SPF Record Checker

Look up a domain's published SPF record and check it for the common faults that break email authentication. The checker finds the v=spf1 TXT record, lists every mechanism, counts the DNS-lookup terms against the 10-lookup limit from RFC 7208, and flags a missing record, multiple records or a weak all policy. Live and private in your browser.

Read the guide: How to Check an SPF Record
Enter a domain to look up its published SPF record and count the DNS lookups it uses.

How it works

  1. Enter the domain

     Type the domain whose SPF you want to inspect, such as example.com. You do not need the full hostname.

  2. Run the check

     Press Check SPF or hit Enter. The tool queries the domain's TXT records over secure DNS and picks out the SPF record.

  3. Read the breakdown

     See each mechanism, how many of the 10 allowed DNS lookups it uses, the all policy, and any warnings worth fixing.

Instant & 100% private — nothing is uploaded

Everything runs locally in your browser. Your code, text and files are processed on your own device and are never sent to a server — so there are no upload waits, no size limits from us, and nothing is ever stored or logged.

Frequently asked questions

What is the SPF 10-lookup limit?
RFC 7208 caps the number of DNS lookups an SPF record may trigger at 10. The include, a, mx, ptr and exists mechanisms and the redirect modifier each cost a lookup; ip4, ip6 and all do not. Past 10, receivers must return a PermError and may treat your mail as unauthenticated. The checker counts these terms so you can see how close you are.
Why can a domain only have one SPF record?
SPF defines the policy in a single TXT record that begins with v=spf1. If a domain publishes two, receivers cannot tell which to use and the result is a PermError, so SPF effectively stops working. If you need to allow more senders, merge them into one record using include, rather than adding a second record.
What does the all mechanism mean?
The all mechanism is the catch-all at the end of the record. -all (fail) tells receivers to reject anything not already matched, ~all (softfail) tells them to accept but mark it, and +all passes everything and gives no protection. Most domains should end in -all or ~all once they are confident the rest of the record is complete.
Does the checker send my domain anywhere?
The lookup runs in your browser and queries a public DNS resolver over a secure connection to read the domain's TXT records. We do not store the domain you enter or keep a log of the result.
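
The checks described in the FAQ above (a single v=spf1 record, the lookup-term count against the limit of 10, and the all policy) can be sketched in JavaScript. This is an added example, not the checker's own code: it works on TXT strings that have already been fetched, and the function name analyzeSpf and the sample records are constructed for illustration.

```javascript
// Added example: analyses TXT strings already fetched for a domain (no DNS I/O).
// Terms that cost a DNS lookup, as listed in the FAQ above (RFC 7208).
const LOOKUP_TERMS = new Set(["include", "a", "mx", "ptr", "exists", "redirect"]);
const LOOKUP_LIMIT = 10;

function analyzeSpf(txtRecords) {
  // An SPF record is a TXT string whose first token is exactly "v=spf1".
  const spf = txtRecords.filter((r) => /^v=spf1(\s|$)/i.test(r.trim()));
  if (spf.length === 0) return { status: "missing", warnings: ["no v=spf1 record"] };
  if (spf.length > 1) return { status: "permerror", warnings: ["multiple v=spf1 records"] };

  const warnings = [];
  const mechanisms = [];
  let lookups = 0;
  let allPolicy = null;
  for (const term of spf[0].trim().split(/\s+/).slice(1)) {
    // Optional qualifier (+ - ~ ?), then a name ending at ':', '/' or '='.
    const m = /^([+\-~?]?)([a-z][a-z0-9_.-]*)(?:[:\/=].*)?$/i.exec(term);
    if (!m) { warnings.push(`unparsed term: ${term}`); continue; }
    const qualifier = m[1] || "+"; // no qualifier means "+" (pass)
    const name = m[2].toLowerCase();
    const costsLookup = LOOKUP_TERMS.has(name);
    if (costsLookup) lookups += 1;
    if (name === "all") allPolicy = qualifier + "all";
    mechanisms.push({ term, name, qualifier, costsLookup });
  }
  // Counts this record's own terms only; records pulled in by include or
  // redirect add their own lookups to the same budget when evaluated.
  if (lookups > LOOKUP_LIMIT) warnings.push(`uses ${lookups} lookups, limit is ${LOOKUP_LIMIT}`);
  if (allPolicy === "+all" || allPolicy === "?all") warnings.push(`weak all policy: ${allPolicy}`);
  const hasRedirect = mechanisms.some((x) => x.name === "redirect");
  if (allPolicy === null && !hasRedirect) warnings.push("no all mechanism");
  const status = lookups > LOOKUP_LIMIT ? "permerror" : "ok";
  return { status, lookups, allPolicy, mechanisms, warnings };
}

// Constructed sample TXT answers (example.com and example.net are reserved names).
const SAMPLE_OK = [
  "site-verification=constructed-value",
  "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.example.net ~all",
];
const SAMPLE_DUPLICATE = ["v=spf1 mx -all", "v=spf1 include:_spf.example.net ~all"];
const SAMPLE_OVER_LIMIT = [
  "v=spf1 " + Array.from({ length: 11 }, (_, i) => `include:s${i}.example.net`).join(" ") + " +all",
];

for (const sample of [SAMPLE_OK, SAMPLE_DUPLICATE, SAMPLE_OVER_LIMIT]) {
  const { status, lookups, allPolicy, warnings } = analyzeSpf(sample);
  console.log({ status, lookups, allPolicy, warnings });
}
```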