SPF Record Checker

Analyze and validate SPF records for any domain with comprehensive insights and recommendations

SPF Record Overview

Domain

example.com Valid

SPF Record

Found Valid

Record Value

v=spf1 include:_spf.example.com ~all

Health Score

85%

Record Summary

SPF Policy

Your SPF record uses a soft fail (~all) policy which marks non-matching senders as suspicious but still accepts them.

Authorized Servers

Your SPF record authorizes approximately 28 IP addresses and 3 domains to send email on your behalf.

Record Complexity

Your SPF record has a simple structure with 2 include mechanisms and no nested includes.

Performance Metrics

DNS Lookups

3 lookups Limit: 10

Record Length

52 characters Limit: 255

Response Time

Average: 78ms Max: 126ms

SPF Record Components

Your SPF record contains the following components. Each component determines which servers are authorized to send email for your domain.

v=spf1 Version

SPF version 1 identifier that must be at the beginning of the record.

Valid

include:_spf.google.com Include

Includes all IP addresses authorized by Google’s SPF record.

Valid

Included Record:

v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all

DNS Lookups: 1 (direct) + 3 (nested) = 4 total

Authorized IPs: Approximately 20+ IP ranges

ip4:192.168.1.1 IPv4

Specifically authorizes the IP address 192.168.1.1 to send email.

Valid

mx MX

Authorizes all mail servers listed in the domain’s MX records.

Valid

~all All (SoftFail)

Specifies that servers not previously authorized should be treated as suspicious but not rejected outright.

Recommend -all

SPF Record Structure

This visual representation shows how your SPF record is structured and processed.

v=spf1 Start of SPF record
- include:_spf.google.com Google Services
  - include:_netblocks.google.com
    - ip4:64.233.160.0/19
    - ip4:66.249.80.0/20
  - include:_netblocks2.google.com
  - include:_netblocks3.google.com
- ip4:192.168.1.1 Your server
- mx Your mail servers
  - aspmx.l.google.com
  - alt1.aspmx.l.google.com
- ~all Soft-fail for all other servers

Processing Flow

When a receiving mail server gets an email claiming to be from your domain, it processes your SPF record in this order:

Check Google SPF

First, the server checks if the sending server is listed in Google’s SPF record

Check Specific IP

If not found, it checks if the sending IP matches 192.168.1.1

Check MX Records

If not found, it checks if the sending server is one of your MX mail servers

Apply ~all Policy

If the sending server isn’t in any of the above, mark the email as suspicious (soft fail)

Issues & Recommendations

Using Soft Fail (~all) Instead of Hard Fail (-all)

Your record uses ~all which only marks unauthorized senders as suspicious. For better security, consider using -all to explicitly reject unauthorized senders.

Recommended Fix:

Change ~all to -all in your SPF record

Good DNS Lookup Count

Your SPF record requires 8 DNS lookups, which is below the recommended maximum of 10 lookups.

Consider Adding SPF Alignment with DMARC

While your SPF record is valid, we recommend implementing DMARC in conjunction with SPF for enhanced security and deliverability.

Recommended Addition:

Add a DMARC record with "v=DMARC1; p=none; rua=mailto:[email protected]"

Private IP Address Detected

Your SPF record includes the private IP address 192.168.1.1, which is not reachable from the internet and serves no purpose in an SPF record.

Recommended Fix:

Remove "ip4:192.168.1.1" from your SPF record

Optimized SPF Record

Based on our analysis, here’s an optimized SPF record for your domain:

v=spf1 include:_spf.google.com mx -all

This optimized record removes the private IP and strengthens your policy by using -all.

DNS Lookups

This section shows all the DNS lookups performed to validate your SPF record.

Query Type	Domain	Result	Time
TXT	example.com	v=spf1 include:_spf.google.com ip4:192.168.1.1 mx ~all	28ms
TXT	_spf.google.com	v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all	42ms
TXT	_netblocks.google.com	v=spf1 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all	36ms
TXT	_netblocks2.google.com	v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all	46ms
TXT	_netblocks3.google.com	v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all	39ms
MX	example.com	aspmx.l.google.com (1), alt1.aspmx.l.google.com (5), alt2.aspmx.l.google.com (5)	33ms
A	aspmx.l.google.com	74.125.142.26, 74.125.142.27	44ms

DNS Lookups Summary

Total DNS Lookups: 8
TXT Record Lookups: 5
MX Record Lookups: 1
A/AAAA Record Lookups: 2
Average Lookup Time: 38.5ms

Raw DNS Data

This section shows the raw DNS data retrieved during the SPF check.

TXT Records

$ dig example.com TXT +short
"v=spf1 include:_spf.google.com ip4:192.168.1.1 mx ~all"
"google-site-verification=A1B2C3D4E5F6G7H8I9J0"
"MS=ms92835928"

MX Records

$ dig example.com MX +short
1 aspmx.l.google.com.
5 alt1.aspmx.l.google.com.
5 alt2.aspmx.l.google.com.

Included SPF Records

$ dig _spf.google.com TXT +short
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

$ dig _netblocks.google.com TXT +short
"v=spf1 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"

$ dig _netblocks2.google.com TXT +short
"v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"

$ dig _netblocks3.google.com TXT +short
"v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"

Parsed SPF Record

{
  "version": "spf1",
  "mechanisms": [
    {
      "type": "include",
      "value": "_spf.google.com",
      "qualifier": "+"
    },
    {
      "type": "ip4",
      "value": "192.168.1.1",
      "qualifier": "+"
    },
    {
      "type": "mx",
      "value": null,
      "qualifier": "+"
    },
    {
      "type": "all",
      "value": null,
      "qualifier": "~"
    }
  ],
  "valid": true,
  "lookups": 8,
  "ip_count": 37
}

Understanding SPF Records

Learn how SPF records help protect your domain from email spoofing and improve deliverability

What is an SPF Record?

A Sender Policy Framework (SPF) record is a DNS TXT record that specifies which mail servers are allowed to send email on behalf of your domain. It helps prevent email spoofing and protects your domain’s reputation by providing a way for receiving mail servers to verify if the sending server is authorized.

Why SPF Records are Important

Prevent Email Spoofing: Stop unauthorized servers from sending email as your domain
Improve Email Deliverability: Emails from authorized servers are less likely to be marked as spam
Protect Domain Reputation: Prevent your domain from being blacklisted due to spoofed emails
DMARC Compliance: SPF is a key component for implementing DMARC email authentication

How SPF Works

When a receiving mail server gets an email claiming to be from your domain, it:

Checks the sending server’s IP address
Looks up your domain’s SPF record in DNS
Verifies if the sending IP is listed in your SPF record
Handles the email according to your SPF policy (pass, soft fail, hard fail)

SPF Record Mechanisms

v=spf1: Specifies SPF version 1
a: Authorizes the A record (IPv4 addresses) of your domain
mx: Authorizes all the mail servers listed in your MX records
ip4:: Specifies authorized IPv4 addresses or ranges
ip6:: Specifies authorized IPv6 addresses or ranges
include:: Includes another domain’s SPF record
~all: Soft fail – unauthorized servers are treated as suspicious
-all: Hard fail – unauthorized servers are rejected

Best Practices for SPF Records

Use -all instead of ~all for stricter security
Keep DNS lookups under 10 to prevent lookup limit errors
Include all legitimate email sources (website, marketing tools, etc.)
Regularly review and update your SPF record
Use SPF in conjunction with DKIM and DMARC for comprehensive protection
Remove unnecessary or redundant mechanisms

Common SPF Problems

Too Many DNS Lookups: More than 10 DNS lookups will cause SPF to fail
Missing Authorized Senders: Some legitimate email sources aren’t included
Incorrect Syntax: Typos or formatting errors in the SPF record
Multiple SPF Records: Only one SPF record should exist per domain
Overly Permissive Policy: Using ?all or +all allows anyone to send

This SPF Record Checker analyzes your domain’s SPF records to help improve email deliverability and security.

SPF Record Checker

Analyzing SPF Records

SPF Record Overview

Domain

SPF Record

Record Value

Health Score

Record Summary

SPF Policy

Authorized Servers

Record Complexity

Performance Metrics

DNS Lookups

Record Length

Response Time

SPF Record Components

Included Record:

Found MX Records:

SPF Record Structure

Processing Flow

Check Google SPF

Check Specific IP

Check MX Records

Apply ~all Policy

Issues & Recommendations

Using Soft Fail (~all) Instead of Hard Fail (-all)

Recommended Fix:

Good DNS Lookup Count

Consider Adding SPF Alignment with DMARC

Recommended Addition:

Private IP Address Detected

Recommended Fix:

Optimized SPF Record

DNS Lookups

DNS Lookups Summary

Raw DNS Data

TXT Records

MX Records

Included SPF Records

Parsed SPF Record

Understanding SPF Records

What is an SPF Record?

Why SPF Records are Important

How SPF Works

SPF Record Mechanisms

Best Practices for SPF Records

Common SPF Problems