Skip to content
D1
EN

Email authentication

SPF Validator

Validate a domain SPF record, parse mechanisms, terminal all, lookup count and configuration warnings.

Need SPF, DMARC, and DKIM together? Run full email auth audit → Email Auth Checker

This form calls the relative endpoint: /site-api/tools/spf

How to use this tool

  1. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.
  2. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.
  3. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.
  4. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.
  5. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.
  6. SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. Start at the organizational domain, list every authorized sender, prefer include for SaaS providers, end with -all or ~all, stay under ten DNS lookups, then validate DMARC alignment before enforcement. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

What the result shows

The result is split into the signals that matter for this specific check.

FieldPurposeExample
DomainSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Enter the apex domain that appears in the visible From header.
Query nameSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Confirm exactly one v=spf1 TXT record is published.
FoundSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Review parsed mechanisms, terminal all, and lookup count.
ValidSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Remove deprecated ptr and permissive +all when possible.
Terminal allSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Pair the result with DMARC and DKIM checks on the same domain.
MechanismsSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Re-run after DNS TTL once includes are verified.
DNS lookup countSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Enter the apex domain that appears in the visible From header.
Raw recordSPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.Confirm exactly one v=spf1 TXT record is published.

When this check helps

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Use the validator during ESP onboarding, Microsoft 365 or Google Workspace migrations, DMARC rollout, deliverability incidents, and vendor questionnaires. SPF is only half of authentication — DMARC still needs aligned DKIM or SPF results at the From domain. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

What to review when results look wrong

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple v=spf1 strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple v=spf1 strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple v=spf1 strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple v=spf1 strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple v=spf1 strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

If no record appears, query the apex TXT directly — not _dmarc or a selector. When multiple v=spf1 strings exist, merge authorized sources into one record because receivers may reject ambiguous publications. After edits, wait for TTL and compare the raw TXT field against dig +short TXT example.com. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

How to interpret the result

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

SPF (Sender Policy Framework) is published as a single TXT record at the domain apex starting with v=spf1. Receivers evaluate it during SMTP to decide whether the connecting IP is authorized to send mail for that domain. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Recommended workflow

  1. Enter the apex domain that appears in the visible From header.
  2. Confirm exactly one v=spf1 TXT record is published.
  3. Review parsed mechanisms, terminal all, and lookup count.
  4. Remove deprecated ptr and permissive +all when possible.
  5. Pair the result with DMARC and DKIM checks on the same domain.
  6. Re-run after DNS TTL once includes are verified.

Tool vs manual checks

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "include mechanisms and third-party senders", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "terminal all qualifiers and fail modes", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "multiple SPF TXT records", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "DNS lookup limits and flattening", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "SPF alignment with DMARC", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

dig TXT example.com shows raw strings but does not parse mechanisms, warn on +all, or estimate lookup depth. DNS Checker lists all TXT values yet lacks SPF-specific validation. DN01 uses the same Go parser as the production API and returns shareable result pages. For "ip4, ip6, mx, and ptr mechanisms", treat the apex TXT as the contract receivers enforce at SMTP time. Document each mechanism, confirm lookup cost, and verify the terminal all matches your risk posture. After DNS changes, re-run the same domain to prove the publication is singular, syntactically valid, and ready for DMARC alignment.

Why use DN01

  • Live apex TXT lookup
  • Mechanism parsing and lookup estimate
  • Multiple-record and syntax errors
  • Warnings for ptr and permissive all
  • Pairs with DMARC and DKIM tools
  • Shareable SPF result URL

FAQ

SPF validator FAQ

v=spf1 TXT records, include mechanisms, terminal all, lookup limits and DMARC alignment.

What is an SPF DNS record?

SPF is a TXT record starting with v=spf1 that lists authorized mail sources using mechanisms such as include, ip4, mx, and all. SPF TXT basics guide

Where should SPF be published?

Publish exactly one SPF record at the domain apex (example.com), not at _dmarc or DKIM selectors.

What does -all vs ~all mean?

-all hard-fails unauthorized senders; ~all soft-fails (common during rollout); +all and ?all are permissive and risky for production.

How does DN01 validate SPF?

DN01 queries live apex TXT, finds v=spf1, parses mechanisms, estimates DNS lookups, and flags syntax or policy issues.

How does SPF relate to DMARC and DKIM?

SPF proves envelope authorization; DKIM signs messages; DMARC checks alignment and policy. Use all three tools on the same domain before enforcement.

Why do multiple SPF records fail?

Receivers may permerror when more than one v=spf1 TXT exists—merge includes into a single record.

Tool switcher

Pick the next step in your domain or security workflow.

Full tool catalog

Guides

Practical guides for common SPF Validator tasks — DNS records, troubleshooting steps, and links to our free tools.

Back to SPF Validator