spf checker
find and parse a domain's SPF (sender policy framework) record. part of the domainposture.com domain dossier.
Overview
spf (RFC 7208) lets a domain owner publish, via a single TXT record at the apex, which hosts are authorized to send mail on its behalf. the record begins with `v=spf1` and is followed by mechanisms (`include`, `a`, `mx`, `ip4`, `ip6`, `exists`, `ptr`) and a final `all` with a qualifier (`+` pass, `~` softfail, `-` fail, `?` neutral). receivers evaluate mechanisms left-to-right and apply the first match. this tool queries the TXT rrset via cloudflare's doh resolver, concatenates the quoted segments doh returns (spf strings are published as one or more 255-byte chunks), filters for the single record starting with `v=spf1`, and splits it into its mechanisms.
How to use
- enter a bare domain — public fqdn only. no schemes, ports, paths.
- run the check — a single TXT doh query at the apex, then filtered for `v=spf1`.
- read the mechanisms — left-to-right evaluation. the final `all` qualifier decides what happens to unmatched senders.
Examples
input
google.com
output
v=spf1 include:_spf.google.com ~all
input
github.com
output
v=spf1 ip4:192.30.252.0/22 include:_spf.google.com include:spf.protection.outlook.com -all
Common mistakes
- multiple spf records are forbidden — RFC 7208 §3.2 requires exactly one `v=spf1` TXT record at the apex. some operators split policies into two records thinking it helps; receivers are required to treat that as permerror. this tool reports it as an error.
- 10-DNS-lookup limit — each `include`, `a`, `mx`, `exists`, `ptr`, and `redirect` costs one dns lookup during evaluation. the total across the whole record (including nested includes) must stay at or below 10, or receivers return permerror. this tool surfaces the record but does not yet walk includes to count lookups.
- `~all` vs `-all` vs `?all` — `-all` is a hard fail: receivers should reject. `~all` is a softfail: accept but mark suspicious. `?all` is neutral: no opinion. `+all` is authorize-everything and is almost always wrong. dmarc policy amplifies whichever you pick.
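as an added example (not the domainposture.com tool's own code), the python below performs the steps described on this page offline, against a constructed in-memory stand-in for the DoH TXT answers: it joins the quoted chunks with no separator, isolates the single `v=spf1` record and raises the permerror case when a name publishes two, splits the record into qualified mechanisms and modifiers, reads the final `all` qualifier, and goes one step beyond the tool by walking `include` and `redirect` to count DNS lookups against the limit of 10. every name and record in `FAKE_TXT` is constructed; the function names are this example's own.

```python
"""Added example, not the domainposture.com tool's code: parse and check SPF
records offline against a constructed stand-in for DoH TXT answers."""
import re
from dataclasses import dataclass

# constructed stand-in for the DoH resolver: name -> list of TXT rdata strings,
# each written as DoH presents it (quoted chunks separated by whitespace)
FAKE_TXT = {
    "example.com": [
        '"v=spf1 include:_spf.example.net ip4:192.0.2.0/24 " "mx -all"',
        '"site-verification=constructed-token"',
    ],
    "_spf.example.net": ['"v=spf1 a include:_spf2.example.net ~all"'],
    "_spf2.example.net": ['"v=spf1 ip6:2001:db8::/32 -all"'],
    "twice.example": ['"v=spf1 -all"', '"v=spf1 include:_spf.example.net ~all"'],
    "loop.example": ['"v=spf1 include:loop.example -all"'],
}

QUALIFIERS = "+-~?"
# terms that each cost one DNS lookup during evaluation (RFC 7208 section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def join_txt_chunks(rdata):
    """Concatenate the quoted strings of one TXT rdata with no separator."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def find_spf(name, txt_table=FAKE_TXT):
    """Return the single v=spf1 record at name; raise LookupError if none,
    ValueError if more than one (receivers treat that as permerror)."""
    records = [join_txt_chunks(r) for r in txt_table.get(name, [])]
    spf = [r for r in records if re.match(r"v=spf1(\s|$)", r, re.I)]
    if not spf:
        raise LookupError(f"{name}: no SPF record")
    if len(spf) > 1:
        raise ValueError(f"{name}: {len(spf)} SPF records -> permerror")
    return spf[0]


@dataclass
class Term:
    qualifier: str     # '+' pass, '-' fail, '~' softfail, '?' neutral
    name: str          # mechanism or modifier name, lowercased, cidr stripped
    value: str         # text after ':' (mechanism) or '=' (modifier), may be empty
    is_modifier: bool  # True for redirect=, exp= and unknown modifiers


def parse_spf(record):
    """Split a record into terms; mechanisms without a qualifier default to '+'."""
    terms = []
    for tok in record.split()[1:]:  # skip the v=spf1 version tag
        m = re.fullmatch(r"([A-Za-z][A-Za-z0-9_.-]*)=(.*)", tok)
        if m:  # modifier, e.g. redirect=_spf.example.net
            terms.append(Term("+", m.group(1).lower(), m.group(2), True))
            continue
        qual = "+"
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        name, _, value = tok.partition(":")
        name = name.split("/", 1)[0]  # 'a/24' -> 'a' (dual-cidr form)
        terms.append(Term(qual, name.lower(), value, False))
    return terms


def all_qualifier(record):
    """Qualifier on the final all mechanism, or None if the record has no all."""
    for t in parse_spf(record):
        if t.name == "all" and not t.is_modifier:
            return t.qualifier
    return None


def count_lookups(name, txt_table=FAKE_TXT, path=()):
    """Total DNS lookups the record at name costs, walking include and redirect
    recursively; raises ValueError on an include loop."""
    if name in path:
        raise ValueError("include loop: " + " -> ".join(path + (name,)))
    total = 0
    for t in parse_spf(find_spf(name, txt_table)):
        if t.name in LOOKUP_TERMS:
            total += 1
        if t.name in ("include", "redirect"):
            total += count_lookups(t.value, txt_table, path + (name,))
    return total


if __name__ == "__main__":
    rec = find_spf("example.com")
    print(rec)
    for t in parse_spf(rec):
        print(f"  {t.qualifier}{t.name} {t.value}".rstrip())
    print("all qualifier:", all_qualifier(rec))
    n = count_lookups("example.com")
    print(f"dns lookups: {n}/{MAX_LOOKUPS}", "ok" if n <= MAX_LOOKUPS else "permerror")
```

the lookup counter adds one for every lookup-costing term in every record it visits, whether or not that term would match for a given sender; that matches how receivers apply the cap, since they count terms rather than matches. to point it at real data, replace `FAKE_TXT` with the TXT strings returned by a DoH query for the name.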
FAQ
why does the tool flag multiple spf records as an error?
RFC 7208 §3.2 forbids it. conformant receivers treat multi-record cases as permerror, so mail from the domain may fail delivery until it's collapsed into one.
does spf alone stop spoofing?
no. spf authenticates the envelope sender (RFC 5321 MAIL FROM), not the visible From: header. pairing spf with dkim and publishing a dmarc policy is what closes the gap.
what if the record is split across quoted segments?
doh returns long TXT values as multiple quoted strings separated by whitespace; the spec says receivers must concatenate them with no separator. the tool does that before parsing, so `"v=spf1 include:_spf.google.com " "-all"` becomes `v=spf1 include:_spf.google.com -all`.
why is `ptr` considered harmful?
`ptr` forces the receiver to do reverse-dns on the connecting ip, which is slow and unreliable. RFC 7208 explicitly discourages it. prefer `ip4`/`ip6` ranges or `include`.
can a subdomain have its own spf record?
yes. spf is checked at whatever name appears in the MAIL FROM, so a subdomain publishes its own TXT. this tool checks the apex you entered — query `mail.example.com` directly if that's the sender.
what is an spf record?
an spf (sender policy framework) record is a single txt record at a domain's apex listing which hosts may send mail as that domain. it begins with `v=spf1`, followed by mechanisms like `include`, `ip4`, and `mx`, and ends with an `all` qualifier deciding what happens to everyone else.
how do i check an spf record?
enter the bare domain above: the tool fetches the apex txt records, isolates the one starting with `v=spf1`, and splits it into its mechanisms so you can read them left-to-right. it also flags the permerror case where a domain wrongly publishes more than one spf record.
what is the spf 10 dns lookup limit?
spf evaluation must resolve at most 10 dns lookups across the whole record, counting every `include`, `a`, `mx`, `exists`, `ptr`, and `redirect`, including nested ones. exceed it and receivers return permerror, so your mail fails spf. flatten or consolidate includes to stay under the cap.
Related tools
- dns lookup — resolve A, AAAA, MX, TXT, NS, or CNAME records via Cloudflare DoH.
- dns records lookup — resolve A, AAAA, NS, SOA, CAA, and TXT records for a domain in one go.
- mx lookup — list the mail exchangers (MX records) a domain advertises, sorted by priority.