SPF Validator
Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of email. SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain.
SPF Validator Tool
Our SPF Validator tool helps you check if your SPF record is correctly configured and valid.
What is SPF?
Sender Policy Framework (SPF) is an email authentication protocol that helps prevent email spoofing. It allows domain owners to specify which mail servers are authorized to send email on behalf of their domain by creating a specific SPF record in the domain's DNS.
When a receiving mail server gets an email, it checks the sender's domain SPF record to verify if the sending mail server is authorized to send email for that domain. If the check fails, the email may be marked as spam or rejected.
How SPF Works
- Publishing: The domain owner publishes an SPF record in their domain's DNS, listing the authorized mail servers.
- Checking: When an email is received, the receiving mail server extracts the sender's domain from the "Return-Path" (also known as "MAIL FROM" or envelope sender).
- Verification: The receiving server looks up the SPF record for the sender's domain.
- Evaluation: The receiving server checks if the IP address of the sending server is listed in the SPF record.
- Result: Based on the evaluation, the SPF check returns one of several results: Pass, Fail, SoftFail, Neutral, None, PermError, or TempError.
- Action: The receiving server takes action based on the result, according to its own policies.
SPF Record Syntax
An SPF record is a TXT record in your domain's DNS. The basic syntax is:
v=spf1 [mechanisms] [qualifier]all
Where:
- v=spf1: Version of SPF being used (currently only version 1)
- mechanisms: Rules that identify authorized sending servers
- qualifier: Optional character that specifies the policy for a mechanism (+ for Pass, - for Fail, ~ for SoftFail, ? for Neutral)
- all: Matches everything not matched by other mechanisms
SPF Mechanisms
SPF mechanisms are used to identify authorized sending servers. Here are the common mechanisms:
Mechanism | Description | Example |
---|---|---|
a | Matches if the sender IP is one of the A records for the sending domain | a:example.com |
mx | Matches if the sender IP is one of the MX records for the sending domain | mx:example.com |
ip4 | Matches if the sender IP is in the specified IPv4 range | ip4:192.0.2.0/24 |
ip6 | Matches if the sender IP is in the specified IPv6 range | ip6:2001:db8::/32 |
include | Includes the SPF record from another domain | include:_spf.example.com |
exists | Matches if the specified domain has any A record | exists:example.com |
redirect | Redirects to another domain's SPF record | redirect=_spf.example.com |
all | Matches everything not matched by other mechanisms | -all |
SPF Qualifiers
Each mechanism can have a qualifier that specifies what action to take when the mechanism matches. If no qualifier is specified, the default is + (Pass).
Qualifier | Result | Description |
---|---|---|
+ (default) | Pass | The sender is authorized |
- | Fail | The sender is not authorized and the email should be rejected |
~ | SoftFail | The sender is not authorized, but the email should be accepted with caution |
? | Neutral | The sender's authorization is explicitly neutral |
SPF Record Examples
Basic SPF Record
v=spf1 ip4:192.0.2.0/24 -all
This record authorizes emails sent from IP addresses in the range 192.0.2.0/24 and rejects all others.
SPF Record with Multiple Mechanisms
v=spf1 a mx ip4:192.0.2.0/24 include:_spf.example.com -all
This record authorizes emails sent from the domain's A records, MX records, the specified IP range, and any IPs authorized by _spf.example.com's SPF record.
SPF Record for Google Workspace
v=spf1 include:_spf.google.com -all
This record authorizes Google Workspace to send email on behalf of your domain.
SPF Record with SoftFail
v=spf1 ip4:192.0.2.0/24 ~all
This record authorizes emails sent from IP addresses in the range 192.0.2.0/24 and marks all others as SoftFail (should be accepted but marked as suspicious).
SPF Record with Redirect
v=spf1 redirect=_spf.example.com
This record redirects to the SPF record of _spf.example.com.
SPF Best Practices
Use a strict policy
End your SPF record with -all to explicitly reject unauthorized senders. If you're just starting with SPF, you can use ~all (SoftFail) during the transition period.
Include all legitimate senders
Make sure your SPF record includes all services that send email on behalf of your domain (your mail server, marketing platforms, CRM systems, etc.).
Avoid exceeding lookup limits
SPF has a limit of 10 DNS lookups per evaluation. Each include, a, mx, ptr, exists, and redirect mechanism counts as a lookup. If you exceed this limit, your SPF record may fail to validate.
Avoid using the ptr mechanism
The ptr mechanism is inefficient and can cause performance issues. It's generally recommended to avoid using it.
Regularly validate your SPF record
Use our SPF Validator tool to regularly check your SPF record for syntax errors, lookup limit issues, and other problems.
Implement SPF alongside DKIM and DMARC
For the most comprehensive email authentication, implement SPF alongside DKIM and DMARC. These three protocols work together to provide the best protection against email spoofing.
Common SPF Issues
Too many DNS lookups
SPF has a limit of 10 DNS lookups per evaluation. If you exceed this limit, your SPF record may fail to validate. To fix this, you can consolidate your includes or use IP addresses directly.
Multiple SPF records
A domain should have only one SPF record. If you have multiple SPF records, some mail servers may reject your emails. To fix this, consolidate all your SPF mechanisms into a single record.
Missing authorized senders
If your SPF record doesn't include all services that send email on behalf of your domain, emails from those services may be rejected. To fix this, update your SPF record to include all legitimate senders.
Syntax errors
SPF records must follow a specific syntax. Common errors include missing spaces, incorrect qualifiers, and invalid mechanisms. Use our SPF Validator tool to check for syntax errors.
Overly permissive policy
Ending your SPF record with ?all (Neutral) or +all (Pass) allows anyone to send email from your domain. This defeats the purpose of SPF. Use -all (Fail) or ~all (SoftFail) instead.
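Three of the issues above (too many DNS lookups, multiple SPF records, an overly permissive policy) can be checked mechanically. The following is an added example, not this site's validator code; the `ZONE` table is constructed data standing in for DNS so the check runs offline, and all domain and function names in it are assumptions. It goes one step beyond the text by following nested include and redirect targets, giving a worst-case lookup count.

```python
# Constructed TXT data standing in for DNS, so the example runs offline.
ZONE = {
    "bad.example": ["v=spf1 a mx include:_spf.one.example include:_spf.two.example ?all"],
    "_spf.one.example": ["v=spf1 a mx exists:x.example include:_spf.two.example -all"],
    "_spf.two.example": ["v=spf1 a mx ptr exists:y.example -all"],
    "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.two.example -all"],
    "dup.example": ["v=spf1 -all", "v=spf1 ip4:192.0.2.0/24 -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

def spf_records(domain, zone):
    """Return the TXT strings for a domain that are SPF records."""
    return [txt for txt in zone.get(domain, []) if txt.lower().split()[:1] == ["v=spf1"]]

def split_term(term):
    """Split '-include:x' or 'redirect=x' into (name, target)."""
    body = term.lstrip("+-~?").replace("=", ":", 1)
    name, _, target = body.partition(":")
    return name.split("/")[0].lower(), target

def count_lookups(domain, zone, path=()):
    """Count lookup-causing terms, following include/redirect recursively."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:
        return 0  # include loop, or no single record to follow
    total = 0
    for term in records[0].split()[1:]:
        name, target = split_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(target, zone, path + (domain,))
    return total

def lint(domain, zone):
    """Return a list of findings for the domain's SPF setup."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return ["no SPF record" if not records else "multiple SPF records"]
    findings = []
    lookups = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}")
    for term in records[0].split()[1:]:
        # A bare "all" has the default + qualifier, so it is flagged as well.
        if split_term(term)[0] == "all" and term[0] not in "-~":
            findings.append(f"permissive policy: {term}")
    return findings
```

Calling `lint("bad.example", ZONE)` reports both the lookup overrun and the `?all` policy, while `lint("good.example", ZONE)` returns an empty list.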
SPF Validation Tool
Our SPF Validator tool helps you check if your SPF record is correctly configured and valid. It checks for:
- Syntax errors
- DNS lookup limit issues
- Multiple SPF records
- Overly permissive policies
- Other common SPF issues
Next Steps
To learn more about email authentication, explore:
- DKIM Validator - Understand DKIM implementation and validation
- DMARC Analyzer - Explore DMARC policies and reporting
- Email Authentication Best Practices - Comprehensive guide to email security