Free tools

SPF Record Checker

Look up any domain's SPF record, see every mechanism explained in plain English, and catch the errors that silently break deliverability.

How this SPF checker works

Enter a domain and the tool queries its TXT records over DNS (directly from your browser - nothing is stored). It finds the v=spf1 record, breaks each mechanism down, counts DNS lookups against the RFC 7208 limit of 10, and flags the classic failure modes: no record, multiple records, +all, a missing all qualifier, and the deprecated ptr mechanism.

The three records that make email deliverable

SPF says which servers may send for your domain. DKIM proves the message wasn't modified and really came from you. DMARC tells receivers what to do when either check fails, and makes the From header trustworthy. Check all three: DKIM checker · DMARC checker.

Never hand-write these records again

If you're setting up SPF because you send email from an application or an AI agent, AgenticEmail generates the complete record set for your domain - SPF, DKIM, DMARC, and receiving MX - and can push them to your DNS provider automatically, then verify them for you. See the docs for how domain onboarding works.

Frequently asked questions

What is an SPF record?
SPF (Sender Policy Framework) is a DNS TXT record that lists which mail servers are allowed to send email on behalf of a domain. Receiving servers check the connecting IP against the record; senders not on the list fail SPF and are more likely to be rejected or spam-foldered.
What does 'permerror' mean in SPF?
A permanent error while evaluating the record - most often more than one SPF record on the domain, more than 10 DNS-lookup mechanisms, or a syntax error. Receivers treat permerror like a missing record, so a broken SPF can be worse than none.
Should I end my SPF record with ~all or -all?
-all (hard fail) tells receivers to reject anything not listed; ~all (soft fail) asks them to accept but mark it. Start with ~all while you confirm every legitimate sender is included, then tighten to -all. Never use +all.
Why does the 10 DNS lookup limit matter?
Every include:, a, mx, ptr, exists, and redirect= costs a DNS query, counted recursively through nested includes. Past 10, receivers stop evaluating and return permerror. Services like Google Workspace, Microsoft 365, and CRMs each consume lookups quickly.
Does SPF alone stop spoofing?
No. SPF checks the envelope sender, not the From header users see, and it breaks on forwarding. You need DKIM signatures and a DMARC policy on top - check those with our DKIM and DMARC tools.
Talk to a real person