Detailed SPF Record Lookup

Analyze Sender Policy Framework (SPF) records with full recursive expansion, tracking mechanism lookups (limit 10), identifying IP sources, and checking IPs against DNS blacklists.

Enter a domain name above to check its detailed SPF record.

What is SPF?

Sender Policy Framework (SPF) is an email authentication method designed to detect forging sender addresses. SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain.

When an email is received, the recipient's mail server checks the SPF record. If the sender's IP isn't listed, the email might be forged, and the server can reject, quarantine, or flag it.

Implementing SPF strengthens defenses against phishing and improves email deliverability.

Key Benefits:

Prevents Spoofing: Harder for attackers to impersonate your domain.
Improves Deliverability: Legitimate emails are less likely marked as spam.
Protects Brand Reputation: Avoids association with malicious emails.

The Best Tips for Implementing, Managing, and Verifying an SPF Record

Publish a DMARC Record.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) leverages SPF and DKIM to provide broader email authentication, specify handling for failed messages, and offer reporting.

Keep your SPF record concise.

Avoid unnecessary mechanisms. A shorter record is easier to manage and less prone to exceeding the 10-lookup limit. Remove unused "include" mechanisms.

Regularly review and update.

Update your SPF record when adding or removing email sending services. An outdated record can cause legitimate emails to be flagged or rejected.

Test before deploying.

Use an SPF lookup tool (like this one) to test changes thoroughly, especially when moving to a stricter policy (e.g., `~all` to `-all`), to ensure all legitimate sources are covered.

Understanding SPF Mechanisms and Qualifiers

An SPF record (a TXT record starting with `v=spf1`) uses mechanisms to define authorized senders and qualifiers to specify policy.

Common SPF Mechanisms:

`v=spf1`: Version (must be first).
`a`: Authorizes domain's A/AAAA records (e.g., `a`, `a:mail.example.com`).
`mx`: Authorizes domain's MX records.
`ip4`: Authorizes specific IPv4 address/range (e.g., `ip4:1.2.3.4`, `ip4:1.2.3.0/24`).
`ip6`: Authorizes specific IPv6 address/range.
`include`: Includes another domain's SPF (e.g., `include:spf.example.com`). Counts towards lookup limit.
`redirect=`: Points to another domain's SPF record. Overrides current record if matched. Counts as a lookup.
exists: Checks for A record existence of a constructed domain (e.g., exists:%{i}._spf.example.com). Counts as a lookup.
`all`: Catch-all, usually last, defining default policy.

Qualifiers (prefix to mechanisms, default is `+`):

`+` (Pass): Authorized.
`-` (Fail/Hardfail): Not authorized, reject. (e.g., `-all`)
`~` (Softfail): Not authorized, accept but mark/quarantine. (e.g., `~all`)
`?` (Neutral): No explicit policy. (e.g., `?all`)

Important SPF Limitations

The 10-DNS-Lookup Limit:

SPF evaluation MUST NOT exceed 10 DNS lookups for mechanisms like `a`, `mx`, `ptr`, `exists`, `include`, and `redirect` modifiers. Exceeding this (`permerror`) can cause validation failures.

TXT Record Length Limit:

A single TXT string is 255 chars. Multiple can form one record. However, DNS UDP responses (common) are practically limited (e.g., ~450-512 bytes). Very long SPF records might be truncated by some resolvers.

What are DNS Blacklists (DNSBLs)?

A DNS-based Blackhole List (DNSBL) lists IP addresses known for spam or malicious activity. Mail servers use DNSBLs to check sender IP reputation. If an IP is on a DNSBL, emails may be rejected, quarantined, or flagged.

This tool checks IPs from your SPF against common DNSBLs (like Spamhaus ZEN) to identify potential deliverability issues.

SPF Best Practices

One SPF Record Only: Multiple SPF (v=spf1) records on a domain are invalid.
End with `all`: Use `~all` (SoftFail) or preferably `-all` (HardFail). Avoid `?all` for effective protection.
Monitor Lookups: Stay under the 10-lookup limit. Flatten `include`s if possible by using direct `ip4`/`ip6` mechanisms from the included records if they are static.
Monitor Record Length: Keep the total length manageable for UDP DNS.
Use DMARC & DKIM: Implement DMARC with SPF and DKIM for comprehensive email authentication and reporting.
Regular Audits: Review sending sources and update SPF accordingly.
Start with `~all` (Softfail): When first implementing or making major changes, use `~all` to monitor before switching to `-all`.