SPF Record Lookup

SPF Record Lookup

What Is SPF and Why Does It Matter?

SPF, short for Sender Policy Framework, is a DNS-based email authentication standard that lets domain owners publish a list of mail servers authorized to send email on their behalf. When a receiving mail server gets a message claiming to come from your domain, it looks up your SPF record and checks whether the sending server’s IP address is on that list. If it is not, the receiver can reject, quarantine, or flag the message. SPF is one of the three foundational email authentication standards — alongside DKIM and DMARC — that major inbox providers like Gmail, Yahoo, and Microsoft require before they will reliably deliver your mail. A missing or misconfigured SPF record is one of the most common reasons legitimate email ends up in spam. You can check all three records at once with the SPF, DKIM & DMARC Checker.

How to Read SPF Mechanisms

An SPF record is a TXT record on your domain root that starts with v=spf1 and contains a series of space-separated mechanisms. Each mechanism tells receiving servers which senders are authorized:

• ip4 and ip6 directly authorize specific IP addresses or CIDR ranges. These are the most explicit and fastest to evaluate.
• include delegates to another domain’s SPF record. This is how email service providers like Google Workspace or SendGrid are added — you include their domain and your SPF record inherits their authorized servers.
• a authorizes the IP addresses in the domain’s A record. Useful when your web server also sends mail.
• mx authorizes the servers listed in your MX records. Common for domains where the incoming mail server also sends outbound mail.
• redirect delegates the entire SPF policy to another domain, replacing the current record rather than supplementing it.
• all is the catch-all policy that applies to any sender not matched by a previous mechanism. The qualifier before it determines how strictly it is enforced.

Each mechanism can be preceded by a qualifier: + (Pass, the default), – (Fail), ~ (SoftFail), or ? (Neutral). Use our DNS Record Checker to inspect raw TXT records or any other record type alongside your SPF data.

Understanding ~all vs -all

The choice between ~all (SoftFail) and -all (Fail) is the most consequential policy decision in your SPF record. A -all record tells receiving servers to outright reject any email that does not match your authorized senders — it is the strictest enforcement available and the recommended setting for domains that have fully audited their sending sources. A ~all record marks non-matching mail as suspicious but allows it through, which is commonly used while you are still discovering all the services sending mail on your behalf. Once you are confident your SPF record covers every legitimate sending source, switching to -all closes the door to spoofed mail more firmly. Avoid +all, which authorizes every sender on the internet and effectively disables SPF protection.

Common SPF Mistakes

The most frequent SPF misconfiguration is the 10 DNS lookup limit. SPF imposes a hard limit of 10 mechanisms that require DNS resolution — this includes every include, a, mx, and redirect term. If your record exceeds this limit, receivers will treat SPF as failing even for legitimate senders. Another common error is having multiple SPF records on a single domain — there must be exactly one v=spf1 TXT record, or both will be ignored. Publishing +all instead of -all is equally dangerous, as it tells the world that any server can send mail for your domain. Finally, forgetting to add SPF entries for third-party sending services (transactional email platforms, marketing tools, CRMs) is a frequent source of deliverability failures. For a broader view of your domain’s mail configuration, check your MX records and verify your full setup with the Email Auth Checker.

Related Tools & Resources

Check all three email authentication records at once with the SPF, DKIM & DMARC Checker. Look up mail server routing with the MX Record Lookup, inspect any TXT record directly with the TXT Record Lookup, or query any DNS record type with the DNS Record Checker. Building a new record? Use the SPF and DMARC Record Generator to construct one with a built-in lookup-limit check. To confirm a published record has propagated, run the DNS Propagation Checker. Browse the full networking tools hub for the complete collection.