SPF record checker.
Enter your domain. We look up the TXT record at the apex, find the one starting with v=spf1, and show the raw value plus a plain-English read of the qualifier and includes.
One record, three jobs.
SPF lists the IP addresses and providers allowed to send mail for your domain. It pairs with DKIM (which signs the message) and DMARC (which tells receivers what to do when SPF or DKIM fails).
Lists your senders
Every include:, a, mx and ip4: mechanism is a sender you trust. If a server is not covered by any of them, the SPF check fails.
Sets the verdict
The final qualifier — -all, ~all, ?all — tells receivers how strict to be when the sender is not on the list. -all is the only one that actually rejects spoofed mail.
Counts against a budget
SPF evaluation is capped at 10 DNS lookups. Stacked include: chains eat the budget fast. Going over the limit is treated as a permanent error and usually fails DMARC.
Works with DMARC
SPF alone tells receivers what is authorised. DMARC tells them what to do when it fails. Without DMARC, most receivers silently drop a failing message into spam at best.
SPF is one of about thirty external checks.
AttackEdge Monitoring re-runs SPF, DKIM, DMARC, MTA-STS, TLS, security headers and the rest on a recurring schedule. Plain-English findings, IT-ready fixes, monthly PDF.
Setup in 60 seconds · Cancel anytime
SPF, in plain English.
- SPF (Sender Policy Framework) is a TXT record at the apex of your domain that lists which mail servers are allowed to send email claiming to be from you. Receiving servers use it to filter spoofed mail.