Sender Policy Framework (SPF) Checker and Validator

Mechanism	Value	Copy
{{ t.qualifier + t.mechanism }}	{{ t.value }}

SPF Check	Result	Copy
{{ c.label }}	Pass Fail

Sender Policy Framework records state which servers may send mail for a domain and help receivers decide whether to accept a message. Checking this record clarifies who is authorized and highlights configuration risks that can weaken delivery.

Enter one domain and run a quick lookup so you see the published text and a readable breakdown of its parts. A Sender Policy Framework record checker for domains helps you spot issues early and understand the effect of each mechanism on delivery.

Results summarize the record, the time to answer, and the number of lookups it can trigger, followed by a pass or fail view of common pitfalls. You can reuse the parsed parts for audits and change tracking when planning updates with your team.

For a simple example, a domain that ends with a strict rule signals that only listed sources are allowed, while permissive endings may invite unwanted mail. Consistent entries and clear endings tend to reduce surprises for receivers.

Treat results as configuration feedback rather than proof of sender identity. Combine this check with other mail controls for a fuller picture.

Technical Details:

This tool inspects Sender Policy Framework (SPF) data published as Domain Name System (DNS) TXT records for a single domain. It retrieves answers through DNS over HTTPS (DoH), then selects the primary SPF line and parses it into qualifiers and mechanisms for interpretation.

The computation extracts the SPF string that starts with v=spf1, picks the longest such line when multiple are present, and splits it into tokens. From these tokens it estimates the DNS lookup count by tallying mechanisms that can induce lookups and evaluates a checklist of safety and hygiene rules.

Interpretation emphasizes three outcomes: whether a valid SPF line is present, whether the policy terminates cleanly, and whether the estimated lookup count stays within common operational limits. Borderline cases near limits should be reviewed before adding new includes or hosts.

Comparisons are meaningful when the domain and record text are unchanged and the same parsing and lookup rules are applied. Network timing varies with resolver conditions and should not be used as a reliability metric.

Processing Pipeline:

Build a DNS-over-HTTPS URL for the queried domain.
Request TXT answers with an Accept: application/dns-json header.
Collect lines that begin with v=spf1; choose the longest line.
Split the line into space‑separated tokens after v=spf1.
For each token, capture optional qualifier (+, -, ~, ?), mechanism, and value.
Estimate lookup count by counting mechanisms in {include, a, mx, ptr, exists, redirect}.
Evaluate checks: presence, header, single record, terminator, order, qualifiers, duplicates, deprecated use, lookup limit, permissive ending, and length.

Symbols & Units:

Symbols and units used in computation
Symbol	Meaning	Unit/Datatype	Source
`D`	Domain name	String	Input
`R`	Primary SPF record line	String	Derived
`T`	Time To Live	s	Derived
`t`	Lookup elapsed time	ms	Derived
`L`	Estimated DNS lookups	count	Derived
`n`	Record length	characters	Derived
`q`	Qualifier on a token	`+` \| `-` \| `~` \| `?`	Derived
`m`	Mechanism name	String	Derived

Worked Example:

R = "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net ~all"

\begin{array}{lcl} L & = & 1 lookup terms \\ T & = & 3600 s \\ t & = & 45 ms \end{array}

Interpretation: The policy ends with ~all, the terminator is last, and the lookup estimate is modest. Tightening to -all would reject non‑listed senders.

Interpretation & Thresholds:

Operational thresholds derived from checks
Threshold Band	Lower Bound	Upper Bound	Interpretation	Action Cue
Lookup count safe	0	10	Within estimated DNS lookup budget.	Proceed; review before adding includes.
Record length safe	0	255	Fits a single TXT string.	Shorten if approaching the limit.
Terminator strict	~ or -	~ or -	Policy ends with `~all` or `-all`.	Avoid permissive endings.
`all` order	last	last	Ending mechanism appears last.	Move it to the end if needed.

Validation & Bounds (from code):

Validation rules and error messages
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
Domain	String	1	—	Trailing dot removed	“Domain is required”, “No SPF record found”, “Lookup failed”	`example.com`

I/O Formats & Encoding:

Input/output behaviors
Input	Accepted Families	Output	Encoding/Precision	Rounding
Domain name	ASCII labels	SPF line, tokens, checks, TTL, time	UTF‑8 text; JSON and CSV available	Elapsed time rounded to nearest ms

Networking & Storage Behavior:

Performs a GET request to a DNS-over-HTTPS resolver endpoint with application/dns-json.
No server-side storage by this site; downloads and copies are created in the browser.
TTL is taken from the first DNS answer; timing is measured client‑side.

Performance & Determinism:

Parsing is linear in token count.
Given the same record text, tokenization and checks are deterministic.
Network time varies with resolver load and proximity.

Security Considerations:

Do not rely on a passing checklist as proof of sender legitimacy.
HTML rendering of prettified JSON is injected intentionally; trust only known-safe highlighters.
Avoid sharing sensitive internal hostnames in public forums when copying results.

Assumptions & Limitations:

Only the longest v=spf1 line is parsed when multiple lines exist.
Lookup count is estimated from mechanisms in the current line; includes are not expanded.
Macro evaluation is not performed.
Internationalized domains are not converted; use ASCII labels.
Record length check applies to a single TXT string.
Order check requires the ending mechanism to be last.
Deprecated ptr usage is flagged.
Heads‑up Timing reflects client conditions and resolver behavior.

Edge Cases & Error Sources:

Trailing dots are stripped; leading/trailing spaces invalidate input.
Multiple SPF lines may indicate misconfiguration; only one is treated as valid.
Multi‑string TXT records are not concatenated into one logical line.
Unknown mechanisms are parsed but not specially validated.
Permissive endings like +all are flagged.
Very long lines over 255 characters fail the length check.
Transient network errors yield a lookup failure message.
Resolver differences can change TTLs and timing.
Large token counts increase parsing time slightly.
Copy and download depend on clipboard and file APIs being available.

Privacy & Compliance:

Requests are sent from the browser to a public DNS over HTTPS resolver; the site does not retain inputs or outputs on a server. Use results responsibly and avoid exposing sensitive internal hostnames.

How‑to · Step‑by‑Step Guide:

Sender Policy Framework inspection produces a parsed record, an estimated lookup count, and a checklist summary.

Enter the domain you want to inspect.
Select validate to query DNS and collect TXT answers.
Review the record text and the list of parsed tokens.
Check the lookup estimate and the pass or fail items.
Copy the record or export summaries for change reviews.

Example: example.com returns a record that ends with -all, includes one include, and passes the lookup limit.

Prefer strict endings after testing legitimate senders.
Keep includes lean and documented.

You now have a concise view to decide whether to adjust sources or qualifiers.

FAQ:

Is my data stored?

No server stores your input or results; requests are made from your browser to a DNS resolver.

Clipboard and downloads stay on your device.

How accurate is the lookup count?

It counts mechanisms in the current line that induce DNS lookups. It does not expand includes, so treat it as a conservative estimate.

Complex include chains may change real resolver behavior.

What units are TTL and time?

TTL is in seconds from the DNS answer and time is milliseconds measured locally during the query.

Network and cache conditions affect both.

Can I use non‑ASCII domains?

Use ASCII labels. Internationalized names are not converted in this package.

Convert to ASCII externally before input.

Does it work offline?

No. A network request to a DNS resolver is required to read TXT records.

Try again when connected.

What does a “borderline” result mean?

Values near limits, such as lookup count close to 10 or record length near 255, are risky when adding new sources. Consider simplifying before expanding.

Re‑test after each change.

How do I validate a CSR?

This utility is for Sender Policy Framework records. Certificate signing requests are out of scope.

Use a dedicated CSR inspector.

What about cost or licensing?

No licensing terms are included in the package. Use is not gated by sign‑in or server access in this build.

Check your organization’s policies before distribution.

Troubleshooting:

“Domain is required” — enter a domain and try again.
“No SPF record found” — publish or correct the TXT record.
“Lookup failed” — retry later or switch networks.
Multiple SPF lines — consolidate to a single authoritative line.
Excess lookups — remove unused includes or switch to CIDR ranges.
Permissive ending — replace +all with ~all or -all after testing.
Long record — shorten mechanisms or move data to includes.

Blocking scenario: DNS resolver does not answer. Resolution is required before validation can proceed.

Glossary:

Sender Policy Framework (SPF): A policy that lists permitted mail sources for a domain.
Mechanism: A token in SPF that matches senders, such as a or mx.
Qualifier: A prefix that sets pass or fail behavior for a mechanism.
Time To Live (TTL): How long a DNS record may be cached by resolvers.
DNS over HTTPS (DoH): A way to query DNS using HTTPS transport.
Terminator: The ending policy such as ~all or -all that sets the default.