SPF Record Checker

How to read your SPF results

SPF tells inbox providers which servers are allowed to send mail for your domain. It looks simple — a single line of DNS — but a few specific mistakes cause the majority of deliverability problems. Here's what our checker looks for and why each one matters.

One record, exactly

A domain may publish only one SPF record. If you have two (a common result of adding a new email tool without merging), receivers return a permanent error and ignore SPF altogether. Everything must live in a single v=spf1 record.

The 10-lookup limit

Each include, a, mx, exists, and redirect mechanism triggers a DNS lookup, and you're capped at 10. Stacking tools — your CRM, your email platform, your help desk, your invoicing software — blows past it fast. When you do, SPF fails for every message. We count your lookups so you know exactly how much headroom is left.

A meaningful "all" mechanism

The record should end in -all or ~all. The first hard-fails unauthorized senders; the second soft-fails them. Avoid ?all (no protection) and never use +all, which lets anyone spoof you.

SPF is one of three pillars

SPF, DKIM, and DMARC work together. SPF authorizes servers, DKIM signs messages, and DMARC tells receivers what to do when a check fails — and gives you reporting. If you're sending outbound at volume, all three need to be correct on every domain you send from. Check your DKIM record and DMARC policy next, or run the full deliverability test for a single combined score.

Setting this up correctly across a fleet of sending domains — and keeping it healthy — is exactly what we do. See how we handle cold email infrastructure for clients, or read the full SPF, DKIM & DMARC guide for cold email.