
SPF Check: a beginner's guide

Validate SPF record syntax, DNS lookups, and policy

EdgeDNS Team · 10 min read

What SPF really is, in plain English (no jargon)

SPF (Sender Policy Framework) is a list — published as a single text record in your domain's DNS — that tells the rest of the internet which mail servers are allowed to send email on behalf of your domain. When a receiving mail server gets a message claiming to be from `you@yourdomain.com`, it looks up your SPF record and asks, "is the server that just delivered this message on the approved list?" If yes, the message passes the SPF check and keeps moving toward the inbox. If no, the receiving server now knows the message is suspicious and can act on that — usually by routing it to spam or rejecting it outright. SPF was first published in 2003, became an internet standard in 2014 (RFC 7208), and is now the foundational layer of every modern email-authentication setup.

You should care because without SPF, anyone in the world can send an email that says "From: you@yourdomain.com" and there is nothing in the protocol stopping it. Email was designed in a more trusting era — the original 1982 specification has no way to verify the sender at all — and SPF is one of three rulebooks (with DKIM and DMARC) that the internet community came up with to fix that. As of February 2024, Gmail and Yahoo require SPF on any domain sending more than 5,000 emails per day; Microsoft followed shortly after. SPF has crossed the line from "good practice" to "do this or your bulk mail will not arrive."

The five things every SPF check looks at:

  • Does the record exist? A surprising fraction of production domains still have no SPF record at all.

  • Is the syntax valid? SPF records have a specific grammar (`v=spf1 ... -all`). A typo invalidates the whole record.

  • Does the record stay under the 10-DNS-lookup limit? Each `include:` mechanism counts as a lookup, and nested includes count too. Going over 10 produces a permanent error that disables SPF entirely.

  • Does it end in `-all` or `~all`? Both are acceptable end-markers; `+all` is a configuration disaster that allows anyone in the world to send mail as you.

  • Is the record at the apex of the domain? SPF records live on the bare domain (`example.com`), not on subdomains, unless you explicitly want to override them per subdomain.

Three questions an SPF check answers:

  • Will the emails I send actually reach the inbox, or are they going to spam?

  • Can someone else send phishing emails pretending to be my domain?

  • Have I quietly broken my SPF record by adding too many email services to it?

The cost of skipping SPF is the slow erosion of email deliverability — your real messages start going to spam, your bulk mail starts getting rejected by Gmail and Yahoo, and scammers find it easier to impersonate your brand. The fix is one DNS edit and one validation check. The longer hand-written guide on setup lives at SPF Record Setup Guide, which walks through writing the record from scratch and avoiding the most common pitfalls.

The SPF Check endpoint, in plain language

In one sentence: Validate [SPF (Sender Policy Framework)](/guides/spf-record-setup-guide) record syntax, [DNS (Domain Name System)](/guides/dns-lookup) lookups, and policy

Parses and validates SPF (Sender Policy Framework) records against RFC 7208. It checks for syntax errors, counts DNS (Domain Name System) lookup mechanisms against the 10-lookup limit, evaluates how strict the `all` qualifier is, detects multiple SPF records (invalid per the spec), warns when both `redirect` and `all` coexist, validates include domain syntax and CIDR (Classless Inter-Domain Routing) bounds, and identifies common misconfigurations such as overly permissive policies, excessive includes, the deprecated `ptr` mechanism, or a missing record.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

The endpoint retrieves the SPF (Sender Policy Framework) TXT records from DNS (Domain Name System), checks that exactly one SPF record exists (multiple records cause a PermError), parses the SPF syntax tree, expands include/redirect mechanisms, counts DNS lookup mechanisms (max 10 per RFC 7208), identifies authorized sending IPs and domains, and evaluates the default policy qualifier (+all, ~all, -all, ?all). It returns a security score (0-100), a letter grade, and specific recommendations. It detects issues such as exceeding the 10-lookup limit (which causes a PermError), redirect/all coexistence (RFC 7208 §6.1), invalid include domain syntax, use of the deprecated ptr mechanism (slow and unreliable), invalid or overly broad ip4/ip6 CIDR (Classless Inter-Domain Routing) ranges, and SPF macro syntax (an advanced feature per RFC 7208 §7).
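The checks in the five-item list earlier and the include/redirect expansion described here, as an added Python example (not EdgeDNS's implementation): a small linter that runs on constructed TXT data in `SAMPLE_TXT` instead of live DNS. The domain names, the `MIN_PREFIX` cut-off for "overly broad", and the finding strings are assumptions for illustration; macros are not expanded.

```python
import ipaddress
import re
# Constructed TXT data standing in for DNS answers (not real records).
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mail.test ip4:192.0.2.0/8 ptr ~all"],
    "_spf.mail.test": ["v=spf1 include:a.mail.test a mx -all"],
    "a.mail.test": ["v=spf1 ip4:198.51.100.0/25 -all"],
    "sprawl.test": ["v=spf1 mx " + "include:_spf.mail.test " * 3 + "-all"],
    "open.test": ["v=spf1 redirect=a.mail.test +all"],
    "dup.test": ["v=spf1 -all", "v=spf1 mx -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # one DNS lookup each
MIN_PREFIX = {4: 16, 6: 32}  # assumed cut-off for "overly broad"; adjust as needed

def lint_spf(domain, txt=SAMPLE_TXT, path=()):
    """Return (dns_lookup_count, findings), expanding include/redirect recursively."""
    top, path = not path, path + (domain,)
    records = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return 0, [f"{domain}: " + ("multiple SPF records (PermError)" if records else "no SPF record")]
    lookups, findings, all_q, redirect = 0, [], None, None
    for term in records[0].lower().split()[1:]:
        name, value = re.match(r"([^:=/]*)[:=/]?(.*)", term.lstrip("+-~?")).groups()
        lookups += name in LOOKUP_TERMS  # True counts as 1
        if name == "all":
            all_q = term[0] if term[0] in "-~?" else "+"  # no qualifier means "+"
        elif name == "redirect":
            redirect = value
        elif name == "ptr":
            findings.append(f"{domain}: deprecated ptr mechanism")
        elif name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(value, strict=False).prefixlen < MIN_PREFIX[int(name[2])]:
                    findings.append(f"{domain}: overly broad range {value}")
            except ValueError:
                findings.append(f"{domain}: invalid CIDR {value}")
        elif name == "include" and value not in path:  # path check stops include loops
            n, nested = lint_spf(value, txt, path)
            lookups, findings = lookups + n, findings + nested
    if redirect and all_q:
        findings.append(f"{domain}: redirect is ignored because all is present")
    elif redirect and redirect not in path:
        n, nested = lint_spf(redirect, txt, path)
        lookups, findings = lookups + 1 + n, findings + nested
    if all_q == "+" or (top and all_q == "?"):
        findings.append(f"{domain}: permissive policy {all_q}all")
    if top and lookups > 10:
        findings.append(f"{domain}: {lookups} DNS lookups exceed the limit of 10 (PermError)")
    return lookups, findings
```

`lint_spf("sprawl.test")` shows how nested includes add up: one `mx` plus three includes that each cost four lookups gives 13, past the limit.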

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the SPF Check tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

SPF (Sender Policy Framework), defined in RFC 7208, is the foundation of email authentication and is required for proper DMARC (Domain-based Message Authentication, Reporting and Conformance) enforcement. Misconfigured SPF records are the #1 cause of email deliverability issues — exceeding the 10 DNS (Domain Name System) lookup limit silently causes a PermError, and overly permissive policies (+all, ?all) leave domains vulnerable to spoofing. Google, Yahoo, and Microsoft now require valid SPF for bulk senders (5,000+ emails/day) as of 2024-2025, with non-compliant emails facing rejection.

Picture this in real life. Imagine an email administrator. Here's the situation they're walking into: Emails are being rejected or landing in spam. Verify the SPF (Sender Policy Framework) record is syntactically valid, under the 10-lookup limit, and uses an appropriate policy qualifier. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the SPF Check tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the SPF Check tool is built for you:

  • Will the emails I send actually reach the inbox, or are they going to spam?

  • Can someone else send phishing emails pretending to be my domain?

  • Have I set up the three rulebooks (SPF, DKIM, DMARC) that mailbox providers now require?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Small-business owners worried about deliverability, marketing managers onboarding a new email service, IT admins prepping for a security audit, and brand teams protecting against phishing. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and your real emails risk landing in the spam folder while scammers find it easier to impersonate your brand. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the free plan. The technical details: `GET /v1/security/spf`.

When would I actually use this?

If you're still on the fence about whether the SPF Check tool belongs in your toolbox, this section is for you. Below you'll meet four people — an email administrator, a security engineer, someone in marketing operations, and an IT manager — facing four real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Email Deliverability Troubleshooting

Imagine you're an email administrator. Emails are being rejected or landing in spam. Verify the SPF (Sender Policy Framework) record is syntactically valid, under the 10-lookup limit, and uses an appropriate policy qualifier.

Why it matters: Identify and fix SPF (Sender Policy Framework) issues causing email rejection or spam classification.

Story 2: Email Security Audit

Imagine you're a security engineer. Audit organization domains to ensure SPF (Sender Policy Framework) records use strict policies (-all) and don't include unnecessary third-party services that expand the attack surface.

Why it matters: Reduce email spoofing risk with properly hardened SPF (Sender Policy Framework) configuration.

Story 3: Third-Party Sender Authorization

Imagine you're in marketing operations. After adding a new email marketing platform (Mailchimp, SendGrid, HubSpot), verify the SPF (Sender Policy Framework) record includes the new sender and hasn't exceeded the DNS (Domain Name System) lookup limit.

Why it matters: Ensure marketing emails authenticate properly after platform changes.

Story 4: Bulk Sender Compliance

Imagine you're an IT manager. Verify SPF (Sender Policy Framework) compliance with Google/Yahoo/Microsoft bulk sender requirements (2024-2025) that mandate valid SPF records for domains sending 5,000+ emails/day. Non-compliant emails face rejection starting November 2025 (Gmail) and May 2025 (Outlook).

Why it matters: Maintain email deliverability to Gmail, Yahoo, and Outlook recipients.

Common situations across teams. Beyond the four stories above, here are the everyday workplace moments when people across the company reach for the SPF Check tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • When setting up email on a brand-new domain.

  • After signing up for a new email-sending service (Mailchimp, SendGrid, HubSpot, etc.).

  • When a customer reports that your emails are landing in their spam folder.

  • Before a security audit, a SOC 2 review, or a major marketing campaign.

If you can see yourself in even one of those bullets, the SPF Check tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the SPF Check tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the SPF Check tool to check google.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/security/spf?domain=google.com"
```

What you need to provide

There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.

| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to check SPF (Sender Policy Framework) records for | google.com |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The queried domain |
| spf.found | boolean | Whether an SPF (Sender Policy Framework) record exists |
| spf.record | string | Raw SPF (Sender Policy Framework) record value |
| spf.valid | boolean | Whether the SPF (Sender Policy Framework) record is syntactically valid |
| spf.version | string | SPF (Sender Policy Framework) version (v=spf1) |
| spf.mechanisms | array | Parsed SPF (Sender Policy Framework) mechanisms with qualifier, type, value, and meaning |
| spf.includes | array | Included domains (include: mechanisms) |
| spf.all_qualifier | string | Default policy qualifier: +all, ~all, -all, or ?all |
| spf.all_meaning | string | Human-readable policy description |
| spf.dns_lookup_count | number | Total DNS (Domain Name System) lookups required (max 10 per the official internet standard) |
| spf.exceeds_dns_limit | boolean | Whether the record exceeds the 10-lookup limit |
| score | number | Security score 0–100 |
| grade | string | Letter grade A–F based on score |
| recommendations | array | Specific improvement recommendations |
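For the audit stories earlier on this page, an added Python example (not from EdgeDNS) that turns a batch of responses into failure reasons per domain. The sample responses are constructed, and nesting the dotted field names under an `spf` object is an assumption, so `field()` also accepts flat dotted keys.

```python
# Constructed sample responses. Field names come from the table above; nesting
# them under "spf" is an assumption about how the dotted names are serialized.
SAMPLE_RESPONSES = [
    {"domain": "good.test", "score": 95, "grade": "A",
     "spf": {"found": True, "valid": True, "all_qualifier": "-all",
             "dns_lookup_count": 4, "exceeds_dns_limit": False}},
    {"domain": "risky.test", "score": 40, "grade": "D",
     "spf": {"found": True, "valid": True, "all_qualifier": "+all",
             "dns_lookup_count": 12, "exceeds_dns_limit": True}},
    {"domain": "bare.test", "spf.found": False},  # flat dotted keys work too
]

def field(resp, dotted, default=None):
    """Read e.g. 'spf.found' from a flat dotted key or from nested objects."""
    if dotted in resp:
        return resp[dotted]
    node = resp
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def audit(resp):
    """Return the reasons a domain fails a strict SPF gate; empty list means pass."""
    if not field(resp, "spf.found", False):
        return ["no SPF record published"]
    reasons = []
    if not field(resp, "spf.valid", False):
        reasons.append("record is not syntactically valid")
    if field(resp, "spf.exceeds_dns_limit", False):
        count = field(resp, "spf.dns_lookup_count", "more than 10")
        reasons.append(f"{count} DNS lookups (limit is 10)")
    qualifier = field(resp, "spf.all_qualifier")
    if qualifier in ("+all", "?all", None):
        reasons.append(f"permissive or missing all qualifier: {qualifier}")
    return reasons

def audit_all(responses):
    """Map each failing domain to its reasons, ready for a report or CI exit code."""
    results = {r["domain"]: audit(r) for r in responses}
    return {domain: why for domain, why in results.items() if why}
```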

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.

SPF (Sender Policy Framework) — A list, published in your DNS, of which servers are allowed to send email on your behalf. Helps stop spammers from forging your address.

DMARC (Domain-based Message Authentication, Reporting and Conformance) — An email rulebook you publish in your DNS. It tells receiving servers what to do with email that fails SPF or DKIM checks — ignore it, send it to spam, or block it entirely.

CIDR (Classless Inter-Domain Routing) — A shorthand way of describing a range of IP addresses, like 192.168.1.0/24. The number after the slash sets the size of the range: the smaller the number, the more addresses it covers.

RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.
