
SPF Lookup: Check Any Domain's Email Authentication Record

Learn how SPF records work, what the include, ip4, and all mechanisms mean, why the 10-lookup limit matters, and how to use a free SPF lookup tool to diagnose email authentication failures.

By sadiqbd · June 6, 2026

SPF is the record that says "these servers are allowed to send email for my domain"

When an email arrives claiming to be from user@example.com, the receiving mail server has no immediate way to know if it's legitimate or a spoofed phishing attempt. SPF (Sender Policy Framework) was created to solve this. It's a DNS TXT record that lists exactly which mail servers are authorised to send email on behalf of a domain.

An SPF lookup retrieves and parses this record, showing you what's authorised and helping you diagnose why email might be failing authentication.


How SPF Works

The SPF mechanism:

  1. The domain owner publishes an SPF record in DNS as a TXT record at the root domain
  2. When an email arrives, the receiving server looks up the SPF record for the sender's domain
  3. It checks whether the sending mail server's IP is listed as authorised in the SPF record
  4. Based on the result, the email is treated as authenticated (pass), suspicious (fail/softfail), or neutral

The check is based on the envelope sender (MAIL FROM in the SMTP conversation), not the From header that recipients see. This distinction matters for SPF alignment in DMARC.


SPF Record Format

An SPF record is a TXT record at the root domain:

example.com  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.1 ~all"

Mechanisms:

| Mechanism | Meaning |
|---|---|
| ip4:x.x.x.x | Authorise a specific IPv4 address |
| ip4:x.x.x.x/24 | Authorise an IPv4 CIDR range |
| ip6: | Authorise an IPv6 address or range |
| include:domain | Include another domain's SPF record (inherit their authorised IPs) |
| a | Authorise the domain's own A record IP |
| mx | Authorise the domain's MX record IPs |
| all | Applies to all other IPs (used with a qualifier) |

Qualifiers (before each mechanism):

| Qualifier | Meaning |
|---|---|
| + (default, often omitted) | Pass: authorised |
| - | Fail: not authorised; reject |
| ~ | Softfail: not authorised; accept but mark suspicious |
| ? | Neutral: no policy |

~all vs -all:

  • ~all (softfail): emails from unlisted IPs are delivered but marked as suspicious. Gentler, reduces risk of blocking legitimate email from missed sources.
  • -all (hardfail): emails from unlisted IPs should be rejected outright. Stronger protection, but requires confidence that all legitimate senders are listed.

How to Use the SPF Lookup Tool on sadiqbd.com

  1. Enter the domain: the sending domain (e.g. example.com)
  2. Run the lookup: the tool retrieves the SPF TXT record
  3. Read the result: the full record is displayed with each mechanism explained

Reading Common SPF Records

Google Workspace

v=spf1 include:_spf.google.com ~all

All mail is sent through Google's infrastructure. The include:_spf.google.com reference expands to Google's current list of outgoing mail IPs.

Multiple sending services

v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.org ip4:203.0.113.42 ~all

Email is sent through Google Workspace, SendGrid (transactional), Mailchimp (marketing), and a dedicated IP (e.g. for a legacy system).

Microsoft 365

v=spf1 include:spf.protection.outlook.com -all

All mail through Microsoft's servers; hard fail for anything else.


Real-World Examples

Email failing authentication

A new marketing platform sends email on behalf of your domain but recipients' spam filters reject it.

SPF lookup for your domain:

v=spf1 include:_spf.google.com ~all

The marketing platform's IP is not included. Add include:[platform-spf-domain] to your SPF record per the platform's documentation.

Verifying a third-party sender's setup

You've just added a transactional email service (e.g. SendGrid). Check that the SPF record includes their servers:

SPF lookup returns:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

sendgrid.net is included. ✓

Diagnosing SPF failure for a specific sending IP

An email sent from IP 198.51.100.25 is failing SPF for example.com. SPF lookup shows:

v=spf1 ip4:203.0.113.0/24 include:_spf.google.com ~all

198.51.100.25 is not in the 203.0.113.0/24 range and not in Google's SPF. This IP isn't authorised. Either the record needs updating, or this sending source is not legitimate.


SPF Lookup Limit: The 10-DNS-Lookup Rule

SPF has a critical constraint: a maximum of 10 DNS lookups are allowed during SPF evaluation. Each include:, a, mx, and exists mechanism triggers a DNS lookup. If evaluation requires more than 10 lookups, SPF returns a permerror, treating the record as invalid.

This limit is easy to hit when you have many include: statements, especially since each one may itself trigger multiple lookups. The SPF lookup tool can show you how many lookups your record requires.

Fixing the too-many-lookup problem:

  • Remove unused include: entries (old services you no longer use)
  • Replace some include: references with direct ip4: ranges (flattening the record)
  • Use an SPF flattening service that automatically resolves include: chains to IP ranges
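To see how nested include: chains add up, the following added example (not the lookup tool's code) counts lookup-triggering terms recursively over a constructed set of records with hypothetical domains, and compares the original record with a partly flattened one. Besides the four mechanisms named above, it also counts ptr and the redirect modifier, which RFC 7208 includes in the same limit.

```python
import re

LIMIT = 10  # maximum DNS-querying terms per SPF evaluation
# Constructed stand-in for DNS (hypothetical domains, not real published records).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.a.example include:_spf.b.example "
                   "include:_spf.c.example ~all",
    # Same senders, with _spf.a.example's include chain replaced by its ip4 ranges.
    "flat.example.com": "v=spf1 mx ip4:192.0.2.0/26 ip4:192.0.2.64/26 ip4:192.0.2.128/26 "
                        "include:_spf.b.example include:_spf.c.example ~all",
    "_spf.a.example": "v=spf1 include:_n1.a.example include:_n2.a.example "
                      "include:_n3.a.example ~all",
    "_n1.a.example": "v=spf1 ip4:192.0.2.0/26 ~all",
    "_n2.a.example": "v=spf1 ip4:192.0.2.64/26 ~all",
    "_n3.a.example": "v=spf1 ip4:192.0.2.128/26 ~all",
    "_spf.b.example": "v=spf1 a mx include:_n1.b.example ~all",
    "_n1.b.example": "v=spf1 ip4:198.51.100.0/28 ~all",
    "_spf.c.example": "v=spf1 a:mail.c.example ip4:198.51.100.64/28 ~all",
}
# Optional qualifier, term name, then an optional ":" or "=" target (CIDR suffix dropped).
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?")


def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's SPF record."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    total = 0
    for term in zone.get(domain, "").lower().split()[1:]:  # [1:] skips "v=spf1"
        m = TERM.match(term)
        if not m:
            continue
        name, target = m.groups()
        if name in ("a", "mx", "exists", "ptr"):
            total += 1
        elif name in ("include", "redirect") and target:
            # One lookup to fetch the referenced record, plus whatever it contains.
            total += 1 + count_lookups(target, zone, path + (domain,))
    return total


def over_limit(domain, zone=ZONE):
    return count_lookups(domain, zone) > LIMIT


if __name__ == "__main__":
    for d in ("example.com", "flat.example.com"):
        print(d, count_lookups(d), "over limit" if over_limit(d) else "ok")
```

The count is a worst case: a real evaluation stops at the first matching mechanism, so a record over the limit may still pass for IPs matched early and return permerror only for others, which makes the failure look intermittent.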

SPF and DMARC Alignment

SPF alone doesn't prevent header From spoofing. DMARC adds alignment checking:

  • SPF alignment requires that the domain in the MAIL FROM (envelope sender) matches the From header domain (or a subdomain, in relaxed mode)
  • Without alignment, an attacker could pass SPF with an envelope sender on one domain while putting a different, spoofed domain in the From header

SPF + DKIM alignment under DMARC provides the full protection stack. Use the DMARC Lookup tool to check your overall authentication configuration.
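The alignment test itself is a domain comparison, shown here as an added example that is not part of the original article. Relaxed mode compares organizational (registrable) domains, which in practice requires the Public Suffix List; the tiny `PUBLIC_SUFFIXES` set and all addresses below are constructed assumptions for the sketch.

```python
from email.utils import parseaddr

# Constructed, tiny stand-in for the Public Suffix List (assumption for this sketch).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain):
    """Registrable domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def spf_aligned(mail_from, header_from, mode="relaxed"):
    """True if the envelope sender domain aligns with the header From domain."""
    env = parseaddr(mail_from)[1].rpartition("@")[2].lower()
    hdr = parseaddr(header_from)[1].rpartition("@")[2].lower()
    if not env or not hdr:
        return False  # e.g. a null sender "<>" has no domain to align
    if mode == "strict":
        return env == hdr
    return org_domain(env) == org_domain(hdr)


if __name__ == "__main__":
    visible = "Billing <billing@example.com>"
    # A legitimate bounce subdomain aligns in relaxed mode only.
    print(spf_aligned("bounces@mail.example.com", visible))            # True
    print(spf_aligned("bounces@mail.example.com", visible, "strict"))  # False
    # SPF can pass for this envelope domain, yet it does not align with the From.
    print(spf_aligned("bounce@mailer.attacker.example", visible))      # False
```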


Tips for Managing SPF Records

Only include services you currently use. Every include: adds lookup overhead and complexity. Remove old services when you stop using them.

Use ~all until your sending sources are confirmed. -all is stricter but will reject legitimate email from any source you forgot to include. Start with ~all, verify all sources, then consider moving to -all.

You can have only ONE SPF record per domain. Multiple TXT records starting with v=spf1 cause a permanent error. If you need to add a new source, add it to the existing record; don't create a second one.

Monitor your SPF record after any email provider change. Adding a new tool that sends email, switching providers, or changing servers all require SPF updates.


Frequently Asked Questions

What's the difference between SPF and DKIM? SPF verifies the sending IP is authorised by the domain. DKIM verifies the message wasn't tampered with and was signed by the domain. SPF checks at the network level; DKIM checks at the message level. Both should pass for strong authentication.

Can I have multiple all mechanisms? No: all must be the last mechanism and there should only be one. Everything after all is ignored.

What happens if my domain has no SPF record? Without SPF, receiving servers get no guidance on which IPs are authorised. They may accept or reject based on their own policies. Phishing emails using your domain face no SPF-based obstacle. Always publish at least a minimal SPF record.

How do I know if my SPF record is correct? Run the SPF lookup, verify all your sending services are included, check the lookup count is under 10, and test by sending an email and checking the authentication results in the headers (Authentication-Results: header).

Is the SPF lookup tool free? Yes, completely free, no sign-up required.


SPF is the first line of email authentication, and one of the most frequently misconfigured parts of email setup. The lookup tool shows you exactly what's in your record and helps diagnose why certain sending sources are failing authentication.

Try the SPF Lookup tool free at sadiqbd.com: check any domain's SPF record and authorised senders instantly.
