SPF Record Checker
Paste a domain. We'll fetch the SPF TXT record, recursively count every DNS lookup it triggers, and flag the issues that break authentication in practice.
What this SPF record checker does
This SPF record checker fetches the v=spf1 TXT record published on a domain and follows every mechanism it references. It counts the DNS lookups the record triggers, expanding each include:, redirect=, a, and mx the same way a receiving mail server would.
Why it matters
SPF tells receivers which servers are allowed to send mail for your domain. RFC 7208 caps the record at 10 DNS lookups. Cross that line and a receiver returns a PermError, which most treat as "SPF did not pass." Mail that should authenticate cleanly starts landing in spam or getting rejected, and the failure is silent until you read your DMARC reports. Checking the lookup count is how you catch that before it costs you deliverability.
How to read the result
The headline is the DNS lookup count. Under 10 is healthy. At 8 or 9 you are one new sender away from breaking, so plan ahead. Over 10 means receivers may already be returning PermError. The published record below the verdict is the raw TXT string, and the findings list explains each mechanism and any issue worth acting on.
Related
- How SPF works, the protocol primer behind this check.
- SPF vs DKIM vs DMARC, how SPF fits alongside DKIM and DMARC.
- SPF Flattener to fix a record that is over the 10-lookup limit, then SPF Record Generator to build one from scratch.
- Scan your domain to get your exact records plus guided setup, with SPF checked alongside DMARC, DKIM, and lookalike domains in one pass.
Frequently asked questions
How do I check an SPF record?▾
Enter your domain above and this checker fetches the v=spf1 TXT record, recursively expands every include, redirect, a, and mx the way a receiver does, and counts the DNS lookups. Or query it directly: dig TXT yourdomain.com +short.
What is the SPF 10 DNS lookup limit?▾
RFC 7208 caps SPF evaluation at 10 DNS lookups. Each include, redirect, a, mx, ptr, and exists mechanism counts, and nested includes count too. Cross 10 and receivers return a PermError, which most treat as an SPF failure, so legitimate mail can start landing in spam.
How do I fix too many SPF lookups (PermError)?▾
Flatten the record: resolve the includes that pull in the most lookups down to raw IP ranges with the SPF flattener, remove senders you no longer use, and avoid the ptr mechanism. Re-run this checker afterward to confirm you are back under 10.
Do I still need SPF if I have DKIM and DMARC?▾
Yes. SPF is one of the two authentication paths DMARC checks. SPF breaks on forwarding while DKIM survives it, so publishing both gives mail two ways to align and pass DMARC.
Want ongoing monitoring?
This tool is a one-shot check. PhishFence watches your domain with automated hourly monitoring (daily on Free) for DMARC changes, new lookalike registrations, and spoofing attempts.