
SPF Record Checker

Look up and validate SPF records with a full recursive lookup tree and issue detection

What does this tool check?

SPF Record Validation

Checks if your SPF record is syntactically correct and follows RFC 7208 specifications.

DNS Lookup Tree

Recursively resolves all include: mechanisms and shows the complete hierarchy of authorized senders.

Lookup Count

Counts the total DNS lookups required (max 10 allowed per RFC 7208). Exceeding this causes SPF failures.

Issue Detection

Identifies circular references, missing records, too many lookups, and other common SPF problems.

What is SPF?

SPF (Sender Policy Framework) is a DNS record that specifies which mail servers are authorized to send email on behalf of your domain.

  • Prevents email spoofing
  • Maximum 10 DNS lookups allowed
  • Required for DMARC compliance
  • Published as a TXT record

Want automated management?

DMARC Busta's Autopilot manages SPF, DKIM, and DMARC automatically with AI-powered decisions.


What is SPF (Sender Policy Framework)?

The DNS record that tells the world which servers can send email as your domain

SPF (Sender Policy Framework) is a DNS-based email authentication method that specifies which mail servers are authorised to send email on behalf of your domain. It works by publishing a specially formatted TXT record in your domain's DNS, listing the IP addresses and hostnames of servers permitted to send as your organisation.

When a receiving mail server gets a message claiming to be from your domain, it checks your SPF record to verify whether the sending server is on the approved list. If the server isn't authorised, the receiving system can flag, quarantine, or reject the message entirely.

SPF is a critical component of modern email authentication, working alongside DMARC and DKIM to form a complete email security framework. Without an SPF record, anyone on the internet can send email that appears to come from your domain.

Example SPF Record
v=spf1 include:_spf.google.com include:sendgrid.net ~all

How SPF Works

1. Sender sends email from your domain
2. Receiver queries your DNS for SPF record
3. Server IP is checked against allowed senders
4. Pass, fail, or softfail result is returned

What This Tool Checks

A comprehensive analysis of your SPF configuration against the official specification

Record Validation

Verifies correct syntax including valid mechanisms (ip4, include, mx), qualifiers, and version tags. Detects duplicate records and invalid entries.

DNS Lookup Tree

Maps the complete chain of DNS lookups your SPF record triggers, including nested includes and redirects. See exactly which servers and services are authorised to send.

Lookup Count (10 Maximum)

Counts every DNS lookup your record generates. The SPF spec enforces a strict limit of 10 lookups per evaluation — exceeding this causes legitimate email to fail.

Issue Detection

Identifies overly permissive policies, circular references, unreachable includes, and deprecated mechanisms that could compromise your email security.

How to Fix Common SPF Issues

Actionable fixes for the most frequent SPF problems we detect

Too Many DNS Lookups

Each include:, a:, and mx: mechanism triggers a DNS lookup, and nested includes count too.

Fix: Consolidate redundant includes, replace mechanisms with direct IP addresses, or use SPF flattening to bring your count within the limit of 10.

Missing SPF Record

Fix: Use our SPF Builder to create a correctly formatted record that includes your mail server, marketing platform, and transactional email provider.

Using +all Instead of ~all or -all

  • +all: Dangerous
  • ~all: Softfail
  • -all: Hardfail

+all accepts email from any server, completely defeating SPF. Change to ~all or -all.

Duplicate SPF Records

The SPF specification requires exactly one SPF TXT record per domain. Multiple records cause a permanent error, failing all SPF checks.

Fix: Merge all mechanisms into a single, consolidated SPF record.
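The checks described above (recursive lookup count, circular references, missing and duplicate records, +all) can be sketched as a static audit. This is an added example, not DMARC Busta's code: the zone contents and every .test domain are constructed, no DNS is queried, and ptr is counted per RFC 7208 although the page does not list it.

```python
"""Static SPF audit over an in-memory zone; no DNS queries are made."""
MAX_LOOKUPS = 10  # RFC 7208 limit cited above
# Terms that cost a DNS lookup (RFC 7208 also counts ptr, which the page does not list).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample data: domain -> TXT strings. All names are made up.
ZONE = {
    "example.test": ["v=spf1 mx include:_spf.mail.test include:loop-a.test ~all"],
    "_spf.mail.test": ["v=spf1 ip4:192.0.2.0/24 include:_nb.mail.test -all"],
    "_nb.mail.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "loop-a.test": ["v=spf1 include:loop-b.test -all"],
    "loop-b.test": ["v=spf1 include:loop-a.test -all"],
    "dup.test": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
    "open.test": ["v=spf1 +all"],
    "heavy.test": ["v=spf1 " + " ".join(f"include:s{i}.test" for i in range(11)) + " ~all"],
}
ZONE.update({f"s{i}.test": [f"v=spf1 ip4:203.0.113.{i} -all"] for i in range(11)})

def _walk(domain, zone, chain, state, issues):
    if domain in chain:  # this domain is already being evaluated further up the tree
        issues.append("circular reference: " + " -> ".join(chain + (domain,)))
        return
    records = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:  # zero or several SPF records cannot be evaluated
        issues.append(("missing record: " if not records else "duplicate records: ") + domain)
        return
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # a bare mechanism defaults to +
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as a/24
        if name == "all" and qualifier == "+":
            issues.append("+all authorises any sender: " + domain)
        if name in LOOKUP_TERMS:
            state["lookups"] += 1
        if name in ("include", "redirect") and target:
            _walk(target, zone, chain + (domain,), state, issues)

def audit(domain, zone=ZONE):
    """Return (lookup_count, issues), counting every term as a static checker does."""
    state, issues = {"lookups": 0}, []
    _walk(domain, zone, (), state, issues)
    if state["lookups"] > MAX_LOOKUPS:
        issues.append(f"too many DNS lookups: {state['lookups']} > {MAX_LOOKUPS}")
    return state["lookups"], issues

if __name__ == "__main__":
    for d in ("example.test", "dup.test", "open.test", "heavy.test", "nospf.test"):
        print(d, *audit(d))
```

A receiver evaluating a single message stops at the first matching mechanism, so the count here is the worst case for the record rather than the cost of any one delivery.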

Automate this: DMARC Busta's Autopilot mode continuously monitors your SPF records and automatically repairs common issues before they affect your email delivery.

Frequently Asked Questions

What is an SPF record?
An SPF record is a DNS TXT record that lists the mail servers authorised to send email on behalf of your domain. It starts with v=spf1 and contains mechanisms that identify permitted senders by IP address, hostname, or by referencing another domain's SPF record. Receiving mail servers query this record to verify whether an incoming message was sent from an authorised source.
Why is my SPF failing?
SPF failures are typically caused by exceeding the 10 DNS lookup limit, syntax errors in the record, missing include: directives for services that send on your behalf, or having multiple SPF records on the same domain. Use this checker to identify the specific cause.
What does "too many DNS lookups" mean?
RFC 7208 imposes a strict limit of 10 DNS lookups during SPF evaluation. The include:, a:, mx:, and exists: mechanisms and the redirect= modifier all count towards it, and lookups are counted recursively through nested includes. Exceeding this limit causes a permanent error (permerror), failing SPF entirely.
Do I need SPF if I have DMARC?
Yes. DMARC requires that at least one of SPF or DKIM passes and aligns with the From domain. While DMARC can technically pass on DKIM alone, best practice is to have both configured. SPF validates the sending server, DKIM validates message content, and together they provide comprehensive protection with redundancy.

Automate Your SPF Management

Stop manually fixing SPF issues. DMARC Busta monitors your records, detects problems, and repairs them automatically — across all your domains.
