SPF Lookup & Generator
Look up existing SPF records for any domain or build a new v=spf1 TXT record with the interactive generator
include: entries for email services (ESP, CRM, etc.)Add this as a TXT record on your domain's DNS with the host/name set to @ (or leave blank):
Frequently Asked Questions
v=spf1. When a receiving mail server gets an email, it checks the SPF record to verify the sending server is authorized. This reduces email spoofing and improves deliverability.~all (SoftFail) means emails from unlisted servers are accepted but marked as suspicious. -all (HardFail) instructs receivers to reject emails from any server not listed in the SPF record. Start with ~all while setting up to avoid blocking legitimate email, then switch to -all once you're confident all senders are listed. Always pair SPF with DMARC for full protection.include:, a, mx, and ptr mechanism counts as one lookup (and included records may themselves contain additional lookups). Exceeding 10 lookups causes an SPF PermError, which many servers treat as a fail. Use ip4: and ip6: mechanisms directly (they don't count as lookups) to stay within the limit.p=none, p=quarantine, p=reject). This triple combination is required by Google and Yahoo for bulk senders since 2024.About SPF Records
What This Tool Does
The SPF Lookup tab queries DNS TXT records for any domain and extracts the SPF record, showing both the raw string and a human-readable breakdown of every mechanism. The SPF Generator builds a valid v=spf1 record interactively β you can also load an existing record into the generator by clicking Edit in Generator after a lookup.
SPF Mechanism Reference
| Mechanism | Description |
|---|---|
a | Allow the domain's A/AAAA records |
mx | Allow the domain's MX servers |
include: | Inherit rules from another domain |
ip4: | Allow a specific IPv4 or CIDR range |
ip6: | Allow a specific IPv6 or CIDR range |
redirect= | Delegate entirely to another domain's SPF |
SPF Qualifier Reference
+ Pass
The sender is authorized. This is the default qualifier β most mechanisms omit it. Email is delivered normally.
- Fail
The sender is not authorized. The receiving server should reject the email. Used at the end as -all.
~ SoftFail
The sender is probably not authorized. Email is accepted but marked as suspicious. Best practice during initial setup (~all).
? Neutral
No policy stated. The domain owner makes no assertion about whether the sender is authorized. Receivers treat this like no SPF record.
SPF in the Email Authentication Ecosystem
SPF
Verifies the sending server IP is authorized to send on behalf of the domain. Checked in the envelope From (MAIL FROM). Does not survive email forwarding.
DKIM
Adds a cryptographic signature to the email header, verified via a public key in DNS. Survives forwarding. Proves the message content hasn't been tampered with.
DMARC
Ties SPF and DKIM together. Defines what to do when checks fail (none, quarantine, reject). Provides aggregate reports on who is sending email for your domain.
All three are required by Google and Yahoo for bulk senders (2024+). Start with SPF β add DKIM β enforce with DMARC.
The Email Authentication Stack
SPF is the first layer of email authentication. Combined with DKIM, DMARC, and BIMI it forms a complete protection and branding chain for your domain.
| Protocol | What it authenticates | DNS Record | Our Tool |
|---|---|---|---|
| SPF | The sending server's IP address is authorized to send for the domain | TXT at root domain |
This tool |
| DKIM | The message was cryptographically signed by an authorized sender and not altered | TXT at {selector}._domainkey.{domain} |
DKIM Checker |
| DMARC | SPF/DKIM alignment with the visible From: header β sets enforcement policy and reporting |
TXT at _dmarc.{domain} |
DMARC Lookup & Generator |
| BIMI | Displays the domain's brand logo in supporting email clients once SPF, DKIM, and DMARC all pass | TXT at default._bimi.{domain} |
BIMI Lookup & Generator |
| MX | Where inbound email for the domain should be delivered | MX at root domain |
MX Lookup |
