Free Tool

SPF authentication validator

Verify SPF record syntax, count DNS lookups, and identify authorization gaps. Catch errors before emails fail authentication.

Domain to analyze

What It Does

Parse and validate your domain's SPF record with precision. Our checker retrieves your DNS TXT record, validates every mechanism, counts lookups (critical—must stay under 10), and verifies your policy setting.

See exactly which IPs and services are authorized, plus get instant warnings for syntax problems or lookup overages.

Why It Matters

Invalid SPF = instant spam folder. Receiving servers check SPF first—if it fails, your email is toast.

Exceeding the 10-lookup limit breaks authentication entirely, even if everything else is perfect. Most teams add service after service without realizing they've blown past the limit until deliverability crashes.

Key Features

Live DNS record retrieval

Full syntax validation with error pinpointing

DNS lookup counter (warns at 8, fails at 10+)

Mechanism breakdown: see every include, ip4, ip6, mx

Policy analysis: explains ~all vs -all vs +all

Service detection: identifies Google, Office 365, SendGrid, etc.

How To Use

1Enter your sending domain
2Click "Validate SPF"
3Check validation status (Pass/Warning/Fail)
4Review DNS lookup count—must be ≤10
5Verify all your sending services are included
6Confirm policy ends with ~all or -all (never +all)

Common Issues Detected

SPF record doesn't exist
Too many DNS lookups (>10 = broken)
Missing "all" mechanism (required at end)
Include chains causing lookup explosion
Typos in include statements
Dangerous +all policy (allows anyone)
Multiple SPF records (only one allowed per RFC)

Best Practices

Keep lookups between 5-8 (buffer for future services)
Replace includes with IP addresses where possible
Use ~all for most domains (softfail)
Use -all only after thorough testing (hardfail)
Never use +all (pass all—major security risk)
Remove old services immediately
Check after every provider change