SPF Check
Find out if your domain's email setup is letting impersonators through.
What does all this mean?
This tool checks whether your domain has a valid SPF (Sender Policy Framework) record, who is authorized to send email on its behalf, and whether the policy is strong enough to protect against impersonation.
What is SPF, in one minute?
SPF is a TXT record on your domain that lists which servers are allowed to send email claiming to be from you. Inbox providers (Gmail, Microsoft, etc.) check it when your email arrives. If a sender is not on your SPF list, the receiver knows it might be fraud.
Without SPF, anyone can send email pretending to be from your domain. Your legitimate email may also be flagged as suspicious by spam filters.
Glossary: what each part means
v=spf1 - version marker, always present at the start.
include:domain - pulls in another organization’s SPF record. Used when you send through Google Workspace, Microsoft 365, Mailgun, etc.
ip4:x.x.x.x - a specific IPv4 address authorized to send.
a, mx - authorizes the IPs in your A or MX records.
-all - hard fail: reject anything not listed. Strongest.
~all - soft fail: flag but don’t reject. Common during rollout.
?all - neutral: no protection. Avoid.
+all - pass all: anyone can send. Misconfiguration.
Why the 10 DNS lookups limit matters
When inbox providers evaluate SPF, they follow each include and other lookup-causing mechanism. RFC 7208 caps this at 10 lookups total. Going over means SPF fails permanently for your domain - even for your legitimate senders.
Domains that use many third-party email tools (CRM, marketing, transactional, helpdesk) often hit this limit. Solutions: consolidate vendors, or use “SPF flattening” services.
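How a lookup count is reached, as an added example that is not this tool's own code: the sketch below walks a record and its nested includes, counts the lookup-causing terms named in RFC 7208 (include, a, mx, ptr, exists, redirect), and flags a weak all policy. The .test domains and their records are constructed sample data, and the SAMPLE_DNS dictionary is an assumption standing in for real DNS queries.

```python
import re
# Constructed records standing in for DNS TXT answers (hypothetical .test domains).
SAMPLE_DNS = {
    "example.test": "v=spf1 include:_spf.mailer.test include:crm.test include:desk.test a mx ip4:192.0.2.10 ~all",
    "_spf.mailer.test": "v=spf1 include:a.mailer.test a -all",
    "a.mailer.test": "v=spf1 ip4:203.0.113.0/25 -all",
    "crm.test": "v=spf1 a mx ptr -all",
    "desk.test": "v=spf1 a mx exists:%{i}.allow.desk.test -all",
    "small.test": "v=spf1 include:a.mailer.test ip4:192.0.2.25 -all",
    "open.test": "v=spf1 mx +all",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, section 4.6.4
LIMIT = 10

def parse_term(term):
    """Split one SPF term into (qualifier, name, value); the default qualifier is '+'."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name, sep, rest = re.match(r"([A-Za-z0-9_.-]+)([:=/]?)(.*)$", term).groups()
    return qualifier, name.lower(), rest if sep in (":", "=") else ""

def count_lookups(domain, dns, stack=()):
    """Return (lookup-causing terms reachable from domain, qualifier of its own 'all')."""
    if domain in stack:
        raise ValueError(f"include loop at {domain}")
    record = dns.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        raise ValueError(f"no SPF record at {domain}")
    total, policy = 0, None
    for term in record.split()[1:]:
        qualifier, name, value = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):  # nested records spend the same budget
            total += count_lookups(value, dns, stack + (domain,))[0]
        if name == "all":
            policy = qualifier
    return total, policy

def audit(domain, dns=SAMPLE_DNS):
    """Return findings for the two problems described above: lookup count and 'all' policy."""
    lookups, policy = count_lookups(domain, dns)
    findings = []
    if lookups > LIMIT:
        findings.append(f"{lookups} DNS lookups, over the limit of {LIMIT}")
    if policy in (None, "?", "+"):
        findings.append(f"weak or missing 'all' policy: {policy}")
    return findings
```

In the sample data, example.test shows only five lookup-causing terms in its own record but reaches 13 once the three vendors' records are followed, which is why the count has to be done recursively.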