Free Tool
SPF Record Checker
Review your SPF DNS record and find sender authorization mistakes that can hurt deliverability or spoofing protection.
What this tool checks
This page uses ZeriFlow's deterministic website security engine and focuses the guidance on the configuration area above. For the full report, run a complete free security scan.
Key Checks
SPF Presence
Checks whether the domain publishes a valid SPF TXT record.
Sender Scope
Reviews the "include", "ip4", "ip6", "mx", and "a" mechanisms used to authorize senders.
Lookup Limit
Flags configurations that may approach or exceed the 10 DNS lookup limit.
Fail Policy
Explains the practical difference between softfail and fail endings.
Recommended Baseline
One Record
Publish exactly one SPF record for the domain.
Senders
Include only services that are actually allowed to send mail.
Lookup Limit
Keep SPF DNS mechanisms below the 10 lookup limit.
DMARC
Pair SPF with DKIM and DMARC for stronger spoofing protection.
FAQ
What is an SPF record?
SPF is a DNS TXT record that lists which mail servers are allowed to send email for your domain.
What does SPF fail mean?
A fail policy tells receivers that unauthorized senders should be rejected or treated as invalid, depending on receiver behavior and DMARC alignment.
What is the SPF DNS lookup limit?
SPF evaluation has a limit of 10 DNS lookups. Too many include mechanisms can cause permerror results and weaken deliverability.
Does SPF alone stop spoofing?
No. SPF is strongest when combined with DKIM and DMARC, especially with a DMARC policy that moves beyond monitoring.
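The presence, single-record, lookup-limit and fail-policy checks described above can be sketched offline as follows. This is an added example, not ZeriFlow's code: the ZONE table and its .test domains are constructed sample data standing in for DNS, the function names are hypothetical, and the lookup count is a static worst case rather than a full SPF evaluation.

```python
# Constructed sample data: domain -> TXT strings, standing in for live DNS.
ZONE = {
    "example.test": ["v=spf1 mx include:_spf.mailer.test include:_spf.crm.test ~all",
                     "site-verification=constructed-value"],
    "_spf.mailer.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.relay.test -all"],
    "_spf.relay.test": ["v=spf1 a ip6:2001:db8::/32 -all"],
    "_spf.crm.test": ["v=spf1 ip4:198.51.100.7 -all"],
    "dup.test": ["v=spf1 -all", "v=spf1 ip4:203.0.113.5 ~all"],
}
# Terms that trigger a DNS query and count toward the limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def spf_records(domain, zone):
    """Return the TXT strings published at `domain` that are SPF records."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(record, zone, path):
    """Worst-case count of lookup-causing terms, following include/redirect."""
    total = 0
    for term in record.split()[1:]:
        body = term.lstrip("+-~?").lower()
        name, _, arg = body.replace("=", ":", 1).partition(":")
        name = name.split("/")[0]              # "mx/24" -> "mx"
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and arg not in path:  # skip loops
            for sub in spf_records(arg, zone)[:1]:
                total += count_lookups(sub, zone, path | {arg})
    return total


def check_spf(domain, zone=ZONE):
    """Report record count, lookup count and the policy set by the `all` term."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:                         # zero or multiple records
        return {"records": len(recs), "lookups": None, "policy": None}
    lookups = count_lookups(recs[0], zone, frozenset({domain}))
    ending = next((t for t in recs[0].split() if t.lstrip("+-~?").lower() == "all"), None)
    policy = QUALIFIERS.get(ending[0], "pass") if ending else None
    return {"records": 1, "lookups": lookups, "over_limit": lookups > 10,
            "policy": policy}
```

For example.test the nested includes bring the count to 5 lookups even though the top-level record shows only three lookup-causing terms, which is how a record drifts toward the limit as senders are added.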
Need the full security picture?
ZeriFlow combines deterministic website checks across headers, TLS, DNS, cookies, and email security with monitoring, reporting, and AI-powered developer workflows where implemented.