SPF Validation Report

Current SPF target

Domain:

Enter one domain such as example.com; pasted http(s) URLs are reduced to the hostname.

Resolver:

Choose Cloudflare DNS or Google Public DNS for the TXT lookup and expansion trace.

Expansion depth:

Use 1 to 15 levels; start with 8 unless a policy is unusually nested.

levels

Expansion nodes:

Use 5 to 80 domains; higher values reveal more trace rows but cost more DNS lookups.

domains

Qualifier	Term	Value	Lookup cost	Copy
{{ row.qualifier }}	{{ row.term }}	{{ row.value }}	{{ row.lookupCost }}

Check	Status	Notes	Copy
{{ row.label }}	{{ row.status }}	{{ row.note }}

Depth	Via	Domain	Lookups	Notes	Copy
{{ row.depth }}	{{ row.via }}	{{ row.domain }}	{{ row.totalLookups }}	{{ row.note }}

No lookup budget rows are available for the current SPF lookup.

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

SPF reviews usually start with a small change that looks harmless. A domain adds a help desk, a billing platform, a newsletter sender, a CRM, or a new outbound gateway, and the vendor asks for one more include in DNS. After enough of those changes, the policy can still look short in the zone file while the expanded SPF path has become difficult to reason about.

Sender Policy Framework (SPF) is a DNS-published authorization policy for the SMTP envelope identity, not for the visible message text. A receiving mail server checks the connecting host against the policy for the domain being evaluated and returns a result such as pass, fail, softfail, neutral, none, temporary error, or permanent error. The result helps receivers decide whether the host was expected to send for that domain.

The biggest practical misunderstanding is treating SPF as a whole-message authenticity stamp. SPF does not prove that the visible From address belongs to the sender, does not validate message content, and does not survive every forwarding path. DMARC can use SPF only when the authenticated envelope domain aligns with the visible From domain, so an SPF pass on the wrong domain may not help the message pass DMARC.

SPF terms and the decisions they affect
SPF ingredient	What it controls	Common review risk
Mechanisms	Terms such as `ip4`, `ip6`, `a`, `mx`, `include`, `exists`, and `all` describe matching routes.	DNS-triggering mechanisms can consume the shared lookup budget.
Qualifiers	`+`, `-`, `~`, and `?` set the result when a mechanism matches.	A missing qualifier means pass, which can make an accidental permissive term stronger than expected.
Modifiers	`redirect` can continue policy evaluation at another domain.	Policy control moves out of the root record while still using the same lookup budget.
Terminal policy	The final `all` term says what happens after earlier mechanisms do not match.	`+all`, `?all`, or no `all` can leave unauthorized mail less clearly rejected.

SPF also has a hard resource limit. Terms that can trigger DNS work share a maximum of 10 lookups across the root record and the policies reached through includes or redirects. A record with only two visible includes may still exceed the limit when those providers publish nested includes of their own.

A useful SPF review separates three questions. First, does the domain publish exactly one SPF-looking TXT record? Second, does the expanded policy stay within the DNS lookup limit? Third, does the terminal policy match the domain's rollout stage and risk tolerance? Those answers do not replace live message testing, but they catch the structural problems that make live testing unreliable.

How to Use This Tool:

Use the lookup as a structural SPF audit before changing DNS or adding another sender.

Enter the DNS domain in Domain. A clean value such as example.com is best, although pasted http or https addresses are reduced to their hostname.
Choose Validate SPF. If the field reports Enter a valid domain such as example.com., remove mailbox text, spaces, paths, or single-label hostnames.
Use Advanced when the resolver or trace limits matter. Resolver can use Cloudflare DNS, Google Public DNS, or Quad9 DNS. Expansion depth accepts 1 to 15 levels, and Expansion nodes accepts 5 to 80 domains.
Read the summary badges first. They show whether the record is coherent, has review notes, or needs attention, plus the lookup count, terminal policy, and trace-row count.
Open Directive Breakdown to inspect each parsed qualifier, term, value, and lookup cost from the selected SPF record.
Use Validation Notes to prioritize action. Duplicate SPF records and over-limit policies should be fixed before weaker rollout choices such as ?all or redirect delegation.
Open Expansion Trace and Lookup Budget Map when the count is high. The trace and chart show which include or redirect branch is using the most lookup budget, and the table or JSON output can be copied or downloaded for change notes.

After editing DNS, rerun the same domain with the same resolver. If another resolver still shows the old answer, wait for DNS cache expiry before making another policy change.

Interpreting Results:

The top status is a DNS policy review. SPF record is coherent means the selected record parsed cleanly, used no more than 10 counted DNS-triggering terms, and avoided the flagged policy patterns. SPF has review notes means the policy can be read but contains choices worth checking. SPF needs attention marks conditions that can break evaluation or push receivers toward a permanent error.

SPF validation outputs and next actions
Output cue	Meaning	Useful follow-up
`Record count`	Exactly one `v=spf1` TXT value is the expected publication shape.	Merge duplicate SPF TXT values into one record before tuning individual mechanisms.
`Lookup budget`	The expanded trace is counted against the SPF limit of 10 DNS-triggering terms.	Flatten, replace, or remove includes when the count is near 10, and treat counts above 10 as repair work.
`Terminal policy`	`-all` and `~all` are treated as healthy endings. Missing, neutral, or pass-all endings are review cues.	Use `~all` during cautious rollout and `-all` only after legitimate senders are accounted for.
`PTR mechanism`	A `ptr` mechanism appears in the root policy.	Prefer explicit IP ranges, provider includes, `a`, or `mx` guidance instead of reverse-DNS matching.
`Redirect usage`	A redirect modifier delegates policy evaluation to another domain.	Confirm that the redirected policy stays under the shared lookup limit and is controlled by a trusted party.
`Expansion Trace`	Include and redirect branches were followed until a depth limit, node limit, cycle, macro reference, or missing child policy stopped traversal.	Increase limits or manually inspect skipped branches when the trace says the shown path is incomplete.

A healthy structural review does not guarantee that every message will pass. Real delivery still depends on the sending IP, envelope domain, forwarding path, HELO identity, DKIM signatures, and DMARC alignment with the visible From domain.

Technical Details:

An SPF policy is selected from TXT records whose value begins with v=spf1. If no matching value exists, SPF returns none. If more than one matching value exists for the same owner name, SPF evaluation produces a permanent error before any sender IP is considered.

Term evaluation is ordered from left to right. A mechanism can match a sender, fail to match, or trigger a DNS lookup that affects the shared processing limit. The qualifier on the matching mechanism determines the SPF result: + for pass, - for fail, ~ for softfail, and ? for neutral. When a qualifier is omitted, SPF uses +.

Lookup Core:

The DNS lookup budget counts terms that can require additional DNS work. The root record and every followed include or redirect branch share the same budget, so nested provider policies can consume the limit even when the root record looks simple.

L = \sum_{i = 1}^{n} c (t_{i})

c (t) = 1 when t \in {include, a, mx, ptr, exists, redirect}; otherwise 0

SPF term handling and lookup cost
Term	Lookup cost	Review behavior
`include`	1	Counted and followed into the referenced policy when the value is a plain domain and trace limits allow it.
`redirect`	1	Counted, followed as another SPF policy, and flagged because policy responsibility moves to another domain.
`a`, `mx`, `ptr`, `exists`	1	Counted where they appear, but not expanded into address, MX, reverse-DNS, or exists-query subtrees in the trace.
`ip4`, `ip6`, `all`	0	Parsed for policy meaning without adding DNS-triggering lookup cost.

TXT answers can be split into quoted fragments in DNS. The fragments are joined before the SPF value is detected, then the first SPF-looking record is parsed for directive detail while the record-count check still reports how many SPF-looking values were present.

The expansion trace follows include and redirect references recursively. It stops when it reaches the selected depth limit, reaches the selected node limit, detects a cycle, finds no SPF record at a child domain, or sees a macro-style value that cannot be reduced to one stable lookup name. The root trace row carries the accumulated lookup count from the followed branches.

SPF structural checks and healthy conditions
Check	Healthy condition	Why it matters
Record count	Exactly one `v=spf1` TXT value is found.	Duplicate SPF records can force a permanent error.
Lookup budget	The expanded count is 10 or lower.	Receivers must protect themselves from unbounded DNS work.
Terminal policy	The last `all` mechanism is `-all` or `~all`.	Missing, neutral, or pass-all endings make the final decision less clear.
PTR mechanism	No `ptr` mechanism appears.	PTR-based matching is discouraged because it is slow, fragile, and DNS-heavy.
Redirect usage	No root redirect modifier appears.	Redirect can be valid, but it delegates policy control and still consumes lookup budget.

A simple substitution illustrates the count. If the root record has ip4, include, and all, and the included child policy has a, mx, and all, the counted total is 0 + 1 + 0 + 1 + 1 + 0 = 3. The result is under the SPF limit, but another nested include could change the answer without making the root record much longer.

Limitations and Privacy Notes:

The result is a live DNS policy review, not an SMTP-session test.

The queried domain is sent to the selected public DNS-over-HTTPS resolver.
The trace follows only include and redirect references. a, mx, ptr, and exists increase the count but are not dereferenced into detailed DNS trees.
Macro references are skipped in the expansion trace because their final lookup names can depend on message-time values.
No sending IP address, SMTP HELO identity, forwarding path, DKIM signature, or DMARC alignment is tested.
Resolver caches can disagree after DNS edits, so compare repeated checks with the same resolver before deciding whether a change has propagated.

Worked Examples:

Adding one hosted sender:

A domain publishes v=spf1 ip4:198.51.100.0/24 include:_spf.mail.example -all. The root record has one counted term because include costs 1 while ip4 and all cost 0. If the included policy contains a mx -all, the expansion adds two more counted terms and the lookup budget becomes 3/10.

A record near the limit:

A marketing stack with several provider includes may show Lookup budget as 9/10. The record is still inside the formal limit, but Lookup Budget Map should be checked before another sender is added. One nested provider change can move the policy from healthy to over limit.

Duplicate SPF publication:

If the TXT answer set contains two values that begin with v=spf1, Record count becomes Needs attention. A directive table can still show one record for inspection, but the duplicate must be merged or removed before the domain can be treated as SPF-valid.

Trace stopped before the full chain:

A deeply nested provider chain can reach the chosen depth or node limit. That note does not prove the live policy is safe or unsafe. It means the displayed count is bounded by the selected trace settings, so rerun with larger limits or manually inspect the skipped branch.

FAQ:

Does a coherent SPF record mean my mail will pass?

No. The result checks the published SPF policy structure. A message can still fail if it leaves through an unauthorized IP address, uses a different envelope domain, breaks during forwarding, or lacks DMARC alignment with the visible From domain.

Why is the SPF lookup limit 10?

SPF limits DNS-triggering terms so receivers are not forced into unbounded DNS work. The counted terms are include, a, mx, ptr, exists, and redirect.

Why does the trace skip macro references?

SPF macros can depend on values from a real message and SMTP session. A static domain review cannot safely turn them into one plain child domain, so a skipped macro row should be treated as a manual-review cue.

Should every redirect be removed?

No. A redirect can be a valid way to delegate SPF policy control. It is flagged because the redirected policy still shares the same 10-lookup budget and can change outside the root domain's visible TXT record.

Why did a pasted URL become just a domain?

SPF is published at a DNS owner name, not at a web page path. The domain field reduces pasted http and https values to a hostname before lookup.

Glossary:

SPF: Sender Policy Framework, a DNS-published policy that authorizes mail hosts for a domain identity.
Envelope domain: The SMTP identity checked by SPF, commonly associated with the MAIL FROM or return-path domain.
Mechanism: An SPF term such as include, ip4, mx, or all that can match a sender or define fallback behavior.
Qualifier: The optional symbol before a mechanism that sets the SPF result when that mechanism matches.
Redirect: An SPF modifier that continues policy evaluation at another domain after local mechanisms are considered.
Terminal policy: The final all mechanism, such as -all or ~all, used after earlier mechanisms do not match.
DMARC alignment: The requirement that an authenticated SPF or DKIM domain line up with the visible From domain for DMARC evaluation.

References:

RFC 7208: Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1, IETF, April 2014.
RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC), IETF, March 2015.
RFC 8484: DNS Queries over HTTPS (DoH), IETF, October 2018.