UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

SPF Record Checker

Look up and parse a domain's SPF DNS record. Validates mechanisms, counts DNS lookups against the RFC 7208 ten-lookup limit, and flags soft/hard fail qualifiers.

About SPF Record Checker

The SPF Record Checker queries the TXT records at a domain's apex and isolates the one that begins with v=spf1, then walks every mechanism in order. Each lookup-bearing mechanism (include, a, mx, exists, ptr, redirect) counts toward the RFC 7208 ten-DNS-lookup ceiling, and senders that exceed it trigger a permerror at strict receivers (Google, Outlook, Proofpoint), which can quietly reject all of your mail. The tool surfaces the running lookup count, breaks down each mechanism with its qualifier (+, -, ~, ?), and detects the common failure of publishing more than one v=spf1 record — also a permerror. Use it when onboarding a new ESP, debugging deliverability complaints, or verifying a vendor's recommended include: chain fits inside your budget. The query runs once from our backend against public DNS; nothing about the domain is forwarded to a third party.

Why use SPF Record Checker

  • Counts lookup-bearing mechanisms in real time so you stay under the RFC 7208 limit of 10.
  • Flags multiple SPF records on the same domain — a silent permerror that rejects all mail.
  • Highlights the qualifier on each mechanism so soft-fail (~all) versus hard-fail (-all) is obvious.
  • Shows the entire record verbatim so you can copy it into your DNS provider for review.
  • Runs a single TXT query — no zone transfer, no scraping, no third-party telemetry.
  • Pairs with our SPF Record Generator and DMARC Record Checker for a full email-auth audit.

How to use SPF Record Checker

  1. Enter the apex domain in the input — for example, example.com (no http:// or trailing slash).
  2. Click Check SPF to run a single TXT lookup against public DNS.
  3. Review the raw record text, then scan the per-mechanism table for the qualifier column.
  4. Compare the DNS lookups counter against the 10-lookup ceiling — green is safe, orange is approaching, red is over.
  5. Watch for the multiple-records error and consolidate any extra v=spf1 entries into one TXT record.
  6. Open the DMARC Record Checker tool to confirm SPF alignment is enforced via your domain policy.

When to use SPF Record Checker

  • After adding a new email service provider that publishes its own include: chain.
  • When recipients report your mail landing in spam or being rejected with a 5.7.x SPF error.
  • Before tightening the DMARC policy from p=none to p=quarantine or p=reject.
  • While auditing a vendor's recommended SPF include for hidden lookup overhead.
  • After a corporate acquisition that consolidates multiple sending domains into one apex.
  • On any new domain you control to confirm a baseline SPF record exists and is well-formed.

Examples

Google Workspace tenant

Input: example.com

Output: v=spf1 include:_spf.google.com ~all → 1 lookup, 9 remaining, soft fail

Multi-provider sender at the lookup limit

Input: shop.example.com

Output: v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org include:servers.mcsv.net include:spf.protection.outlook.com -all → 5 lookups (some include trees expand further)

Domain with no SPF

Input: no-mail.example

Output: No SPF record found — strict receivers may flag this domain as spam.

Tips

  • Stay below 8 lookups when possible — the buffer protects you from a vendor adding nested includes.
  • Use the -all hard fail qualifier for production domains; reserve ~all for monitoring during rollout.
  • Keep one and only one v=spf1 record on any DNS name — multiple records are a permerror in RFC 7208.
  • If you have to flatten an include: chain to fit the 10-lookup budget, automate the flatten so renewals stay current.
  • The ip4: and ip6: mechanisms do not consume any of the 10-lookup budget — prefer them for static senders.

Frequently Asked Questions

Is the queried domain forwarded to any third party?
No. The lookup runs from the UtilityKit backend directly against public DNS resolvers. Nothing is sent to a third-party SaaS, and no PII is collected.
How is this different from running dig TXT example.com on the command line?
Both pull the same TXT record from public DNS. The difference is that this tool isolates the v=spf1 record, parses every mechanism, runs the RFC 7208 lookup count for you, and explains the qualifier semantics. Useful when you don't want to eyeball a long include: chain by hand.
How does this compare to mxtoolbox?
It returns the same kind of result for free, with no signup, no rate limits past abuse protection, and a simpler UI. We don't recursively expand every include: into a tree (yet) — for that, fall back to a paid tool.
What does soft fail (~all) mean versus hard fail (-all)?
Soft fail tells receivers that mail from non-listed senders is suspicious but should still be accepted. Hard fail instructs receivers to reject it outright. Use ~all during rollout, -all for production once you trust the record.
Why does my SPF record show a permerror?
The most common causes are exceeding 10 lookup-bearing mechanisms or publishing two separate v=spf1 records on the same domain. Both are permerror under RFC 7208 and many strict receivers reject mail on permerror.
Can this detect a misconfigured include: chain?
It detects the lookup-count overflow that comes from a deeply nested chain. It does not yet expand each include: into its own tree of mechanisms — paste the include: target into the same tool to inspect it manually.
Why is +all dangerous?
It tells receivers that every sender on the public internet is authorized to send mail for your domain. It is functionally equivalent to having no SPF record and is exploited by spammers.
Does an SPF record by itself stop spoofing?
No. SPF authenticates the envelope-from. Spoofers commonly forge the visible From: header, which is the domain DMARC checks. Pair SPF with DKIM and DMARC for end-to-end protection.

Explore the category

DMARC Record Checker Look up the DMARC TXT record at _dmarc.<domain>, parse every tag (p, sp, pct, rua, ruf, adkim, aspf), and flag missing aggregate report addresses or partial enforcement. DKIM Record Checker Fetch a DKIM TXT record at <selector>._domainkey.<domain>, parse the public key tags, infer key length, and warn about short keys, revoked keys, or testing flags. SPF Record Generator Compose an SPF TXT record from email-provider presets, custom includes, and IP allow-lists — with a live DNS lookup counter against the RFC 7208 ten-lookup limit. MX Record Lookup Look up the Mail Exchange (MX) records for any domain to see which mail servers handle its incoming email. DNS Propagation Checker Check DNS propagation across multiple global nameservers to see how widely a recent DNS change has spread. WHOIS Domain Lookup Look up WHOIS registration data for any domain — registrar, creation date, expiry, name servers, and contact details.
JSON Schema Explained: Validate Your APIs Like a Pro JSON Schema gives you contract-driven validation for any JSON payload. We walk through the spec, the keywords that matter, and how it powers May 2026 · 9 min Content Security Policy (CSP): What It Stops, What It Doesn't CSP is the most powerful XSS defense most sites either don't use or deploy wrong. Here's what it actually stops, what it doesn't, and how to May 2026 · 11 min

Glossary

SPF
Sender Policy Framework — RFC 7208 — a TXT-based mechanism that lists which IPs and hostnames are authorized to send mail on behalf of a domain.
Permerror
A permanent SPF evaluation error, including more than 10 lookups, multiple v=spf1 records, or syntactically invalid mechanisms. Strict receivers reject mail outright on permerror.
Soft fail (~all)
Marks mail from non-listed senders as suspicious without explicit rejection — lets receivers downgrade rather than discard.
Hard fail (-all)
Instructs receivers to reject mail from any sender not explicitly listed by an SPF mechanism.
Include mechanism
Pulls another domain's SPF record into yours and counts as one DNS lookup against the RFC 7208 ten-lookup budget.
MX record
DNS record that identifies the mail server for a domain. The SPF mx mechanism references it; pair this checker with our MX Record Lookup.