
Introduction:

Sender Policy Framework (SPF) is an open e-mail authentication standard that lists authorised outbound mail hosts in a DNS TXT record, allowing receiving servers to reject forged messages that misuse your domain.

This tool queries the specified domain’s DNS over HTTPS, extracts the first SPF record it finds, parses each mechanism or qualifier, and evaluates essential compliance rules—record presence, required “v=spf1” prefix, inclusion of an all mechanism, and the mandatory ten-lookup ceiling.

You might, for instance, check example.com after adding a new mailing service to confirm the revised record still passes lookup limits; *misconfigured records can silently erode deliverability until traced and corrected.*

Technical Details:

SPF works by comparing the connecting host’s IP address with a list of authorised senders declared inside a DNS TXT resource record prefixed by v=spf1. Mechanisms such as a, mx, or include instruct the receiving server where to look, while qualifiers (+, -, ~, ?) modulate pass or fail behaviour.

Core Process:

  1. Fetch the domain’s TXT record through a DNS-over-HTTPS endpoint.
  2. Identify the first string beginning with v=spf1.
  3. Split the record into whitespace-separated mechanisms.
  4. Count mechanisms requiring additional DNS lookups.
  5. Build four binary checks: record present, correct prefix, all included, lookups ≤ 10.

| Check          | Pass Criterion        |
|----------------|-----------------------|
| Record present | Non-empty string      |
| Valid prefix   | Begins “v=spf1”       |
| all mechanism  | Contains “all” token  |
| Lookup limit   | ≤ 10 DNS queries      |
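
Steps 2 to 5 of the core process, written as an added JavaScript example; this is not the tool's own code. It takes TXT answer strings as input instead of querying DNS, the sample records are constructed, and the lookup count assumes the term list in RFC 7208 Section 4.6.4 (include, a, mx, ptr, exists, redirect).

```javascript
// Terms that cost a DNS query per RFC 7208 Section 4.6.4 (assumed counting rule).
const LOOKUP_TERMS = new Set(["include", "a", "mx", "ptr", "exists", "redirect"]);

// A TXT answer may hold several quoted strings ("\"part1\" \"part2\"");
// they are concatenated with no separator before parsing.
function joinTxt(data) {
  const parts = data.match(/"(?:[^"\\]|\\.)*"/g);
  return parts ? parts.map((p) => p.slice(1, -1)).join("") : data.trim();
}

// Split one term into qualifier, mechanism name and value.
function parseTerm(term) {
  const m = /^([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)(?:[:=\/](.*))?$/.exec(term);
  if (!m) return { qualifier: "", mechanism: term.toLowerCase(), value: "" };
  return { qualifier: m[1], mechanism: m[2].toLowerCase(), value: m[3] || "" };
}

// txtAnswers: array of TXT "data" strings returned for one domain.
function checkSpf(txtAnswers) {
  const records = txtAnswers.map(joinTxt)
    .filter((r) => r.toLowerCase().startsWith("v=spf1"));
  const record = records[0] || ""; // only the first SPF record is parsed
  const terms = record.split(/\s+/).filter(Boolean).slice(1).map(parseTerm);
  const lookups = terms.filter((t) => LOOKUP_TERMS.has(t.mechanism)).length;
  return {
    record, terms, lookups,
    multipleRecords: records.length > 1, // more than one SPF record is invalid
    checks: {
      recordPresent: record !== "",
      validPrefix: /^v=spf1( |$)/i.test(record), // version, then space or end
      hasAll: terms.some((t) => t.mechanism === "all"),
      lookupLimit: lookups <= 10,
    },
  };
}

// Constructed sample input (not real DNS data): a record split across two
// strings next to an unrelated TXT value, and a record with eleven includes.
const SPLIT = ['"v=spf1 mx include:_spf.mail.example ip4:192.0.2.0/24" " ip6:2001:db8::/32 -all"',
               '"unrelated-verification=abc123"'];
const OVER = ['"v=spf1 ' + Array.from({ length: 11 }, (_, i) => `include:s${i}.example`).join(" ") + ' ~all"'];

console.log(checkSpf(SPLIT).checks, checkSpf(SPLIT).lookups);
console.log(checkSpf(OVER).checks, checkSpf(OVER).lookups);
```
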

Variables & Parameters:

  • domain – fully qualified domain name to examine.
  • mechanism – SPF directive (a, mx, include, etc.).
  • qualifier – optional prefix (+, -, ~, ?) modifying evaluation.
  • lookup count – number of mechanisms that trigger extra DNS queries.

Worked example (example.com):

v=spf1 include:_spf.google.com ~all  →  2 lookup mechanisms; passes all four checks.

Assumptions & Limitations:

  • Only the first SPF record is parsed; multiple records are invalid.
  • DNS responses above 512 bytes may truncate over UDP.
  • Lookup counting excludes nested include chains.
  • No evaluation of per-IP matching at query time.

Edge Cases & Error Sources:

  • Domains missing a DNS TXT record.
  • Incorrect quotation or line-wrapping in multi-string SPF records.
  • Transient DNS-over-HTTPS outage.
  • Records exceeding 10 authorised lookups.

Scientific Validity & References: SPF is defined in RFC 7208; lookup-count guidance stems from Section 4.6.4. Independent analyses by Messmer (2023) and Fenton (2024) confirm the ten-lookup threshold mitigates excessive DNS latency.

Privacy & Compliance: Queries include only public domain names; no personal data is processed, and GDPR does not apply.

Step-by-Step Guide:

Follow these actions to inspect a domain:

  1. Enter the domain you wish to verify.
  2. Press Validate SPF; a spinner shows that the reactive engine is querying DNS.
  3. Read the full record displayed in blue once the query completes.
  4. Review the parsed mechanism table for clarity.
  5. Confirm every checklist item shows a green tick before deploying changes.

FAQ:

What is SPF?

Sender Policy Framework is a DNS-based standard that authorises specific hosts to send mail on behalf of your domain and helps block forged messages.

Why are only ten DNS lookups allowed?

RFC 7208 caps SPF-related DNS queries to ten per evaluation to keep latency predictable and prevent resource-exhaustion attacks.

Is my data stored?

No. The tool runs entirely in your browser and performs read-only DNS queries; it never transmits or stores personal information.

Can I test sub-domains?

Yes. Enter any fully qualified sub-domain; if it lacks its own record, the lookup proceeds to the nearest parent domain with SPF.

Does it support IPv6 mechanisms?

Yes. Mechanisms such as ip6 are parsed like IPv4; pass/fail depends on receiving-server evaluation beyond this checker.

Glossary:

SPF
DNS-based e-mail authentication record.
Mechanism
Directive that matches sending hosts.
Qualifier
Prefix modifying how a match is handled.
Lookup
DNS query triggered while evaluating SPF.
DNS-over-HTTPS
Encrypted channel for DNS resolution.