SPF Check
free /v1/security/spf
Parses and validates SPF (Sender Policy Framework) records per RFC 7208. Checks for syntax errors, counts DNS lookup mechanisms against the 10-lookup limit set by RFC 7208, evaluates the all-qualifier policy strictness, detects multiple SPF records (invalid per spec), warns when both redirect and all coexist, validates include domain syntax and CIDR bounds, and identifies common misconfigurations like overly permissive policies, excessive includes, deprecated ptr mechanisms, or missing records.
What It Does
Retrieves SPF TXT records from DNS, validates that only one SPF record exists (multiple records cause PermError), parses the SPF syntax tree, expands include/redirect mechanisms, counts DNS lookup mechanisms (max 10 per RFC 7208), identifies authorized sending IPs and domains, and evaluates the default policy qualifier (+all, ~all, -all, ?all). Returns a security score (0-100), letter grade, and specific recommendations. Detects issues such as exceeding the 10-lookup limit (which causes PermError), redirect/all coexistence (RFC 7208 §6.1), invalid include domain syntax, use of the deprecated ptr mechanism (slow and unreliable), invalid and overly broad ip4/ip6 CIDR ranges, and SPF macro syntax (an advanced feature per RFC 7208 §7).
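An added example, not the service's own code: a small offline linter for several of the checks listed above (single-record rule, lookup-term count, all qualifier, redirect/all coexistence, ptr, CIDR validity). It counts only the lookup terms in the top-level record and does not expand include or redirect targets, so the real total can be higher. The function name, result keys, and sample records are assumptions made for illustration.

```python
import ipaddress

# Terms that each cost one DNS lookup toward the RFC 7208 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample TXT strings for illustration (not real DNS data).
SAMPLE_OK = ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"]
SAMPLE_BAD = ["v=spf1 ptr ip4:192.0.2.0/33 redirect=_spf.example.org +all",
              "v=spf1 -all"]

def lint_spf(txt_records):
    """Lint the TXT strings published at one name; makes no DNS queries."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return {"found": False, "issues": ["no SPF record"]}
    issues = ["multiple SPF records (PermError)"] if len(spf) > 1 else []
    lookups, all_q, has_redirect = 0, None, False
    for term in spf[0].split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"  # "+" is the default
        body = term.lstrip("+-~?")
        # Name is whatever precedes the first ":", "=" or "/".
        name = body.replace("=", ":", 1).split(":", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_q = qual + "all"
        elif name == "redirect":
            has_redirect = True
        elif name == "ptr":
            issues.append("deprecated ptr mechanism")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(body.split(":", 1)[1], strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family mismatch")
            except (ValueError, IndexError):
                issues.append(f"invalid CIDR in {term}")
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10 (PermError)")
    if has_redirect and all_q:
        issues.append("redirect is ignored because all is present")
    if all_q in ("+all", "?all"):
        issues.append(f"permissive default policy {all_q}")
    elif all_q is None and not has_redirect:
        issues.append("no all or redirect: unmatched senders get neutral")
    return {"found": True, "record": spf[0], "all_qualifier": all_q,
            "dns_lookup_count": lookups, "exceeds_dns_limit": lookups > 10,
            "issues": issues}
```

Calling `lint_spf(SAMPLE_BAD)` reports five issues for the constructed record, including the second SPF record and the out-of-range `/33` prefix.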
Why It's Useful
SPF is the foundation of email authentication (RFC 7208) and is required for proper DMARC enforcement. Misconfigured SPF records are the #1 cause of email deliverability issues — exceeding the 10 DNS lookup limit silently causes PermError, and overly permissive policies (+all, ?all) leave domains vulnerable to spoofing. Google, Yahoo, and Microsoft now require valid SPF for bulk senders (5,000+ emails/day) as of 2024-2025, with non-compliant emails facing rejection.
Use Cases
Email Deliverability Troubleshooting
Emails are being rejected or landing in spam. Verify the SPF record is syntactically valid, under the 10-lookup limit, and uses an appropriate policy qualifier.
Identify and fix SPF issues causing email rejection or spam classification.
Email Security Audit
Audit organization domains to ensure SPF records use strict policies (-all) and don't include unnecessary third-party services that expand the attack surface.
Reduce email spoofing risk with properly hardened SPF configuration.
Third-Party Sender Authorization
After adding a new email marketing platform (Mailchimp, SendGrid, HubSpot), verify the SPF record includes the new sender and hasn't exceeded the DNS lookup limit.
Ensure marketing emails authenticate properly after platform changes.
Bulk Sender Compliance
Verify SPF compliance with Google/Yahoo/Microsoft bulk sender requirements (2024-2025) that mandate valid SPF records for domains sending 5,000+ emails/day. Non-compliant emails face rejection starting November 2025 (Gmail) and May 2025 (Outlook).
Maintain email deliverability to Gmail, Yahoo, and Outlook recipients.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to check SPF records for. Example: google.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| spf.found | boolean | Whether an SPF record exists |
| spf.record | string | Raw SPF record value |
| spf.valid | boolean | Whether the SPF record is syntactically valid |
| spf.version | string | SPF version (v=spf1) |
| spf.mechanisms | array | Parsed SPF mechanisms with qualifier, type, value, and meaning |
| spf.includes | array | Included domains (include: mechanisms) |
| spf.all_qualifier | string | Default policy qualifier: +all, ~all, -all, or ?all |
| spf.all_meaning | string | Human-readable policy description |
| spf.dns_lookup_count | number | Total DNS lookups required (max 10 per RFC 7208) |
| spf.exceeds_dns_limit | boolean | Whether the record exceeds the 10-lookup limit |
| score | number | Security score 0–100 |
| grade | string | Letter grade A–F based on score |
| recommendations | array | Specific improvement recommendations |
Code Examples
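```bash
# -G sends the -d data as a query string on a GET request,
# the same request the JavaScript and Python examples make
curl -G "https://api.edgedns.dev/v1/security/spf" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=google.com"
```

```javascript
// Query the SPF endpoint for one domain and print the parsed JSON result
const response = await fetch(
  'https://api.edgedns.dev/v1/security/spf?domain=google.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

# Query the SPF endpoint for one domain and print the parsed JSON result
response = requests.get(
    'https://api.edgedns.dev/v1/security/spf',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'google.com'
    },
    timeout=10,  # requests has no default timeout
)
response.raise_for_status()  # surface HTTP errors instead of parsing an error body
data = response.json()
print(data)
```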