Free SPF record checker. Fetches a domain's SPF record and walks every include and redirect the way a receiving mail server would, counting DNS lookups against the RFC 7208 limit of 10 (the most common silent SPF failure). Flags permerrors: multiple SPF records, broken includes, circular references, syntax errors, the deprecated ptr mechanism, and dangerous +all policies. Runs from our London probe. Useful for email deliverability debugging and pre-flight checks before DNS changes.
SPF (Sender Policy Framework) is a single TXT record that lists which servers are allowed to send email using your domain. It starts with v=spf1 and ends with an all mechanism that sets the default: -all (hard fail, reject everything else), ~all (soft fail, mark as suspicious), or the risky +all (allow anyone). A receiving server checks the sending IP against your ip4, a, mx, and include mechanisms in order and stops at the first match. This checker walks that same path so you see exactly what a mail server sees.
RFC 7208 caps an SPF evaluation at ten DNS lookups. Every include, a, mx, ptr, and redirect counts, and each one can pull in more from your providers. Add a few SaaS senders and you quietly cross the limit, which produces a permerror and causes SPF to fail even though the record looks fine. This is the single most common SPF failure and it appears without warning. The tool counts every lookup as it expands each include and flags the record before you hit the ceiling.
It also catches the other permerrors: more than one SPF record on the domain (which invalidates all of them), broken or circular includes, syntax errors, the deprecated ptr mechanism, and a dangerous +all that authorizes the entire internet to spoof you.
SPF (Sender Policy Framework) is a DNS TXT record that lists the servers authorized to send email for your domain. Receiving mail servers check the sending IP against it to help detect spoofing.
RFC 7208 limits an SPF check to ten DNS lookups. Every include, a, mx, ptr, and redirect mechanism counts. Exceeding it produces a permerror and causes SPF to fail, which is the most common SPF problem.
Both set the default for servers not otherwise authorized. -all is a hard fail that tells receivers to reject the mail, while ~all is a soft fail that tells them to accept but mark it as suspicious. -all is the stricter, recommended setting once you are confident your record is complete.
No. A domain must have exactly one SPF record. If two v=spf1 TXT records exist, the standard requires receivers to treat it as a permerror, which breaks SPF entirely. Merge them into a single record.