What is an SPF record?
SPF (Sender Policy Framework) is a DNS record type that specifies which mail servers and IP addresses are authorised to send email on behalf of a domain. When a receiving mail server gets an incoming message, it checks the sender's domain for an SPF record and verifies that the sending server's IP address is listed as an authorised source. If it is not, the message may be rejected or flagged as suspicious.
SPF records are published as TXT records in the domain's DNS zone. A domain can have only one SPF record. If multiple TXT records starting with v=spf1 exist, SPF evaluation ends in a permanent error and the check fails.
How SPF lookup works
When an email is received, the recipient's mail server extracts the sender's domain from the message envelope and queries DNS for that domain's TXT records. It then locates the SPF record and evaluates whether the sending server's IP matches any of the authorised entries. The result — pass, fail, soft fail, or neutral — influences how the message is handled. SPF alone is not always sufficient to confirm legitimacy; DKIM and DMARC records provide additional layers of authentication that work alongside SPF.
Understanding SPF record components
Every SPF record starts with v=spf1, which identifies the record version. This is followed by one or more mechanisms that define authorised senders. Common mechanisms include ip4 and ip6 for specific IP addresses, include for referencing another domain's SPF policy (commonly used for third-party email services), a for the domain's own A record, and mx for the domain's mail servers. Each mechanism can be prefixed with a qualifier that determines what happens when a match is found.
The record ends with an all mechanism that acts as a catch-all for any sender not matched by the earlier rules. -all (fail) is the strictest setting and rejects all unlisted senders. ~all (soft fail) accepts messages from unlisted senders but marks them as suspicious. +all permits everyone and effectively disables SPF protection.
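The breakdown described above, as an added Python example that is not part of the original page or its lookup tool: it picks the SPF record out of a domain's TXT strings, splits it into qualifier, mechanism and value, and reports duplicate records and a +all catch-all. The function names and the sample TXT strings are constructed for illustration; no DNS query is made.

```python
# Added example; the TXT strings in SAMPLE_TXT are constructed.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
SAMPLE_TXT = ["site-verification=abc123",
              "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example mx ~all"]

def select_spf(txt_records):
    """Return the one SPF record in a TXT set, or None if none is published."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) > 1:   # more than one v=spf1 record is a permanent error
        raise ValueError("permerror: multiple v=spf1 records")
    return spf[0] if spf else None

def parse_spf(record):
    """Return (result_on_match, mechanism, value) for each mechanism."""
    terms = []
    for token in record.split()[1:]:           # skip the v=spf1 version tag
        qualifier = "+"                         # implied when no prefix is given
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        name, _, value = token.partition(":")
        if "/" in name:                         # bare a/mx with a CIDR length
            name, _, cidr = name.partition("/")
            value = "/" + cidr
        if name.lower() not in MECHANISMS:
            if "=" in token:                    # modifier (redirect=, exp=)
                continue
            raise ValueError(f"permerror: unknown mechanism {token!r}")
        terms.append((QUALIFIERS[qualifier], name.lower(), value))
    return terms

def audit(txt_records):
    """List the problems this page warns about for one domain's TXT set."""
    try:
        record = select_spf(txt_records)
        terms = parse_spf(record) if record else []
    except ValueError as exc:
        return [str(exc)]
    if record is None:
        return ["no SPF record published"]
    catch_all = [q for q, m, _ in terms if m == "all"]
    if catch_all[:1] == ["pass"]:
        return ["+all authorises every sender"]
    if not catch_all and "redirect=" not in record.lower():
        return ["no all mechanism and no redirect modifier"]
    return []
```

Calling audit(SAMPLE_TXT) returns an empty list, while a TXT set holding two v=spf1 strings returns the permanent-error finding.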
Frequently Asked Questions
How do I look up an SPF record?
SPF records are stored as TXT records in a domain's DNS zone. Enter any domain name in the lookup tool above and it will query DNS in real time, locate the SPF TXT record, and display it in a structured, readable format — breaking down each mechanism and qualifier so you can see exactly which senders are authorised.
Are DKIM and SPF the same thing?
No — they are complementary but different mechanisms. SPF verifies that the sending server's IP address is authorised by the domain owner. DKIM (DomainKeys Identified Mail) uses cryptographic signatures attached to the email to verify that the message has not been tampered with in transit. Both are stored as TXT records in DNS. Using SPF, DKIM, and DMARC together provides the most complete email authentication coverage.
Why do I need an SPF record?
Without an SPF record, any server on the internet can send email claiming to be from your domain — a technique commonly used in phishing and spoofing attacks. Publishing an SPF record lets receiving mail servers verify that messages from your domain actually originate from your authorised servers, significantly reducing the chance of your domain being used to send fraudulent email and improving the deliverability of your legitimate messages.
What do the SPF qualifier results mean?
Each mechanism in an SPF record can be prefixed with a qualifier that determines what happens when a sending IP matches it. A Pass (+) means the sender is authorised and the message should be accepted. A Fail (-) means the sender is not authorised and the message should be rejected. A Soft Fail (~) means the sender is probably not authorised — the message may be accepted but flagged or moved to spam. A Neutral (?) result means no assertion is made about the sender's legitimacy, and the receiving server can handle the message however it chooses.
How does SPF protect against spoofing?
When a receiving mail server checks an incoming message, it looks up the SPF record for the sender's domain and verifies that the connecting server's IP address is listed as an authorised source. If the IP is not listed and the record ends with -all, the message is rejected outright. This prevents attackers from sending emails that appear to come from your domain using unauthorised servers, protecting both your recipients and your domain's reputation.
Can a domain have more than one SPF record?
No. The SPF specification allows only one SPF record per domain. If multiple TXT records beginning with v=spf1 are published, the SPF evaluation will result in a permanent error, causing messages to fail authentication checks. If you need to authorise multiple senders, all of them must be combined into a single SPF record using include mechanisms or by listing IPs directly.