SPF Record Checker — Validate v=spf1 TXT Policies

SPF is a TXT record starting with v=spf1 listing mechanisms — ip4, include, mx, a, and a terminal all qualifier. During SMTP, receivers check whether the connecting IP matches an authorized mechanism. Failures contribute to spam folder placement or rejection depending on DMARC and local policy.

Our checker confirms the record exists at the domain apex, parses common tags into details, and runs validateSpf for syntax. It does not connect to your outbound SMTP host to prove alignment.

found true means a v=spf1 TXT appeared in root TXT answers. valid true means syntax passed our validator. found with valid false indicates a broken record receivers may treat as permerror — fix before bulk sends.

found false means no v=spf1 at the apex. Add SPF via your DNS host before marketing or transactional platforms send claiming the domain.

details may include parsed all qualifier (+all, -all, ~all, ?all), include targets, and ip4 lists when extractable. warnings flag common issues like excessive lookups risk or deprecated mechanisms.

Permissive +all or ?all weakens anti-spoofing even when valid true. Pair findings with email spoofing test and DMARC checker on the same domain.

email-deliverability awards up to 25 points for SPF — full when found and valid, partial when found but invalid, zero when missing. The score helps prioritize whether SPF is your only gap or one of several.

A perfect SPF score still needs DKIM, DMARC, and MX for the 80+ good tier. This page highlights SPF while JSON exposes the full picture.

Each include: mechanism triggers recursive DNS lookups during receiver evaluation. More than ten lookups yields permerror. Our checker does not recurse includes — manually audit deep chains or use flattening services when ESP documentation stacks many includes.

After adding includes from Google Workspace, Microsoft 365, or ESP vendors, re-run this checker and send test mail with Authentication-Results headers.

Mail from bounce.example.com may need SPF at that subdomain if Return-Path uses it. Enter the exact domain receivers evaluate in MAIL FROM, not only the marketing apex.

DMARC alignment may require organizational domain match — document both envelope and header domains when onboarding vendors.

Publish one SPF TXT per label — merging two v=spf1 strings invalidates both. Wait for TTL propagation after edits. Compare live value against our SPF record generator output before closing tickets.

Some DNS panels split long TXT into multiple strings — resolvers concatenate them. Our lookup presents combined answers as returned.

Draft policy client-side with SPF record generator, publish, then verify here. DMARC checker on this site uses the same email-deliverability API but emphasizes _dmarc policy rows.

Full authentication triage uses email-dns-health-check or spf-dkim-dmarc-checker when you need all three without SPF-only focus.

GET /ip-tools/api/extended?action=email-deliverability&domain=example.com returns emailDns.records with type SPF plus score. Automate post-deploy verification in CI after DNS Terraform applies.

Store SPF value and queriedAt in change-management systems for compliance evidence.

SPF TXT is public DNS data. Query domains you own or administer. We do not permanently store lookups.

SPF reveals mail vendor choices — handle exported JSON carefully in shared tickets.