SPF Record Checker
Paste your domain's SPF TXT record and get a per-token breakdown of qualifiers (+ - ~ ?), mechanisms (a, mx, ip4, ip6, include, ptr, exists, all), modifiers (redirect, exp) plus a DNS-lookup count vs the RFC 7208 10-lookup limit and a colour-coded issues panel. 100% offline.
What is the SPF Record Checker?
SPF Record Checker is a paste-in validator for RFC 7208 SPF records (TXT values beginning with `v=spf1`). It tokenises the record, identifies each token as a mechanism (`a`, `mx`, `ip4`, `ip6`, `include`, `ptr`, `exists`, `all`) or modifier (`redirect`, `exp`), pulls out the qualifier prefix (`+` pass, `-` fail, `~` softfail, `?` neutral), parses CIDR masks (`/24`, `//64`), and validates IP address syntax. Critically, it counts the mechanisms that cause DNS lookups (`a`, `mx`, `ptr`, `exists`, `include`) against the RFC 7208 §4.6.4 hard limit of 10. Most SPF debugging is about staying under this limit, which `include` chains blow through fast. The issues panel surfaces common mistakes: a missing `all` terminator (defaults to softfail), `all` not last (anything after it is ignored), `+all` (permit any sender, almost always wrong), invalid IP addresses, out-of-range CIDR masks, and unknown mechanism or modifier names.
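The checks described above can be sketched in a few lines of JavaScript. This is an added example, not Toollyz's own code: the function name `analyzeSpf`, the issue strings and the sample record are assumptions made for illustration. It counts only the terms visible in the pasted record, so lookups inside nested `include` records are not followed.

```javascript
// Added example, not the tool's own code. Works offline on the pasted text only.
const MECHANISMS = new Set(['a', 'mx', 'ip4', 'ip6', 'include', 'ptr', 'exists', 'all']);
const MODIFIERS = new Set(['redirect', 'exp']);
const LOOKUP_MECHANISMS = new Set(['a', 'mx', 'ptr', 'exists', 'include']);
const QUALIFIERS = { '+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral' };
const MAX_MASK = { ip4: 32, ip6: 128 };
function analyzeSpf(record) {
  const issues = [];
  const text = record.trim().replace(/^"|"$/g, '').trim();
  const [version, ...terms] = text.split(/\s+/);
  if (version.toLowerCase() !== 'v=spf1') {
    return { tokens: [], lookups: 0, issues: ['record does not start with v=spf1'] };
  }
  const tokens = terms.map((raw) => {
    const mod = raw.match(/^([a-z][a-z0-9_.-]*)=(.*)$/i);
    if (mod) {
      const name = mod[1].toLowerCase();
      if (!MODIFIERS.has(name)) issues.push(`unknown modifier: ${name}`);
      return { raw, kind: 'modifier', name, value: mod[2] };
    }
    // Groups: qualifier, mechanism name, optional ":value", optional CIDR suffix.
    const m = raw.match(/^([+\-~?]?)([a-z0-9]+)(?::([^/]*))?(\/.*)?$/i);
    const name = m ? m[2].toLowerCase() : raw;
    if (!m || !MECHANISMS.has(name)) {
      issues.push(`unknown mechanism: ${raw}`);
      return { raw, kind: 'unknown', name };
    }
    if (name in MAX_MASK && m[4] && !(/^\/\d+$/.test(m[4]) && Number(m[4].slice(1)) <= MAX_MASK[name])) {
      issues.push(`CIDR mask out of range: ${raw}`);
    }
    return { raw, kind: 'mechanism', name, qualifier: QUALIFIERS[m[1] || '+'], value: m[3], cidr: m[4] };
  });
  // RFC 7208 section 4.6.4 counts the redirect modifier as a lookup as well.
  const lookups = tokens.filter((t) =>
    (t.kind === 'mechanism' && LOOKUP_MECHANISMS.has(t.name)) ||
    (t.kind === 'modifier' && t.name === 'redirect')).length;
  if (lookups > 10) issues.push(`${lookups} DNS lookups, limit is 10`);
  const allAt = tokens.findIndex((t) => t.kind === 'mechanism' && t.name === 'all');
  if (allAt === -1) {
    if (!tokens.some((t) => t.kind === 'modifier' && t.name === 'redirect')) issues.push('no all terminator');
  } else {
    if (tokens[allAt].qualifier === 'pass') issues.push('+all permits any sender');
    if (tokens.slice(allAt + 1).some((t) => t.kind === 'mechanism')) issues.push('all is not last');
  }
  return { tokens, lookups, issues };
}
// Constructed sample record (documentation address ranges and example domains).
const SAMPLE = '"v=spf1 mx a/24 include:_spf.example.net ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"';
console.log(analyzeSpf(SAMPLE));
```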
How to use it
- Get your domain's SPF record (dig: `dig +short example.com TXT | grep spf1`).
- Paste the TXT value (with or without surrounding quotes).
- Read the DNS-lookup count vs the 10-limit at the top.
- Browse the per-token table and the issues panel.
Benefits
- Tokenises any v=spf1 record into mechanisms + modifiers.
- Identifies qualifier prefix per mechanism: + pass / - fail / ~ softfail / ? neutral.
- Counts DNS-lookup-causing mechanisms (a, mx, ptr, exists, include) vs the RFC 7208 10-limit.
- Validates IP4 / IP6 syntax and CIDR mask range (0-32 / 0-128).
- Flags missing-`all`, `all`-not-last, and `+all` (permit any sender).
- Identifies the terminator and surfaces the result it produces.
- Quick-reference cards for the four qualifier types.
- Issue colour-coding: errors red, warnings amber, infos blue.
- Runs 100% in your browser — Toollyz has no server (we don't look up your DNS for you, just parse what you paste).
Frequently asked questions
What's an SPF record?
A DNS TXT record on your domain (or subdomain) starting with `v=spf1` that lists which mail servers are authorised to send mail using your domain in the envelope From. Receivers query SPF and reject (or quarantine) mail from unlisted servers.
What's the 10-lookup limit?
RFC 7208 §4.6.4 forbids SPF records from causing more than 10 DNS lookups during evaluation. Each `a`, `mx`, `ptr`, `exists` and `include` mechanism costs a lookup — and `include` recursively counts the included record's lookups too. Easy to bust.
How do I get under the 10-lookup limit?
Replace `include:` chains with the actual IP/CIDR ranges using `ip4:` or `ip6:`. Use a tool like dmarcian.com's SPF flattener. Or restructure your sending services to use one centralised mail relay.
Should I use -all or ~all?
Start with `~all` (softfail) while you're rolling out — receivers will mark unauthorised senders as spam but not reject. Once you're confident the record covers all legitimate sources, switch to `-all` (hard fail) for strongest protection.
What does +all do?
Permit any sender — effectively turning off SPF protection. Almost always a mistake. The exception: a parking domain with no expected mail.
Why does include: matter so much?
Each `include:` recursively pulls in another SPF record and adds its lookups to your count. `include:_spf.google.com` alone is multiple lookups.
What's the difference between SPF qualifier '+' and no qualifier?
They're equivalent — both mean 'pass'. The default qualifier is `+` when none is specified. `+ip4:1.2.3.4` and `ip4:1.2.3.4` are identical.
What about a/24 vs ip4:1.2.3.0/24?
`a/24` means 'the IP from the A record, treated as a /24 CIDR'. `ip4:1.2.3.0/24` is an explicit CIDR range. Use ip4 when you know the IPs; use a/24 when the IPs may change with DNS.
Does this query the SPF record from DNS?
No — we don't perform DNS lookups. Paste the record you want to check. Use `dig +short yourdomain.com TXT` to grab it.
Can I check DKIM and DMARC here too?
Not in this tool — separate tools coming. SPF is the most common to debug.
Is anything uploaded?
No. Parsing and validation run entirely in your browser.