools

Loading tool...

About SPF Record Validator

Enter any domain to retrieve and analyze its SPF (Sender Policy Framework) DNS TXT record. The tool fetches TXT records via DNS over HTTPS, identifies the SPF record, parses every mechanism and qualifier (include, ip4, ip6, a, mx, redirect, all), counts DNS lookups against the 10-lookup limit, and provides a plain-English explanation. Flags common issues like too many DNS lookups, missing all mechanism, and permissive +all policies.

SPF Record Validator Features

  • Live DNS lookup via DoH
  • Mechanism parsing (include, ip4, ip6, a, mx, all)
  • DNS lookup counter (max 10)
  • Qualifier analysis (+, -, ~, ?)
  • Misconfiguration warnings
SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and domains are authorized to send email on behalf of your domain. A misconfigured SPF record can cause legitimate emails to land in spam or be rejected entirely. The SPF Record Validator instantly fetches any domain's SPF TXT record from DNS, parses every mechanism, counts DNS lookups (max 10 allowed by RFC 7208), and flags syntax errors and common misconfigurations. Powered by Cloudflare's free DNS over HTTPS API — no API key needed, runs entirely in your browser.

How to Use the SPF Record Validator

Validating an SPF record is fast and simple:

Enter a domain. Type any domain name into the input (e.g., google.com). The tool will query the domain's TXT records.

Click Validate. The tool sends a DNS over HTTPS request to Cloudflare and filters TXT records for one starting with v=spf1.

Review the analysis. Each SPF mechanism is listed with its qualifier, a plain-English explanation, and whether it counts toward the 10-lookup limit. The tool shows total DNS lookups used and warns if you're over the limit.

Key features:

  • Live DNS lookup — queries real DNS data in real time
  • Full mechanism parsing — include, ip4, ip6, a, mx, redirect, exists, all
  • DNS lookup counter — tracks usage against the RFC 7208 limit of 10
  • Qualifier analysis — explains +all vs ~all vs -all vs ?all

SPF Mechanisms Explained

An SPF record contains mechanisms that define which senders are authorized:

  • include: — References another domain's SPF record. Example: include:_spf.google.com authorizes Google's mail servers. Counts as a DNS lookup.
  • ip4: / ip6: — Authorizes a specific IPv4 or IPv6 address or CIDR range. Does NOT count as a DNS lookup.
  • a — Authorizes the domain's A/AAAA records. Counts as a DNS lookup.
  • mx — Authorizes the domain's MX record IPs. Counts as a DNS lookup.
  • redirect= — Replaces the entire SPF check with another domain's record. Counts as a DNS lookup.
  • exists: — Advanced mechanism that checks if an A record exists. Counts as a DNS lookup.
  • all — Catch-all mechanism. Qualifiers: -all (hard fail), ~all (soft fail), +all (allow all — dangerous), ?all (neutral).

Common SPF Issues & Fixes

Watch out for these frequent SPF problems:

  • Too many DNS lookups — SPF is limited to 10 DNS lookups per evaluation. Each include, a, mx, redirect, and exists counts as one. Exceeding 10 causes a PermError and email delivery failures. Fix: consolidate includes or replace them with ip4/ip6 ranges.
  • Using +all — The +all qualifier authorizes every IP on the internet to send as your domain. This completely negates SPF. Always use -all or ~all.
  • Missing all mechanism — Without an all at the end, there's no default action for unauthorized senders. Always end with -all (recommended) or ~all.
  • Multiple SPF records — A domain must have exactly one SPF TXT record. Multiple records cause a PermError. Merge them into a single record.
  • Record too long — DNS TXT records have a 255-character limit per string. Longer records must be split into multiple strings within a single TXT record. Most DNS providers handle this automatically.

Step-by-Step Instructions

  1. 1Enter a domain name (e.g., google.com) in the input field.
  2. 2Click 'Validate SPF' to fetch the DNS TXT records.
  3. 3View the raw SPF record retrieved from DNS.
  4. 4Review each parsed mechanism with its qualifier and explanation.
  5. 5Check the DNS lookup counter against the 10-lookup limit.
  6. 6Address any warnings or errors flagged by the validator.

SPF Record Validator — Frequently Asked Questions

What is the SPF 10-lookup limit?+

RFC 7208 limits SPF evaluation to 10 DNS lookups to prevent denial-of-service attacks via recursive SPF queries. Each 'include', 'a', 'mx', 'redirect', and 'exists' mechanism counts as one lookup. The 'ip4' and 'ip6' mechanisms do NOT count because they don't require DNS resolution. Exceeding 10 lookups results in a PermError, causing email delivery failures.

What's the difference between -all and ~all?+

'-all' is a hard fail — emails from unauthorized senders should be rejected. '~all' is a soft fail — unauthorized emails should be accepted but marked as suspicious (usually sent to spam). '-all' provides stronger protection and is recommended once you've confirmed all legitimate senders are included in your SPF record.

How does the SPF lookup work?+

The tool queries Cloudflare's public DNS over HTTPS API to fetch TXT records for the entered domain, then filters for the record starting with 'v=spf1'. The query runs entirely in your browser — no data is stored or sent to any third-party server beyond the DNS resolution.

More Validators Tools

Explore all 10 other validators tools available on Generatr

Avro Schema ValidatorCode Validator (HTML / CSS / JSON / XML)DMARC Record ValidatorEmail Regex CheckerIBAN ValidatorInvoice CheckerRouting Number ValidatorSocial Card / Open Graph ValidatorUUID ValidatorWSDL Validator
Share this tool: