Skip to main content

Free SPF Record Lookup

Validate your SPF record configuration instantly. Check DNS lookup count against the 10-lookup limit, analyze mechanisms, and verify that your sending infrastructure is properly authorized.

Try the Full APIView Documentation

Free to use — no signup required. Rate limited to 5 requests per minute.

How to Look Up Your SPF Record

Follow these steps to validate your domain's SPF record and check for common misconfigurations.

  1. 1

    Enter your domain

    Type your domain name (e.g., example.com) into the lookup tool. Use the root domain, not a subdomain, unless you specifically send email from a subdomain.

  2. 2

    Run the SPF lookup

    Click "Check SPF" to retrieve and parse your domain's SPF TXT record from DNS.

  3. 3

    Check the DNS lookup count

    SPF has a hard limit of 10 DNS lookups per evaluation. If your record exceeds this limit, SPF will permanently fail (permerror) for your domain. The tool shows your current count.

  4. 4

    Review authorized senders

    Verify that all your email-sending services (transactional, marketing, CRM) are included in the SPF record via include:, ip4:, or ip6: mechanisms.

  5. 5

    Check the policy

    Verify that your SPF record ends with -all (hard fail) or ~all (soft fail). Avoid +all, which authorizes every server to send email as your domain.

What Is SPF and How Does It Work?

SPF (Sender Policy Framework) is an email authentication standard defined in RFC 7208. It allows domain owners to specify which mail servers are authorized to send email on their behalf by publishing a DNS TXT record.

When a receiving mail server gets a message, it extracts the domain from the envelope sender (MAIL FROM) and looks up the SPF record for that domain. It then checks whether the sending server's IP address matches any of the authorized mechanisms in the SPF record.

SPF results include: • Pass — The sending IP is authorized • Fail — The sending IP is explicitly not authorized • SoftFail — The sending IP is probably not authorized • Neutral — The SPF record makes no assertion • PermError — The SPF record is malformed or exceeds limits • TempError — A temporary DNS error prevented evaluation

SPF Record Syntax and Mechanisms

An SPF record starts with v=spf1 and contains a series of mechanisms that define authorized senders:

• ip4:203.0.113.0/24 — Authorize an IPv4 address or range • ip6:2001:db8::/32 — Authorize an IPv6 address or range • include:_spf.google.com — Include another domain's SPF record • a — Authorize the domain's A record IP addresses • mx — Authorize the domain's MX record IP addresses • redirect=otherdomain.com — Use another domain's SPF record entirely • exists:%{i}.spf.example.com — Advanced macro-based authorization

Mechanisms are evaluated left to right. The first match determines the result. The record typically ends with a qualifier: • -all — Hard fail for all others • ~all — Soft fail for all others • ?all — Neutral for all others

Managing the 10-Lookup Limit

The 10 DNS lookup limit is the most common SPF issue for organizations using multiple email services. Each include:, a, mx, redirect, and exists mechanism requires a DNS lookup. Nested includes (an included domain's SPF record that itself has includes) also count.

Strategies to stay under the limit:

1. Use ip4:/ip6: instead of include: where possible — IP mechanisms don't count as lookups. If a service has a stable IP range, use that instead of their include domain.

2. SPF flattening — Replace include: mechanisms with the resolved IP addresses. This removes lookups but requires ongoing maintenance as service IPs change.

3. Remove unused services — Audit your SPF record regularly. Remove includes for services you no longer use.

4. Consolidate sending services — Fewer email platforms means fewer SPF includes.

5. Use subdomains — Send marketing email from marketing.example.com with its own SPF record, keeping the root domain's SPF simpler.

Frequently Asked Questions

SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email, it checks the sending server's IP against the SPF record to verify authorization.

Related Free Tools

Free DMARC Record Checker

Instantly validate your DMARC record configuration. Check policy enforcement, alignment settings, and reporting addresses — identify issues before they affect email deliverability.

Free DNS Propagation Checker

Check if your DNS changes have propagated to resolvers worldwide. Query Google, Cloudflare, OpenDNS, and more to verify DNS consistency before announcing deployments.

Need More Than a Free Check?

Get programmatic access to 100+ domain intelligence endpoints. Automate monitoring, integrate with CI/CD, and build custom workflows.

Get Free API KeyExplore All Endpoints

Free tier includes 200 requests/month