SPF Record Checker

Check SPF DNS records for any domain online. Verify TXT record syntax, inspect allowed sending sources, and troubleshoot email delivery failures using live DNS-over-HTTPS queries directly from your browser.

Why Check SPF Records

SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. Misconfigured SPF records cause legitimate emails to land in spam or get rejected outright. When a client reports that your emails aren't being delivered, or when setting up a new email service (Mailchimp, SendGrid, Postmark, Google Workspace), verifying the SPF record is the essential first troubleshooting step. This tool retrieves the live SPF TXT record so you can inspect it without CLI tools or terminal access.

  • Live SPF lookup: Queries the actual TXT record via DNS-over-HTTPS — bypasses local cache
  • Full record display: Shows the complete v=spf1 record with all mechanisms
  • TTL visibility: See how long the current SPF record is cached by resolvers
  • Multi-resolver check: Compare the SPF record across multiple public resolvers
  • No install needed: Works in any browser without dig, nslookup, or CLI

Choose the Right Variant

  • This page: SPF records — verify sender authorization and email delivery config
  • DMARC Checker: DMARC policy, reporting addresses, and alignment
  • TXT Record Lookup: All TXT records including DKIM, SPF, and domain verification
  • MX Record Lookup: Mail exchanger records for inbound email routing
  • DNS Record Lookup: Look up any DNS record type

Step-by-Step Tutorial

  1. Enter the sending domain — e.g. example.com (the domain in your From: address)
  2. Select TXT as the record type (SPF records are stored as TXT records)
  3. Click Lookup — look for a record starting with v=spf1
  4. Review the mechanisms: include: for third-party senders, ip4: for IP ranges, a for the domain's A record
  5. Check the ending qualifier: -all (fail), ~all (softfail), or ?all (neutral)
  6. If the record is missing, emails from that domain have no SPF policy and may be flagged as spam

SPF Mechanisms Reference

  • v=spf1: Required prefix — identifies the record as SPF version 1
  • include:domain: Authorize all IPs listed in that domain's SPF record
  • ip4:x.x.x.x/cidr: Authorize a specific IPv4 address or range
  • ip6::/cidr: Authorize a specific IPv6 address or range
  • a: Authorize the IP address(es) in the domain's A record
  • mx: Authorize the IP addresses of the domain's MX servers
  • -all: Hard fail — reject mail from any source not listed above
  • ~all: Soft fail — mark as suspicious but don't reject (more lenient, common for initial setup)

Privacy and Data Handling

DNS lookups are made from your browser via DNS-over-HTTPS. Domain names you look up are not logged or stored. Results are displayed directly and no data is retained after your session ends.

Frequently Asked Questions

Why is my email going to spam even with a valid SPF record?

SPF alone is not enough to ensure inbox delivery. Modern spam filters use multiple signals. Check: (1) DMARC policy — SPF must align with the From: domain, not just pass. (2) DKIM signature — email should be signed with a DKIM key published in your DNS. (3) Domain reputation — new domains or domains with sending history issues rank poorly. (4) Content signals — spammy subject lines, excessive links, or missing plain-text versions lower inbox placement. SPF, DKIM, and DMARC together form the email authentication trifecta required for reliable delivery.

What is the SPF 10-lookup limit?

SPF evaluation is limited to 10 DNS lookups per check (defined in RFC 7208). Each include:, a, mx, and redirect= term counts as one lookup. If your SPF record has more than 10 lookups, receiving servers may return PermError and treat the check as failed, causing email rejection. This is a common problem when using multiple email services (Google Workspace + Mailchimp + Salesforce + Zendesk). Solutions: flatten nested includes, use an SPF flattening service, or consolidate sending through fewer providers.

What is the difference between -all and ~all in SPF?

-all (hard fail) instructs receiving servers to reject email from any IP not listed in your SPF record. ~all (soft fail) marks non-listed senders as suspicious but still delivers the email (usually to spam). During initial SPF setup, ~all is safer — it won't accidentally block legitimate emails while you verify all sending sources are listed. Once you're confident in your SPF configuration, switch to -all for stronger protection against spoofing. +all allows all senders and should never be used as it defeats SPF entirely.
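
The lookup-limit and qualifier answers above can be checked mechanically. The following is an added example, not this tool's own code: it walks a record and its nested include: and redirect= targets, counts DNS-lookup terms (including ptr and exists, which RFC 7208 also counts), and reports the effective all qualifier. The domains, records, and the names SAMPLE_ZONE and auditSpf are constructed for illustration; a real check would fetch each TXT record over DNS.

```javascript
// Constructed sample data: domain -> SPF TXT record. Not real DNS answers.
const SAMPLE_ZONE = {
  "ok.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example mx -all",
  "_spf.mail.example": "v=spf1 ip4:198.51.100.0/24 a:out.mail.example ~all",
  "busy.example": "v=spf1 include:_spf.mail.example include:_crm.example " +
    "include:_news.example a mx ~all",
  "_crm.example": "v=spf1 include:_c1.example include:_c2.example exists:%{i}.bl.example -all",
  "_c1.example": "v=spf1 ip4:203.0.113.0/25 -all",
  "_c2.example": "v=spf1 ip4:203.0.113.128/25 -all",
  "_news.example": "v=spf1 a mx redirect=_c1.example",
};

const LIMIT = 10; // DNS-lookup limit from RFC 7208

// Worst-case count: assumes no mechanism matches early, so every term is evaluated.
function auditSpf(domain, zone, state = { lookups: 0, path: [] }) {
  const record = zone[domain];
  if (!record || !/^v=spf1(\s|$)/i.test(record)) return { error: `no SPF record at ${domain}` };
  if (state.path.includes(domain)) return { error: `include loop at ${domain}` };
  state.path.push(domain);
  let allQualifier = null;
  let redirect = null;
  for (const term of record.trim().split(/\s+/).slice(1)) {
    const mod = /^redirect=(.+)$/i.exec(term);
    if (mod) { redirect = mod[1].toLowerCase(); continue; }
    const m = /^([+\-~?]?)(all|include|a|mx|ptr|exists)(?:[:\/](.*))?$/i.exec(term);
    if (!m) continue; // ip4:, ip6: and other terms cost no DNS lookup
    const name = m[2].toLowerCase();
    if (name === "all") { allQualifier = m[1] || "+"; break; } // later terms are ignored
    state.lookups += 1; // include, a, mx, ptr, exists: one lookup each
    if (name === "include") {
      const sub = auditSpf((m[3] || "").toLowerCase(), zone, state);
      if (sub.error) return sub;
    }
  }
  if (redirect && allQualifier === null) { // redirect= is only used when there is no "all"
    state.lookups += 1;
    const sub = auditSpf(redirect, zone, state);
    if (sub.error) return sub;
    allQualifier = sub.allQualifier;
  }
  state.path.pop();
  return { lookups: state.lookups, allQualifier, permerror: state.lookups > LIMIT };
}

for (const d of ["ok.example", "busy.example"]) console.log(d, auditSpf(d, SAMPLE_ZONE));
```

Only the top-level record's all qualifier sets the default result; an all inside an included record affects just whether that include matches.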