Check your SPF record now. We’ll translate the tech jargon for you.
Enter your domain to see if it’s vulnerable to spoofing or if others are sending emails on your behalf. Instantly check your DMARC, SPF, and BIMI status with a detailed security report. Enter your domain to see if it’s vulnerable to spoofing or if others are sending emails on your behalf. Instantly check your DMARC, SPF, and BIMI status with a detailed security report. Enter your domain to see if it’s vulnerable to spoofing or if others are sending emails on your behalf. Instantly check your DMARC, SPF, and BIMI status with a detailed security report. Not protected AGAINST IMPERSONATION ATTACKS DMARC NOT AT ENFORCEMENT Authentication Status for January 10, 2025 DMARC at Enforcement SPF Record Configured BIMI Ready Authentication Status for January 10, 2025 DMARC at Enforcement SPF Record Configured BIMI ReadyCheck your
domain nowYou’re not fully protected, learn more here.
Check your
domain nowYou’re not fully protected, learn more here.
Check your
domain nowYou’re not fully protected, learn more here.
Your Domain
exampledomain1.com
exampledomain1.com
Ever sent an important email only to discover it landed in someone’s spam folder? Or worse: had someone impersonate your domain and send emails pretending to be you? Chances are, your SPF record could be to blame.
SPF (Sender Policy Framework) is one of the most important factors in determining whether your emails reach their destination or disappear. It tells receiving mail servers which IP addresses are allowed to send email from your domain.
The problem is that SPF records look like someone just randomly threw together letters, colons, and IP addresses. Even worse, there’s a hidden limit of 10 DNS lookups that can break your authentication without warning if you exceed it.
No wonder so many domains have misconfigured SPF.
That’s exactly why we built this SPF checker. In seconds, it tells you if your domain has a working SPF record, whether it’s correctly configured, and (most importantly) if it’s actually protecting your domain from impersonation.
Below, we’ll show you how to use our SPF checker, what the results mean, and step-by-step instructions for fixing the most common problems.
What our SPF checker actually tells you
Running your domain through our SPF checker is about more than just getting a pass/fail result. This tool digs into your SPF configuration to show you exactly what’s working, what’s broken, and how to fix it.
Most checkers just tell you if an SPF record exists. Ours goes further by analyzing the actual effectiveness of your setup:
“Your SPF record has 12 lookups—exceeding the 10 lookup limit most mail servers enforce.”
“Your record includes overly permissive IP ranges that could allow spoofing.”
These insights help you understand not just whether you have SPF, but if it’s actually doing its job.
Authentication status at a glance
First up, you’ll see a clear status indicator showing if your domain is “Protected” or “Not Protected” against email spoofing. No technical jargon. Just a simple answer to whether your SPF is actually working.
The lookup counter (that might save your deliverability)
SPF has this sneaky 10 DNS lookup limit that can silently break your authentication when exceeded. Most IT folks discover this the hard way after wondering why their perfectly valid-looking SPF record isn’t working. Our checker counts these lookups for you and warns you before you hit that invisible wall.
Beyond just security, we explain how your current SPF setup might be affecting whether your emails reach their destination or land in spam folders. After all, what good is an email that never arrives?
Once you’ve reviewed your results, you can download a PDF report or email it to yourself (or your IT team) for later reference. And if problems show up, don’t worry. We’ll walk you through exactly how to fix them in a later section.
How to use the SPF record checker
So you’ve entered your domain name and hit that check button. Now what? Here’s how to make sense of what you’re seeing and actually do something useful with it.
Step 1: See what you’re working with
After you enter your domain and hit “Check,” you’ll get an instant snapshot of your SPF setup. Take a look at the actual SPF record we found: it’s that string of text starting with “v=spf1” that looks like it was written by someone with a broken keyboard.
If you don’t see anything here, congratulations! You’ve identified your first problem. You don’t have an SPF record at all.
Step 2: Count those lookups (seriously, this matters)
The number one silent killer of SPF records is exceeding the 10 DNS lookup limit. Our tool counts these for you, and if you’re over the limit, your SPF might as well not exist for many receiving mail servers.
Look for the lookup counter in your results. If it shows anything close to or over 10, that’s your top priority to fix.
Step 3: Check your protection level
Your SPF record ends with something like “-all” or “~all”—think of this as the security setting for your domain’s email. Here’s a translation:
- “-all” = reject everything not specifically allowed
- “~all” = suspicious, but might let some things slide
- “?all” = not sure what to do
- “+all” = come on in, everyone
We’ll tell you if your setting makes sense for your business or if you’re essentially leaving your email domain unprotected.
Step 4: Look for outdated services
Take a close look at the services listed in your SPF record (the parts after “include:”). Are you still using all of them? When IT teams set up new email services without cleaning up old ones, SPF records become bloated and ineffective. If you spot one you don’t recognize or no longer use, that’s cleanup work that’ll strengthen your SPF.
What to do with what you find
If you have no SPF record
Create one today. Right now. Like, after reading this paragraph. Even a basic SPF record is better than nothing. Start with:
v=spf1 include:_spf.google.com ~all(Substitute Google with your actual email provider)
If you’re over the lookup limit
You have two options:
- Clean up: Remove unnecessary services and consolidate includes.
- Get help: Use an SPF service (like ours) to automate your SPF record.
If your SPF is too permissive
Gradually tighten it up. Move from “+all” (allow everything) to “~all” (soft fail) first. Test for a week, then consider moving to “-all” (hard fail) for maximum protection.
If you see syntax errors
These need immediate attention. Even a single typo can invalidate your entire SPF record.
Before you go…
- Save your report. Use the download button to save a copy of your SPF analysis. It’s great documentation when you need to convince your IT team that email authentication deserves attention.
- Check quarterly. Set a reminder to run this check every three months. Email configurations drift over time as services get added or changed.
- Verify after changes. DNS updates take time to propagate (usually 24-48 hours). After making any changes, come back and check again to make sure everything’s working properly.
SPF checklist
Ready to get your SPF record in tip-top shape? Here’s a step-by-step checklist to make sure your email authentication is solid. Bookmark this page. You’ll want to return as you work through each stage of your SPF implementation.
1. Inventory your email senders
Before creating or updating your SPF record, take stock of all the services sending email from your domain:
- List all your mail servers and outbound email gateways
- Document third-party services that send email on your behalf (marketing platforms, CRM systems, support ticketing systems, etc.)
- Identify any cloud services or applications that send automated emails
- Check with department heads about any department-specific email tools
Missing just one legitimate sender can lead to authentication failures for valid emails, so be thorough.
2. Create your basic SPF record
Now that you know what should be authorized, it’s time to build your SPF record:
- Start with the version declaration: v=spf1
- Add your own mail servers using IP addresses or ranges: ip4:192.168.1.1 ip4:192.168.0.0/24
- Include third-party services using their mechanisms: include:_spf.google.com include:sendgrid.net
- End with an appropriate qualifier: -all (strict) or ~all (cautious)
If you’re not sure about a specific sender’s SPF mechanism, check their support documentation or contact them directly.
3. Check your record before publishing
Before going live, verify that your new SPF record is technically correct:
- Confirm the total length is under 255 characters (DNS limitation)
- Verify you have 10 or fewer DNS lookups (use our checker to count them)
- Check for syntax errors like missing spaces or incorrect formatting
- Test with our SPF checker to catch potential issues
Getting this right the first time prevents frustrating deliverability problems down the road.
4. Publish your SPF record
Make it official:
- Log into your DNS provider (GoDaddy, Cloudflare, AWS, etc.)
- Create a TXT record with host/name @ or blank (representing your root domain)
- Paste your SPF record as the value (without quotes—your DNS provider adds these automatically)
- Save changes and allow 24-48 hours for DNS propagation
5. Test and verify
After your record propagates, test to make sure it’s working:
- Run our SPF checker again to verify your record is visible
- Send test emails from your main email systems to external addresses
- Check email headers on received messages to confirm SPF is passing
- Test emails from third-party services to ensure they’re also passing SPF
If something’s not working, use the SPF checker to identify the specific issue rather than guessing.
6. Monitor and maintain
SPF isn’t a set-it-and-forget-it solution:
- Add new services to your SPF record as your email ecosystem evolves
- Remove obsolete services to prevent exceeding the 10 lookup limit
- Periodically check your SPF record (at least quarterly)
- Monitor email delivery rates and bounces for potential SPF issues
SPF record checker FAQ
Q: How often should I check my SPF record?
A: At minimum, check quarterly and after any changes to your email services. Email setups tend to drift over time as you add new marketing tools or change providers, and it’s surprisingly easy for SPF to break silently.
Q: Can I have multiple SPF records for one domain?
A: No. Multiple SPF records will cause authentication failures. If our checker finds more than one SPF record for your domain, you need to consolidate them immediately. Some DNS providers might let you create multiple records, but mail servers will see this as an error.
Q: What’s the difference between ~all and -all in my SPF record?
A: Think of ~all (soft fail) as a yellow light and -all (hard fail) as a red light. Soft fail suggests suspicious emails should be flagged but accepted, while hard fail tells receiving servers to reject unauthorized messages completely. Most organizations should start with ~all and move to -all after testing.
Q: Will fixing my SPF record stop all spam from appearing to come from my domain?
A: SPF helps, but it’s just one piece of the puzzle. For complete protection, you need the trio of SPF, DKIM, and DMARC working together. SPF alone can’t stop certain types of spoofing, particularly when attackers use domains that look similar to your exact domain.
Q: My SPF check shows “too many lookups.” What does this mean?
A: SPF has a hard limit of 10 DNS lookups per check. Each “include:” mechanism typically causes at least one lookup. When you exceed this limit, SPF checks fail completely for some recipients.
But if looking at DNS records makes your eyes glaze over, or if you’re managing multiple domains with complex email ecosystems, there’s a better way. Valimail Enforce puts your email authentication on autopilot with patented technology like Instant SPF™ that eliminates the 10-lookup limit and simplifies sender management.
Instead of constantly updating DNS records and tracking down IP addresses, you’ll get one-click authorization of pre-configured sending services and non-stop DMARC protection that stays current as your email ecosystem evolves.
Q: I made changes to my SPF record, but the checker still shows the old version. What’s happening?
A: DNS changes take time to propagate worldwide—typically anywhere from a few minutes to 48 hours. Our checker pulls live DNS data, so if you’re still seeing the old record, it means the update hasn’t fully propagated yet. Try again in a day if you’ve just made changes.
Q: Can I use SPF to authorize specific individual email addresses?
A: No. SPF works at the server level, not the individual email address level. It authorizes IP addresses or servers to send mail from your domain, but it can’t distinguish between different senders using the same server. For that level of control, you’d need to implement additional security measures beyond just SPF.
Stop wrestling with SPF records
SPF might feel like a technical headache, but it doesn’t have to be. Take 30 seconds to run your domain through our free SPF checker and find out where you stand. You’ll get a good idea of what’s working, what’s broken, and exactly what needs fixing.
If you want to dive deeper into your SPF records, create your free Valimail Monitor account and get access to our SPF Awareness.
This feature highlights the number of DNS lookups in your domain’s SPF record, showing whether your SPF authentication configuration contains too many links to additional providers.
Check your domain now to see your SPF status, or sign up for Valimail Monitor to get even more visibility into your sending services.
