Free SPF Lookup

How SPF Records Work

SPF is the first layer of email authentication. It tells receiving mail servers exactly which IP addresses are allowed to send email for your domain. Without a valid SPF record, your messages are more likely to be flagged as spam or rejected outright.

Enter the domain name you want to check in the input field above
Click "Check SPF" to fetch and parse the domain's SPF record from DNS
Review the authorized sending sources and mechanisms in the results
Check the DNS lookup count — if it exceeds 10, the record will cause a PermerError
Use the results to verify your own record or troubleshoot authentication failures

🔒

What SPF Does

SPF publishes a list of authorized sending IPs in DNS. When a receiving server gets your email, it checks whether the sending IP is on that list. A mismatch causes an SPF fail, which can result in rejection or spam filtering depending on your DMARC policy.

⚠️

The 10-Lookup Limit

SPF records are limited to 10 DNS lookups during evaluation (RFC 7208). Exceeding this limit causes a PermerError, which many receivers treat as a hard fail. Use the include: mechanism sparingly and prefer ip4: and ip6: where possible.

🔗

SPF + DKIM + DMARC

SPF alone is not sufficient. DMARC requires either SPF or DKIM to align with the visible From header domain. Pair SPF with DKIM and a DMARC policy to get full authentication coverage and unlock aggregate reporting.

Tip: SPF only authenticates the envelope sender (Return-Path), not the visible From address. This means SPF alone does not prevent display-name spoofing. DMARC ties SPF and DKIM results back to the From domain and adds enforcement and visibility through aggregate reports.

Shielding Your Inbox from Spoofing: The Power of SPF

Ever receive an email that appears to be from your bank or a trusted colleague, but something feels a little off? This is where email spoofing comes in — a deceptive tactic where senders disguise their email address to appear legitimate. SPF (Sender Policy Framework) acts as a crucial line of defense against such attacks, safeguarding your inbox and email security.

SPF operates like a whitelist. Domain owners, like your bank or company, publish an SPF record — a public record that specifies authorized email servers for their domain. When you receive an email, receiving mail servers check the SPF record of the sender's domain. If the email originates from a server listed in the SPF record, it's considered legitimate. Conversely, if the sending server isn't authorized, it raises red flags, potentially marking the email as spam or even rejecting it entirely.

By implementing SPF, you contribute to a safer email ecosystem. It empowers legitimate senders to improve email deliverability by ensuring their emails reach inboxes. More importantly, it helps recipients like yourself identify and avoid spoofing attempts, protecting you from phishing scams and other email-borne threats.

Once you have it set up, it's time to test it with our very own Email Tester.

SPF TAG Specification Explained

TAG	MEANING
v	Required: This mandatory tag specifies the SPF version being used. Currently, only "v=SPF1" is allowed.
a	This tag allows any server with an IP address matching the A record of the specified hostname to send emails. The allowed value is the domain name for which you want to use the A record (e.g., a:campaigncleaner.com).
mx	Similar to the "a" tag, this tag permits any server with an IP address matching the MX record of the specified hostname. The allowed value is the domain name for which you want to use the MX record (e.g., mx:campaigncleaner.com).
ip4	This tag specifies an allowed IPv4 address or a range of addresses using CIDR notation. The allowed value is either a single IPv4 address (e.g., ip4:192.168.1.1) or an IP address with a forward slash (/) followed by the CIDR subnet mask (e.g., ip4:192.168.0.0/24).
ip6	Similar to ip4, this tag defines an authorized IPv6 address or a range using CIDR notation. The allowed value is either a single IPv6 address (e.g., ip6:2001:db8::1) or an IP address with a forward slash (/) followed by the CIDR subnet mask (e.g., ip6:2001:db8::/64).
ptr	This tag allows mail servers to perform a reverse DNS lookup on the sending server's IP address. If the hostname returned by the reverse lookup matches the specified hostname, the email is considered authorized. The allowed value is the domain name for the reverse DNS lookup (e.g., ptr:campaigncleaner.com).
include	This tag allows you to incorporate the SPF record of another domain. This is useful for including subdomains or relying on a third-party email service provider's SPF record. The allowed value is the domain name of the record you want to include (e.g., include:_spf.campaigncleaner.com).
exists	The exists mechanism in SPF records offers a way to perform conditional checks based on DNS lookups.
redirect	The "redirect" modifier lets a domain hand off its SPF policy to another domain.
all	This powerful tag defines how to handle emails from unauthorized sources. Allowed qualifiers: -all: Rejects emails from unauthorized senders (strict policy). ~all: Soft fails (marks as spam) emails from unauthorized senders (less strict policy). ?all: Neutral — takes no action for unauthorized senders (not recommended).

SPF Questions and Answers

SPF (Sender Policy Framework) is a DNS-based email authentication protocol that lets domain owners publish a list of IP addresses authorized to send email on their behalf. Receiving mail servers check this list to verify the sending IP. A valid SPF pass improves inbox placement and is required for DMARC alignment when DKIM is not present.

When an email is received, the receiving mail server performs a DNS TXT record lookup on the domain in the envelope sender (Return-Path). It then checks whether the sending IP address matches any of the authorized sources listed in that SPF record. If the IP matches, SPF passes. If it does not match and the record ends in -all, the email fails SPF.

RFC 7208 limits SPF records to 10 DNS lookups during evaluation. Each include:, a:, mx:, and ptr: mechanism that requires a DNS lookup counts toward this limit. Exceeding 10 lookups causes a PermerError, which many receiving servers treat as a hard SPF failure. Use ip4: and ip6: mechanisms where possible, and audit your include: chain regularly.

-all (HardFail) instructs receiving servers to reject mail from unauthorized senders. ~all (SoftFail) marks unauthorized mail as suspicious but still delivers it. ?all (Neutral) takes no action on unauthorized senders and provides no protection. For best deliverability and security, use -all once you have confirmed all legitimate sending sources are included in your record.

Common SPF failures include: sending from an IP not listed in the record, exceeding the 10-lookup limit (PermerError), having multiple SPF records on the same domain (only one TXT record starting with v=spf1 is allowed), and forwarded mail where the forwarding server's IP is not in the original domain's SPF record. Fix by auditing all sending sources, consolidating include: chains, and removing duplicate SPF records.

No. SPF only authenticates the envelope sender (Return-Path) address, not the visible From header. An attacker can still spoof the From address while passing SPF using a different Return-Path domain. Full spoofing protection requires DMARC, which enforces alignment between SPF and DKIM results and the visible From domain.

Domain:

How SPF Records Work

Shielding Your Inbox from Spoofing: The Power of SPF

SPF TAG Specification Explained

SPF Questions and Answers

What is SPF and why is it important for email deliverability?

How does SPF work?

What is the SPF 10-lookup limit and why does it matter?

What is the difference between SPF -all, ~all, and ?all?

What causes SPF failures and how do I fix them?

Does SPF alone protect my domain from spoofing?