Star Computers

SPF Lookup

Find and parse the SPF (Sender Policy Framework) record for a domain. Explains each mechanism and flags common misconfigurations like +all or over-10 DNS lookups.

DNS Security Networking

Look up and parse SPF

Fetches the domain's TXT records, finds the v=spf1 record, and explains each mechanism.

About SPF

Sender Policy Framework is a DNS TXT record that lists the hosts allowed to send mail on behalf of a domain. It’s one of three interlocking standards — SPF, DKIM, and DMARC — that together determine whether a receiving mail server trusts a message.

An SPF record looks like:

v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all
  • v=spf1 — required marker.
  • Mechanisms (ip4, ip6, a, mx, include, exists, ptr) — describe who is authorized.
  • Qualifiers (+, -, ~, ?) — what to do on match: pass, fail, softfail, or neutral.
  • all — the catch-all at the end. -all rejects; ~all softfails; ?all defers; +all authorizes everyone (dangerous and usually a mistake).

Things this tool flags

  • No SPF record. Receivers have no way to verify your sending hosts — spoofed mail is likely to be delivered.
  • Multiple SPF records. RFC 7208 requires exactly one. Multiple records cause permerror at receiving servers and mail will fail authentication.
  • More than 10 DNS-affecting mechanisms. SPF has a strict 10-lookup limit. Going over it causes permerror — every include: counts, including nested ones.
  • +all. Authorizes everyone on the internet to send mail as your domain. Almost always a misconfiguration.
  • No all token. Undefined fallback — most receivers treat it as neutral.

Privacy

The lookup runs in your browser against Google Public DNS over HTTPS. We don’t proxy, log, or store the query.