SPF Record Validator

Check any domain's SPF record for errors, analyze mechanisms, and verify you're under the 10-DNS-lookup limit.

What is SPF?

SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email, it checks the SPF record of the sender's domain to verify the email came from an authorized server.

An SPF record starts with v=spf1 and contains a list of mechanisms like include:, ip4:, a, and mx, ending with an all mechanism.

The 10 DNS Lookup Limit

SPF is limited to 10 DNS lookups per evaluation (RFC 7208). Each include:, a, mx, exists:, and redirect= counts as one lookup. Exceeding this limit causes a permerror, which means SPF effectively fails for your domain.
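The counting rule above, as an added example (not this tool's own code): it follows include: and redirect= recursively and returns the worst-case number of DNS-querying terms, also counting ptr, which RFC 7208 includes in the limit. The `ZONE` records and all `example.test` names are constructed, hypothetical data standing in for live TXT queries.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}  # plus the redirect= modifier
LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation

# Constructed TXT records for hypothetical domains (no network access needed).
ZONE = {
    "example.test": "v=spf1 a mx include:_spf.mail.example.test "
                    "include:crm.example.test ip4:192.0.2.0/24 -all",
    "_spf.mail.example.test": "v=spf1 include:_a.mail.example.test "
                              "include:_b.mail.example.test ~all",
    "_a.mail.example.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mail.example.test": "v=spf1 ip4:203.0.113.0/24 exists:%{i}.bl.example.test ~all",
    "crm.example.test": "v=spf1 redirect=_spf.crm.example.test",
    "_spf.crm.example.test": "v=spf1 a:out1.crm.example.test a:out2.crm.example.test mx ~all",
    # Same policy with the CRM include replaced by a literal range.
    "flat.example.test": "v=spf1 a mx include:_spf.mail.example.test "
                         "ip4:192.0.2.0/24 ip4:198.51.100.64/28 -all",
}

def count_lookups(domain, zone=ZONE, chain=()):
    """Worst-case count of DNS-querying terms, following include: and redirect=."""
    if domain in chain:
        raise ValueError("SPF loop via " + domain)
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        raise ValueError("no SPF record at " + domain)
    total, redirect, saw_all = 0, None, False
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
        elif saw_all or re.match(r"[A-Za-z][\w.-]*=", term):
            continue  # mechanisms after "all" and other modifiers cost nothing
        else:
            name, target = re.match(r"[+\-~?]?(\w+)(?::([^/\s]+))?", term).groups()
            saw_all = name == "all"
            if name in LOOKUP_TERMS:
                total += 1
            if name == "include" and target and "%" not in target:
                total += count_lookups(target, zone, chain + (domain,))
    if redirect and not saw_all:  # redirect= is ignored when "all" is present
        total += 1 + count_lookups(redirect, zone, chain + (domain,))
    return total

def verdict(domain, zone=ZONE):
    """Return (lookup count, 'ok' or 'permerror') for the domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, "permerror" if n > LIMIT else "ok"
```

The top-level record shows only four lookup terms, yet nested includes and the redirect push the evaluation past the limit; the flattened variant stays within it.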

SPF and Email Forwarding

SPF fundamentally breaks when email is forwarded. The forwarding server's IP isn't in the original sender's SPF record, so SPF fails. This is why SRS (Sender Rewriting Scheme) exists — it rewrites the envelope sender so SPF checks the forwarding server's domain instead.

ARC-Relay uses SRS automatically, so your forwarded emails always pass SPF at the destination.

Frequently Asked Questions

How do I fix 'too many DNS lookups' in my SPF record?
The SPF 10-lookup limit counts include:, a, mx, redirect=, and exists: mechanisms. To reduce lookups: replace include: with ip4:/ip6: for services with stable IPs, remove unused include: entries, use SPF flattening services, or split across subdomains.

What is the difference between ~all and -all in SPF?
-all (hardfail) tells receivers to reject emails from unauthorized servers. ~all (softfail) suggests marking them as suspicious but delivering anyway. Most modern providers treat both similarly, but -all is recommended for clear authorization. Use ~all only during initial deployment.

Does SPF check the From header or the envelope sender?
SPF checks the envelope sender (MAIL FROM / Return-Path), not the visible From header. This is why SPF alone cannot prevent display-name spoofing. DMARC bridges this gap by requiring either SPF or DKIM to align with the From header domain.

Why does SPF break when I forward email?
When a server forwards email, the receiving server sees the forwarding server's IP, which is not in the original sender's SPF record. The envelope sender still points to the original domain, but the IP check fails. SRS (Sender Rewriting Scheme) solves this by rewriting the envelope sender. ARC-Relay applies SRS automatically.

Can I use both SPF and DKIM?
Yes, and you should. SPF validates the sending server IP, while DKIM validates message integrity with a cryptographic signature. Together with DMARC, they form the complete email authentication stack. DMARC requires at least one of SPF or DKIM to pass and align with the From domain.