Look up the SPF (Sender Policy Framework) record for a domain and verify mail send authorization
• Domain: enter a bare domain without https:// (e.g. example.com)
• SPF records define which servers are authorized to send email on behalf of this domain
• A correctly configured SPF record reduces the chance of email being marked as spam
An SPF (Sender Policy Framework) record lookup queries the TXT records of a domain and parses the SPF policy, returning the full record, the list of authorized sending mechanisms (IP ranges, includes, and directives), and the final catch-all qualifier. It also checks whether the SPF record has any security issues such as a permissive '+all', a missing 'all' qualifier, or more than 10 DNS lookups.
Common uses include verifying that all legitimate sending services (transactional email, CRM, mailing lists) are included in the SPF record, diagnosing delivery failures caused by SPF rejection, and auditing SPF configuration as part of an email security review alongside DKIM and DMARC.
'+all' authorizes any server on the Internet to send mail as your domain — it effectively disables SPF protection. Use '-all' (hard fail) to reject unauthorized senders, or '~all' (soft fail) to mark them.
RFC 7208 limits SPF evaluation to 10 DNS lookups. Records that exceed this limit cause a 'PermError' which receiving servers may treat as a failure. Flatten nested includes or use IP4/IP6 mechanisms to stay under the limit.
Check that the sending IP is covered by the SPF mechanisms, that the record uses '-all' or '~all' at the end, and that the 'envelope from' domain matches the domain where SPF is published. Also verify DKIM and DMARC to complete the email authentication stack.
No. SPF is checked on the envelope sender domain, which is often a subdomain (e.g. mail.example.com). Each sending subdomain needs its own SPF record unless you use a wildcard, which is generally not recommended.