ZonoTools
Home/Developer/SPF Checker

SPF Checker

Domain for SPF (TXT at apex)

DNS lookups send the domain (or DKIM/DMARC host name) to this site's DNS API. Format checks for headers run locally in your browser.

How to use

  1. Enter the sending domain (apex / organizational domain where mail is sent from).
  2. Click Check SPF. TXT records are fetched only when you run the check.
  3. Read the published record, mechanism list, estimated DNS lookup count, and warnings (e.g. missing -all, over 10 lookups).

FAQ

Where is SPF published?

SPF is a TXT record at the root of the domain (apex), starting with v=spf1. It is not published on _dmarc or _domainkey hosts.

Does this send test email?

No. It only reads and analyzes the public DNS TXT record after you click Check SPF.

What is the 10 DNS lookup limit?

Receivers may fail SPF if resolving your record requires more than 10 DNS lookups (include, a, mx, ptr, exists, redirect each contribute).

Why are there multiple SPF records a problem?

The SPF spec allows only one record per domain. Multiple v=spf1 TXT strings cause PermError at receivers.

Does SPF alone stop spoofing?

SPF validates envelope sender alignment. Pair with DKIM and DMARC for stronger protection and reporting.

Introduction

An SPF checker reads your domainโ€™s Sender Policy Framework TXT record โ€” the list of hosts and mechanisms allowed to send mail claiming your domain. Misconfigured SPF is a top cause of spf=fail in Authentication-Results and sudden deliverability drops after adding a new ESP.

This tool fetches and analyzes SPF when you click Check SPF, so DNS is not queried on every keystroke.

What is SPF and what does this tool check?

SPF is a DNS TXT record (starts with v=spf1) that mail receivers use during SMTP. The checker:

  • Fetches TXT at the apex domain you enter
  • Selects the v=spf1 record and shows the full string
  • Lists mechanisms (include:, ip4:, mx, a, all, etc.)
  • Estimates DNS lookup count (warns above 8, errors above 10)
  • Flags missing or weak all (+all is overly permissive; -all or ~all is typical)
  • Warns if multiple SPF records appear in TXT

It does not send email or simulate receiver alignment โ€” only DNS publication and syntax hygiene.

Key Features

  • Apex domain input (accepts user@domain.com and extracts the host).
  • Button-triggered TXT lookup.
  • Mechanism breakdown and lookup budget estimate.
  • Copy-friendly raw SPF TXT display.
  • Empty input on load; use Sample for well-known domains.

Common Use Cases

  • Auditing SPF before onboarding SendGrid, Amazon SES, Mailgun, or Google/Microsoft relay.
  • Debugging spf=fail after adding include: for a new vendor.
  • Documenting the current record before a DNS change ticket.
  • Complementing DMARC Checker and DKIM Checker in an authentication review.

Best Practices

  • Publish one SPF TXT per domain; merge includes instead of stacking records.
  • End with -all (reject others) or ~all (softfail) for production senders โ€” avoid +all.
  • Keep DNS lookups under 10; flatten include: chains where possible.
  • SPF validates the envelope/from SMTP path; align with DKIM on the From: domain and enforce policy via DMARC.
  • After changes, allow DNS TTL/propagation time before re-testing.

Related Tools

Disposable Email CheckerDKIM CheckerDMARC CheckerEmail ValidatorMX LookupEmail Header Analyzer
Explore all Developer Tools