Free SPF Record Checker
Validate any domain's SPF record, count its DNS lookups against the RFC 7208 limit, and expand every include: chain. Instant results, no signup.
A real SPF analysis — not just a syntax check
Most online SPF checkers stop at "your record has the right format". DNSMonit's checker walks the entire evaluation tree, counts every DNS lookup the way a receiving mail server actually does, and surfaces the exact reason your record will fail.
Live DNS lookup counter
Counts every include:, a:, mx:, redirect, exists: and ptr lookup — including everything inside your includes — against the RFC 7208 §4.6.4 limit of 10.
Recursive include tree
See the full nested expansion of every include:, with cycle detection. Find out which vendor is responsible for blowing your lookup budget.
Spot every silent failure
Detects multiple SPF records (auto-permerror), deprecated ptr, +all openings, missing all qualifier, broken includes, and lookup-budget overruns.
SPF mechanism cheat sheet
SPF is a small language. Knowing which mechanism costs a lookup and which doesn't is the difference between a clean record and a permerror.
| Mechanism | Counts as a lookup? | What it does |
|---|---|---|
| include: | Yes — and any lookups inside | Authorize the senders listed in another domain's SPF record. |
| redirect= | Yes | Replace the current record with another domain's record entirely. |
| a / a:domain | Yes | Authorize the A/AAAA records of the named domain. |
| mx / mx:domain | Yes | Authorize the MX records of the named domain. |
| exists: | Yes | Conditional macro lookup, rarely used outside large senders. |
| ptr | Yes — and deprecated | RFC 7208 §5.5 says don't use it. Remove on sight. |
| ip4: / ip6: | No | Authorize a literal IP address or CIDR range — zero DNS cost. |
| all (-all / ~all / ?all / +all) | No | Final policy: -all rejects, ~all softfails, +all permits any sender (never use). |
SPF errors this checker catches
If your record has any of the issues below, mail receivers will treat your SPF as broken — which usually means worse deliverability for everything you send.
Too many DNS lookups
More than 10 lookups (counting every nested include) returns a permerror — receivers behave as if SPF didn't exist. Adding one more vendor often pushes a record over the line.
Multiple SPF records
Two records on the same name are an instant permerror. Most often happens when a vendor adds its own SPF without merging with yours.
+all qualifier
A record ending in +all authorizes every sender on the internet. There is no legitimate reason to publish this.
Missing all qualifier
If the record doesn't end in some form of all, the default policy is undefined — different receivers apply different defaults, results are unpredictable.
Deprecated ptr mechanism
Slow, fragile, and explicitly deprecated by RFC 7208 §5.5. Many large receivers ignore it entirely.
Broken include target
An include: pointing at a domain with no SPF record returns a permerror. We flag every dead include in the tree.
SPF Checker — Frequently Asked Questions
What is an SPF record?
SPF (Sender Policy Framework) is a DNS TXT record that lists which servers are authorized to send email for your domain. Receiving mail servers query this record to verify whether an incoming email's origin is legitimate before delivering it.
How does this SPF checker work?
Paste any domain and we query its TXT records, parse the SPF policy, expand every include: and redirect= target recursively, count all DNS lookups against the RFC 7208 limit of 10, and flag deprecated mechanisms like ptr or risky qualifiers like +all.
What is the SPF 10 DNS lookup limit?
RFC 7208 §4.6.4 limits an SPF evaluation to 10 DNS lookups. Each include:, a:, mx:, redirect, exists: and ptr mechanism counts as one lookup. If your record exceeds 10 (including nested lookups inside your includes), receivers return a permerror and SPF effectively fails.
What is the difference between -all and ~all?
Hard fail (-all) instructs receivers to reject mail from unauthorized servers. Soft fail (~all) marks them as suspicious but still delivers them. Use -all once you've confirmed all legitimate senders are in your record.
Can I have multiple SPF records?
No — RFC 7208 requires exactly one SPF TXT record per domain. Multiple records cause a permerror and SPF fails entirely. Combine senders into a single record using include: mechanisms.
How do I fix 'too many DNS lookups'?
Either remove unused include: targets, or flatten your SPF by replacing include: mechanisms with the underlying ip4:/ip6: ranges (note: this needs maintenance as providers change IPs). DNSMonit's monitoring alerts you when your lookup count grows after a vendor adds an include.
Do I need SPF if I have DMARC?
Yes. DMARC enforces alignment between the From address and either SPF or DKIM. Without SPF (or DKIM) a domain cannot get DMARC pass, so deliverability suffers and impersonation is easier.
What is a 'permerror' or 'temperror' in SPF?
permerror means your SPF record is invalid or evaluates with more than 10 DNS lookups — receivers treat it as if SPF did not exist. temperror is a transient DNS failure during evaluation; receivers may retry or treat it as a soft fail.
Need to track only the lookup count?
Use the dedicated SPF Lookup Counter →Stop checking SPF by hand
SPF breaks when a vendor adds a new include or a record gets edited by mistake. DNSMonit re-checks your record continuously and emails you the second your lookup count or policy drifts.