SPF Analyzer

Check and validate SPF records for any domain. See which servers are authorized to send email.

Sender authorization

Instant results

Detects issues

SPF checks senders, not email quality

Even with perfect SPF, disposable emails slip through. Our API blocks 280,000+ temp email domains at signup.

What is SPF?

SPF (Sender Policy Framework) is a DNS-based email authentication method that specifies which mail servers are authorized to send email on behalf of your domain.

IP Authorization

SPF publishes a list of IP addresses and CIDR ranges that are allowed to send email for your domain. Receiving servers check this list to verify the sender.

Prevents Spoofing

Without SPF, anyone can send email pretending to be from your domain. SPF tells receiving servers to reject or flag unauthorized senders.

DNS-Based

SPF records are published as TXT records in DNS. They're simple to set up and don't require any changes to your mail server configuration.

Works with DKIM & DMARC

SPF is most effective when combined with DKIM (cryptographic signing) and DMARC (policy enforcement). Together, they provide comprehensive email authentication.

SPF FAQ

Common questions about SPF records and email authentication

What does an SPF record look like?

An SPF record is a TXT record that starts with v=spf1 followed by mechanisms that define authorized senders. A typical SPF record looks like: v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 -all

The mechanisms include: include: (authorize another domain's SPF), ip4: and ip6: (authorize specific IPs), a (authorize the domain's A record IPs), mx (authorize the domain's MX servers), and all (default policy for non-matching senders).

What do -all, ~all, and ?all mean?

The "all" mechanism at the end of an SPF record defines what happens to emails from servers not explicitly authorized:

-all (hard fail): Reject emails from unauthorized servers. This is the most secure option and recommended for production domains.

~all (soft fail): Accept but mark emails from unauthorized servers. Good for testing or when you're not 100% sure of all sending sources.

?all (neutral): No opinion on unauthorized servers. Provides essentially no protection.

+all (pass): Allow all servers. Never use this—it defeats the purpose of SPF entirely.

What is the 10 DNS lookup limit?

SPF has a limit of 10 DNS lookups to prevent denial-of-service attacks. Each include:, a, mx, ptr, and exists mechanism counts as one lookup. Additionally, included domains can have their own includes, which also count toward your limit.

If your SPF record exceeds 10 lookups, it will fail with a "permerror" result. To fix this, you can: flatten your SPF record (replace includes with direct IPs), remove unnecessary mechanisms, or use SPF flattening services that automatically maintain an optimized record.

Why is my SPF failing?

Common reasons for SPF failures include: sending from a server not listed in your SPF record (forgot to add a new email service), exceeding the 10 DNS lookup limit, syntax errors in the SPF record, or having multiple SPF records (you can only have one).

To debug, check the email headers for the SPF result and the IP address that was checked. Then verify that IP is covered by your SPF record. Also ensure you don't have multiple TXT records starting with v=spf1.

Does SPF prevent spam?

SPF alone doesn't prevent spam—it only verifies that an email was sent from an authorized server. A spammer can set up their own domain with a valid SPF record and send spam that passes SPF checks.

SPF is one layer of email security. For comprehensive protection, combine it with DKIM (which cryptographically signs emails) and DMARC (which tells receivers what to do with failed authentication). Even then, you need content filtering and reputation systems to catch spam from legitimate-looking sources. To prevent fake signups using disposable emails, use our email detector or integrate our API.