FREE TOOL

SPF authentication validator

Verify SPF record syntax, count DNS lookups, and identify authorization gaps. Catch errors before emails fail authentication.

What It Does

Parse and validate your domain's SPF record with precision. Our checker retrieves your DNS TXT record, validates every mechanism, counts lookups (critical—must stay under 10), and verifies your policy setting. See exactly which IPs and services are authorized, plus get instant warnings for syntax problems or lookup overages.

Why It Matters

Invalid SPF = instant spam folder. Receiving servers check SPF first—if it fails, your email is toast. Exceeding the 10-lookup limit breaks authentication entirely, even if everything else is perfect. Most teams add service after service without realizing they've blown past the limit until deliverability crashes.

Key Features

Live DNS record retrieval
Full syntax validation with error pinpointing
DNS lookup counter (warns at 8, fails at 10+)
Mechanism breakdown: see every include, ip4, ip6, mx
Policy analysis: explains ~all vs -all vs +all
Service detection: identifies Google, Office 365, SendGrid, etc.
Lookup path visualization

Common Issues Detected

SPF record doesn't exist
Too many DNS lookups (>10 = broken)
Missing "all" mechanism (required at end)
Include chains causing lookup explosion
Typos in include statements
Dangerous +all policy (allows anyone)
Multiple SPF records (only one allowed per RFC)

Best Practices

Keep lookups between 5-8 (buffer for future services)
Replace includes with IP addresses where possible
Use ~all for most domains (softfail)
Use -all only after thorough testing (hardfail)
Never use +all (pass all—major security risk)
Remove old services immediately
Check after every provider change

How To Use

Enter your sending domain
Click "Validate SPF"
Check validation status (Pass/Warning/Fail)
Review DNS lookup count—must be ≤10
Verify all your sending services are included
Confirm policy ends with ~all or -all (never +all)

Understanding SPF records

SPF (Sender Policy Framework) records are DNS entries that specify which mail servers are authorized to send emails from your domain. They help prevent email spoofing and improve deliverability by allowing receiving servers to verify legitimate senders.

How SPF works

DNS publication

You publish a TXT record listing authorized sending sources.

Email verification

Receiving servers check if the sender is in your SPF record.

Policy enforcement

Unauthorized emails are handled per your policy (~all, -all, etc).

Benefits of SPF

Prevents spoofing

Makes it harder for attackers to forge emails from your domain.

Improves deliverability

Legitimate emails are more likely to reach the inbox.

Domain protection

Protects your domain reputation from abuse by spammers.

ANALYSIS RESULTS

example.com

SPF Record

Valid

DNS TXT record that specifies authorized mail servers

Analysis Details

DNS Lookups

out of 10 max

SPF records are limited to 10 DNS lookups to prevent infinite loops

Policy Mode

Authorized Mechanisms

No mechanisms found

We’ve got you covered

Are domains included in the package, or do I need to buy them myself?

You have 2 options on ScaledMail. You can purchase domains via ScaledMail and either use right away...or age them for use later. Aged domains have quite a few deliverability benefits! You can also use domains that you already own elsewhere on another registrar like GoDaddy or NameCheap. Our team can set up the DNS records for those domains for you and create your inboxes for sending!

Do I still need to warm up with ScaledMail accounts?

Both yes and no. While many users start sending emails right away, we’ve seen better results when accounts are warmed up for two weeks. We recommend warming up your accounts before sending.

Can I start sending from day one without warming up?

Yes, you can start sending 2 emails per day per ScaledMail account without warming up. However, we strongly recommend warming up your accounts for the best results.

Can I use domains I’ve previously used, or do I need new ones?

Yes, you can use existing domains if they aren’t damaged. That said, we recommend purchasing fresh domains since they generally perform better.

Why do we use 49 users per domain with Microsoft accounts?

This approach balances volume and safety. By sending just 2–5 emails per day per inbox, we rely on more inboxes per domain to increase overall capacity. This setup outperforms the traditional 2–3 inboxes per domain. While some competitors use 99+ inboxes per domain, this burns domains faster. We’ve found 49 inboxes to be the perfect balance.

Does ScaledMail offer Google and Microsoft accounts?

Yes, we do. We provide both Google and Microsoft accounts to ensure a diversified and stable cold email infrastructure.

How many emails can I send per ScaledMail Microsoft and Google account?

. Microsoft: Up to 15 emails/day per microsoft account (including warm-up)
.Google: Up to 25 emails/day per google account.

How does ScaledMail’s deliverability compare to other providers?

ScaledMail offers best-in-class deliverability, thanks to our advanced setup techniques and the reliability of Microsoft infrastructure.

Are the inboxes hosted on shared or private infrastructure?

Each customer is assigned separate and isolated tenants, so the infrastructure is not shared. Additionally, Microsoft rotates the tenant IP every 15 days for added security and reliability.