DNS records and worldwide DNS propagation checker

SPF Checker

SPF (Sender Policy Framework) Validation tool allows users to determine whether there exists some SPF record in type TXT of DNS records of the subjected domain or host. The validation is done by validating the format of SPF records of the domain and determining if the data is valid and should be working or not.

About SPF Record Tester - Prevent Spoofing & Improve Email Reliability

What is an SPF record?

SPF stands for Sender Policy Framework. It's a TXT record added to a domain DNS record that specifies the IP addresses allowed to send emails on behalf of the domain. It enables the domain to announce the list of approved senders publicly.

The SPF record does not validate against the From domain. Instead, it looks at the Return-Path to validate the originating server. Return-Path is the mailing address that receiving mail servers use to notify the problems like delivery problems to the sending mail servers. Therefore, your email can pass the SPF record validation even if From address is fake. The only limitation is that the recipient sees the From address in its email client.

So if the message fails SPF validation, there is no guarantee that it would not be delivered. The receiving ISP takes the final decision. Therefore, SPF is one of the many factors that determine either email should be delivered or not. However, when it comes to verifying the From address, DMARC is relatively more reliable than SPF.

How do SPF record checks help?

The battle against spam and email scam continues. With time, several standards have developed to stop that practices. Sender Policy Framework or SPF is one of those standards.

SPF record determines which email servers are authorized to send the email(s) on the domain's behalf. Results in preventing spoofing and phishing attacks against the email domain. The SPF record describes the DNS record in a particular format to list all the hosts allowed to send the emails on the domain's behalf.

An email can be delivered without SPF authentication. It's not a perfect solution and ultimate problem resolver. However, if combined with DKIM and DMARC, it can improve your email delivery rate and prevent abuse.

How do SPF records work?

The process is quite simple. Suppose an email server receives the message and checks its Return-Path. Suppose that path is [email protected]. To perform the SPF lookup or to validate the SPF record, the following steps take place.

  1. The receiving email server retrieves the SPF record from the DNS records for the domain example.com.
  2. The receiving server then verifies the SPF record for all the IP addresses authorized to send an email(s) on behalf of the domain.
  3. If the SPF check passes, the receiving server considers it a trusted email. It may be confident the message was sent from an approved sending server and will continue its processing.
  4. If the SPF check fails, the message is considered illegitimate and processed as per the receiving server's failure process.

How to implement an SPF record on your domain?

Implementing an SPF record is an easy process. It's a TXT record that you need to add to your DNS record. One common mistake that people usually make is setting the multiple SPF TXT entries in their DNS records, making the receiving server challenging to know which SPF record is the definitive one. That results in failing SPF record validation.

So, whenever you want to add the SPF TXT record for the new server. Always make sure to delete the existing SPF record entry. Just add the new service to that entry.

Example of an SPF record

An SPF syntax looks like this: v=spf1 include:_spf.google.com ~all

v=spf1 is the version of the SPF record being used followed by one or mechanisms. The mechanisms that follow are checked left to right, and these specify different rules on how SPF is checked for the domain.

The SPF record for some popular email services is as follows.

  • Email Provider
    SPF record
  • v=spf1 include:send.aweber.com ~all
  • v=spf1 include:amazonses.com ~all
  • v=spf1 include:spf.messagingengine.com ?all
  • v=spf1 include:_spf.google.com ~all
  • v=spf1 a mx include:secureserver.net ~all
  • v=spf1 include:u123456.wl.sendgrid.net -all
  • v=spf1 include:spf.mandrillapp.com ?all
  • v=spf1 include:spf.protection.outlook.com -all
  • v=spf1 include:mailgun.org ~all
  • v=spf1 include:spf.mailjet.com ~all
  • v=spf1 include:_spf.mlsend.com ~all
  • v=spf1 include:emailsrvr.com ~all
  • v=spf1 include:zoho.com -all
  • v=spf1 include:mail.zendesk.com ?all

How to validate and perform SPF record lookup?

To validate the SPF record. Perform the following steps.

  • Open the SPF Checker & SPF Lookup tool.
  • Enter the domain/host address in the space provided for that purpose and click the "SPF Record Validate" button.
  • The tool will perform the SPF lookup for record validation and will validate the SPF record on the following checks.
    1. Require the SPF record in the DNS so that it can validate it.
    2. Check for the multiple SPF records. It is not permitted to publish multiple SPF records.
    3. Check the SPF string length. It has a 255 characters string limit.
    4. When using SPF, it's only possible to perform 10 (nested) DNS lookups.
    5. Check whether the PTR mechanism is used. It's not advised to use PTR as this is a deprecated one, and several senders may ignore the SPF record when this method is used.
    6. The domain has published the SPF record in a DNS type "SPF".
    7. Check for the "+all" mechanism. That means that anyone can send an email on your behalf. This setup is discouraged.
    8. No items after 'all' mechanism.