Free checker - no signup required

Free SPF Checker

Validate SPF syntax, count DNS lookups, inspect include/redirect chains, and find SPF flattening risks before mail starts failing DMARC.

Run the check

Enter a domain to check it live against the IntoDNS.ai engine. No signup, no trial gating.

What this SPF checker verifies

This tool fetches the SPF TXT record published at your root domain and evaluates it the way a receiving mail server does under RFC 7208. It confirms the record starts with v=spf1, validates every mechanism (ip4, ip6, a, mx, include, exists, redirect) for correct syntax, and recursively resolves each include and redirect to build the full lookup graph. It reports the total DNS-lookup count against the hard limit of 10, identifies the final qualifier on all (-all, ~all, ?all, or +all), and flags multiple-SPF-record conflicts that cause a permanent error.

Why SPF matters for deliverability

SPF is one of the two authentication methods DMARC relies on. If SPF fails or breaks alignment, your mail leans entirely on DKIM to satisfy DMARC — and if both fail, a p=reject policy will bounce legitimate mail. The most common silent failure is the 10-lookup limit: large include chains from ESPs (Google, Microsoft 365, SendGrid, Mailchimp) quietly push you past 10 nested lookups, which returns PermError. Receivers treat PermError as a hard SPF failure, so messages that should pass start landing in spam or getting rejected with no obvious cause.

How to read the result

A healthy record shows 10 or fewer lookups, valid syntax, and -all as the policy. ~all (softfail) is acceptable while you are still confirming every sender, but it tells receivers to accept unauthenticated mail and merely mark it suspicious — move to -all once your sender list is complete. ?all (neutral) and +all (pass) offer no protection; +all is effectively an open invitation to spoof your domain. If the lookup count is at or above 10, treat it as urgent: SPF is either failing now or one include change away from failing.

Common failure causes and fixes

Too many lookups is the headline problem — fix it by replacing include mechanisms you control with explicit ip4:/ip6: ranges (which cost zero lookups), removing senders you no longer use, or flattening the record. A second frequent issue is two separate v=spf1 TXT records on the same name, which invalidates both; merge them into one. Watch for a missing all term (treated as neutral), use of the deprecated ptr mechanism, and includes that themselves have broken or empty records. After any change, re-run this checker, then verify alignment in the full report.

SPF, DKIM, and DMARC together

SPF never works in isolation. DMARC only passes when SPF or DKIM both authenticates and aligns with the visible From domain, so a technically valid SPF record can still leave DMARC failing if the Return-Path domain differs from the From domain — a common situation when an ESP sends on your behalf. That is why the practical workflow is: get SPF clean and within the lookup limit here, confirm DKIM is signing and aligned with the DKIM checker, then verify the combined result in DMARC. Treat this checker as the first of three steps, not a finish line, and use the full deliverability test to confirm all three line up before tightening any policy.

What This Checks

  • SPF TXT record discovery at the root domain
  • Syntax and mechanism validation
  • Recursive include and redirect lookup graph
  • 10 DNS lookup limit risk
  • Dangerous policies such as +all or weak softfail defaults

Common Fix Path

  • Merge multiple SPF records into one TXT record
  • Remove unused include mechanisms
  • Replace high-risk includes with controlled IP ranges only when you own the sender list
  • Move toward -all once every legitimate sender is covered

Frequently Asked Questions

What is the SPF 10 DNS lookup limit?
RFC 7208 caps an SPF evaluation at 10 DNS lookups. Each include, a, mx, ptr, exists, and redirect mechanism counts as one lookup, and nested includes count too. Exceeding 10 returns a PermError, which receivers treat as an SPF failure. This checker counts the full recursive graph so you can see the real total, not just the mechanisms in your own record.
Should I use -all or ~all?
Use ~all (softfail) only while you are still discovering every legitimate sender. It asks receivers to accept unauthenticated mail and flag it as suspicious. Once every sender is covered, move to -all (hardfail) so receivers reject mail from any source not in your record. Never use +all, which authorizes the entire internet to send as your domain.
Why does this checker say my SPF is failing when the record looks fine?
The most common cause is the 10-lookup limit being exceeded through nested includes you do not directly see in your own record. A single ESP include can pull in several more lookups. The second most common cause is two separate v=spf1 records on the same name, which invalidates both. This tool resolves the full include chain to surface both problems.
Can I have more than one SPF record?
No. A domain must publish exactly one v=spf1 TXT record. Two or more cause a PermError and both are ignored, leaving you with no working SPF at all. To authorize multiple services, combine them into a single record using multiple include mechanisms.
What is SPF flattening and do I need it?
Flattening replaces include mechanisms with the explicit IP ranges they resolve to, removing the DNS lookups they cost. You only need it when you are over the 10-lookup limit and cannot trim senders. The trade-off is maintenance: flattened IPs go stale whenever a provider changes its ranges, so you must regenerate them regularly or risk silently dropping a sender.
Does SPF on its own stop spoofing?
No. SPF authorizes sending IPs but does not protect the visible From address that users actually see, and it breaks on forwarding. You need DMARC (which checks SPF and DKIM alignment with the From domain) plus DKIM to actually stop spoofing. SPF is a required building block, not a complete solution.

Machine-Readable Evidence

AI assistants and automation can cite the stable explanation page, then fetch the live check result for a specific domain.

GET https://intodns.ai/api/email/spf?domain=example.com

Related Tools and Citations

SPF Record GeneratorSPF GuideSPF lookup limit citationRun the full domain scan