SPF Record Checker
Look up any domain's SPF record, parse its mechanisms, and get instant warnings on the configuration mistakes that send your cold email straight to spam.
What is SPF and why does it matter in 2026?
SPF (Sender Policy Framework) is a DNS TXT record that tells receiving mail servers which IP addresses are allowed to send email on behalf of your domain. Without it, anyone can spoof your domain, and Gmail, Outlook, and Yahoo will quietly route your real cold email to spam or block it entirely.
Since Google and Yahoo's February 2024 bulk-sender rules took effect, SPF is no longer optional. Every domain sending more than 5,000 emails per day to Gmail addresses needs valid SPF, DKIM, and DMARC alignment. Failing any of the three gets you throttled. Failing two gets you blocked. This tool checks the SPF half of that equation.
How to read your SPF record
An SPF record always starts with v=spf1 and ends with an all mechanism carrying a qualifier (-all, ~all, ?all, or +all). In between, you list mechanisms that authorize specific senders.
include: pulls in another domain's SPF record (used for Google Workspace, Microsoft 365, SendGrid, etc.). ip4: and ip6: hardcode specific IP ranges. The qualifier on all tells receivers what to do with mail from anywhere else.
- -all (hard fail): mail from unauthorized IPs is rejected outright. Strictest, recommended for production.
- ~all (soft fail): mail is marked suspicious but still delivered. Good for staged rollouts.
- ?all (neutral): no policy enforcement. Useless for spoof protection.
- +all (pass): authorizes everything. Never use this; it neuters SPF entirely.
The 10-DNS-lookup limit (RFC 7208)
SPF has a brutal hidden constraint: receiving servers will not perform more than 10 DNS lookups when evaluating your record, and lookups inside nested includes count too. Every include:, every redirect=, every a or mx mechanism counts toward the limit. If your record blows past 10, receivers return a PermError and your mail fails SPF regardless of how the record looks.
This is the single most common reason SPF breaks for fast-growing companies. You start with include:_spf.google.com (counts as 1), add SendGrid (2), Mailchimp (3), HubSpot (4), Intercom (5), and before you know it you are over the limit. Our checker counts your includes so you can flatten the record before it breaks.
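An added example (not Navigent's checker code) applying the two sections above: it parses each term and the all qualifier, then counts DNS-querying terms through nested includes, which is where a record that looks short at the top level goes over 10. The ZONE data, every domain name and the function names are constructed for illustration; a live checker would replace ZONE with real TXT lookups.

```python
import re

# RFC 7208 terms that cost a DNS query; ip4, ip6 and all cost nothing.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=]([^/\s]+))?(?:/.*)?$", re.I)
# Constructed zone data standing in for live TXT lookups; all names hypothetical.
ZONE = {
    "ok.test": ["v=spf1 include:_spf.mailer.test ip4:192.0.2.0/24 -all"],
    "busy.test": ["v=spf1 include:_spf.mailer.test include:_spf.crm.test a mx a:relay.busy.test ~all"],
    "_spf.mailer.test": ["v=spf1 include:_a.mailer.test mx ~all"],
    "_a.mailer.test": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_spf.crm.test": ["v=spf1 a mx a:out.crm.test exists:%{i}.allow.crm.test ~all"],
}

def spf_record(domain, txt):
    # Exactly one v=spf1 TXT record must exist; zero or several is an error.
    found = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        raise LookupError(f"{domain} has {len(found)} SPF records, expected 1")
    return found[0]

def terms(record):
    # (qualifier, name, target) for each term after the version tag.
    hits = (TERM.match(tok) for tok in record.split()[1:])
    return [(m.group(1) or "+", m.group(2).lower(), m.group(3)) for m in hits if m]

def count_lookups(domain, txt, chain=()):
    # Count DNS-querying terms, descending into include: and redirect= targets.
    if domain in chain:
        raise LookupError(f"include loop through {domain}")
    total = 0
    for _, name, target in terms(spf_record(domain, txt)):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target, txt, chain + (domain,))
    return total

def lint(domain, txt=ZONE):
    # Returns (lookup_count, all_qualifier, warnings).
    try:
        found, n = terms(spf_record(domain, txt)), count_lookups(domain, txt)
    except LookupError as err:
        return None, None, [str(err)]
    q = next((q for q, name, _ in found if name == "all"), None)
    warnings = [f"{n} DNS lookups, limit is 10 (PermError)"] if n > 10 else []
    if q in ("+", "?") or (q is None and "redirect" not in {t[1] for t in found}):
        warnings.append(f"all qualifier is {q or 'missing'}: no spoof protection")
    return n, q, warnings
```

Calling lint("busy.test") reports 11 lookups even though the top-level record lists only five DNS-querying terms; the rest come from inside the two includes.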
What to do when SPF is missing or broken
If no record was found, publish a TXT record at the root of your domain (@) with this content: v=spf1 include:_spf.google.com ~all (substitute the include for your actual sending provider). Use ~all while you test, then tighten to -all once you have confirmed all your real senders are covered.
If you got a too-many-includes warning, flatten the record using a service like dmarcian or unspf, or migrate marginal senders to subdomains so their SPF lookup pressure does not affect your main domain. Re-run this tool after publishing changes; DNS typically propagates in 5 to 30 minutes.
Frequently asked questions
Is this SPF checker free?
Yes, the SPF checker is completely free with no rate limit, no signup, no credit card. Navigent runs it as part of the free deliverability suite at /tools.
How does the SPF checker work?
We perform a live DNS TXT lookup at the root of the domain you submit, parse any record starting with v=spf1, count includes and IP mechanisms, and flag common mistakes like missing all qualifiers or RFC 7208 lookup-limit risks.
What does -all mean in SPF?
-all is a hard fail qualifier. It tells receiving mail servers that any IP not listed in the SPF record is unauthorized and the message should be rejected outright. It is the strictest and recommended posture for production sending domains.
Can I have more than one SPF record?
No. RFC 7208 explicitly forbids multiple SPF records on the same domain. If you have two TXT records both starting with v=spf1, receivers return a PermError and your mail fails SPF. Merge them into one record.
How do I fix a too-many-includes SPF error?
You can flatten includes into raw IPs (lose readability), move senders to subdomains (each gets its own 10-lookup budget), or drop unused senders. Tools like dmarcian Flattener or unspf automate the flattening process.
How long does SPF take to propagate?
Most DNS providers propagate TXT record changes in 5 to 30 minutes. Some legacy registrars can take up to 24 hours. Use dig +trace TXT yourdomain.com or this checker to confirm your new record is live before sending production mail.
Does SPF alone protect my domain from spoofing?
No. SPF protects the return-path (envelope sender) but not the visible From header. You need DMARC (which combines SPF and DKIM with alignment) to fully prevent display-name spoofing in inboxes. Pair this checker with our DMARC generator and DKIM lookup.
Why does my SPF pass in this tool but mail still goes to spam?
Deliverability is multi-factor. SPF is necessary but not sufficient. Check DKIM, DMARC alignment, sender reputation, list quality, content (spam triggers), authentication of your sending IP, and your warm-up status. SPF passing is the floor, not the ceiling.