MedhaCloud
Full Scan
MX Lookup
SPF
DMARC
DKIM
BIMI
SPF Generator
DMARC Generator
DKIM Generator

SPF Checker

Run full email scan

About SPF Checker

This tool parses your SPF record, expands every include / a / mx / ptr mechanism recursively, counts DNS lookups against the 10-lookup limit, and validates syntax. Queries are made directly against authoritative name servers, so changes show up instantly. Cross-checked against DMARC + DKIM alignment in the same scan.

How the SPF check works

Parses every mechanism, counts every lookup

01

Fetch the TXT record

Browser-side DoH query to Google + Cloudflare resolvers. Returns the full v=spf1… string with no truncation.

02

Parse and count

Each include:, a, mx, ptr, and exists mechanism is counted against the 10-lookup limit. We expand nested includes (Microsoft, Google, Mailgun, etc.) recursively.

03

Validate + score

Detects "+all" (open relay), missing all mechanism, void lookups, multiple SPF records, and syntax errors. Shows exact recommendations.

Common SPF errors this catches

Why your SPF record fails authentication

Too many DNS lookups (10+ limit)

The single most common SPF break. Chained includes for Google + Microsoft + Mailgun + Salesforce push you past 10. Result: PermError, all SPF fails. Fix: flatten or drop unused includes.

Multiple SPF records on one domain

You can only have ONE SPF TXT record per domain. Two records = invalid SPF, all mail fails authentication. Combine them into one v=spf1 string.

Missing or weak "all" mechanism

Records ending in +all act as open relays — spammers love them. ?all is neutral, useless. ~all is OK during rollout. -all is the production target.

+all (open relay)

Tells receivers to accept mail from any source claiming to be your domain. Anyone can spoof you. Almost always a misconfiguration.

Invalid syntax

Missing v=spf1 prefix, unescaped colons, typos in include: hostnames. Receivers fail on PermError. We catch every syntax violation.

Stale includes after vendor change

You stopped using Mailgun two years ago but include:spf.mailgun.org is still there eating a lookup. Audit and remove.

FAQ

SPF checker — common questions

What is an SPF record?+
An SPF (Sender Policy Framework) record is a DNS TXT record that lists which mail servers are authorized to send email on behalf of your domain. Receiving servers check SPF to decide whether incoming mail is legitimate or spoofed.
What does "too many DNS lookups" mean in my SPF record?+
SPF has a hard limit of 10 DNS lookups per record (mechanisms like include:, a, mx, ptr, exists each count as one). If you exceed 10, the record returns PermError and email authentication fails. Common cause: chained include: statements from Google, Microsoft, and a third-party ESP all in one record. Fix: SPF flattening or removing redundant includes.
What is the difference between -all, ~all, and ?all?+
-all (hard fail) tells receivers to reject mail that fails SPF — the strongest setting. ~all (soft fail) marks failed mail as suspicious but still delivers it — used during rollout. ?all (neutral) means "no opinion" and provides no protection. Production domains should use -all once SPF is verified working.
Why do I need both SPF and DKIM?+
SPF authenticates the SMTP envelope sender (Return-Path), DKIM cryptographically signs the message itself. SPF breaks when emails are forwarded; DKIM survives forwarding. DMARC requires at least one of them to pass for alignment, so most production domains run both.
How often should I check my SPF record?+
Re-check whenever you (1) add a new email vendor — CRM, marketing platform, ticketing tool, (2) change email providers (Google ↔ Microsoft), (3) get bounce reports or DMARC failure reports, (4) renew SSL/DNS providers. Otherwise quarterly is fine for established domains.

Single-protocol tools

Need just one protocol?

DMARC Checker
Verify DMARC policy + reports
DKIM Checker
Inspect DKIM signing keys
MX Lookup
Check MX records + priority
Full email security scan
All 7 checks in one report

Beyond Free Tools

Enterprise Cloud & IT Services

From Microsoft 365 migrations to fully managed infrastructure — we handle every layer of your IT stack.

Migration Tools We Use

Enterprise-grade tooling for every platform

  • BitTitan MigrationWizCloud-to-cloud email & data
  • Microsoft Exchange HybridOn-prem to Exchange Online
  • ShareGate DesktoolSharePoint & OneDrive
  • Microsoft Mover.ioGoogle Drive to OneDrive
  • Entra ID ConnectAD sync & hybrid identity
  • PowerShell & EWS APIAutomation & bulk ops
M365 Migration Services

Our Services

More Services

Contact Us