SPF Record Checker
Validate any domain's SPF record. Check syntax, policy enforcement, and authorized mail senders.
What is SPF?
Sender Policy Framework is a DNS TXT record that lists which IP addresses and mail servers are allowed to send email for your domain. When a receiver gets an email claiming to be from your domain, it checks the SPF record to see if the sending server is authorized.
Hard fail vs soft fail
-all (hard fail) tells receivers to reject unauthorized emails. ~all (soft fail) tells receivers to accept but flag them. Hard fail is strictly more secure — use it once you've confirmed all your legitimate senders are listed.
SPF alone is not enough
SPF only validates the envelope sender (MAIL FROM), not the visible From: header that users see. An attacker can still forge the display address. That's why you need DMARC to tie SPF and DKIM together with a policy.
Common SPF mistakes
Too many DNS lookups (limit: 10), using +all (allows everyone), missing third-party senders (Mailchimp, SendGrid, etc.), and not setting a DMARC record to enforce the result. Our full scan catches all of these.
FAQ
Frequently asked questions
Is this SPF checker free?+
Yes. Check any domain's SPF record instantly — no signup, no credit card, no limits for reasonable use.
What does ~all mean in my SPF record?+
~all is a soft fail. It means "if the sender isn't in my list, flag it but don't reject it." This is the most common policy but it's permissive — switch to -all (hard fail) once you're confident all legitimate senders are listed.
How do I fix a missing SPF record?+
Add a TXT record at your domain's root with the value: v=spf1 include:_spf.google.com ~all (replace with your actual mail provider). Run a full CQwerty Shield scan for copy-paste instructions tailored to your setup.
What's the SPF 10-lookup limit?+
SPF records can include up to 10 DNS lookups (include:, a:, mx:, redirect=). Exceeding this causes a PermError which means your SPF record is invalid. Flatten your record if you're hitting the limit.
SPF Record Checker is just the start.
CQwerty Shield checks SSL, DMARC, SPF, DNS, HTTP headers, WHOIS, breach intel, and more — with CVE/KEV cross-references on every finding.
Free full scan — no signup →