spf checker

find and parse a domain's SPF (sender policy framework) record. part of the drwho.me domain dossier.

Overview

spf (RFC 7208) lets a domain owner publish, via a single TXT record at the apex, which hosts are authorized to send mail on its behalf. the record begins with `v=spf1` and is followed by mechanisms (`include`, `a`, `mx`, `ip4`, `ip6`, `exists`, `ptr`) and a final `all` with a qualifier (`+` pass, `~` softfail, `-` fail, `?` neutral). receivers evaluate mechanisms left-to-right and apply the first match. this tool queries the TXT rrset via cloudflare's doh resolver, concatenates the quoted segments doh returns (spf strings are published as one or more 255-byte chunks), filters for the single record starting with `v=spf1`, and splits it into its mechanisms.

How to use

  1. enter a bare domain: public fqdn only. no schemes, ports, paths.
  2. run the check: a single TXT doh query at the apex, then filtered for `v=spf1`.
  3. read the mechanisms: left-to-right evaluation. the final `all` qualifier decides what happens to unmatched senders.

Examples

example 1 — google workspace delegates its sender set through a single include.
  input: google.com
  output: v=spf1 include:_spf.google.com ~all

example 2 — github mixes an explicit ip4 range with two includes and a hard fail.
  input: github.com
  output: v=spf1 ip4:192.30.252.0/22 include:_spf.google.com include:spf.protection.outlook.com -all

Common mistakes

  • multiple spf records are forbidden: RFC 7208 §3.2 requires exactly one `v=spf1` TXT record at the apex. some operators split policies into two records thinking it helps — receivers are required to treat that as permerror. this tool reports it as an error.
  • 10-DNS-lookup limit: each `include`, `a`, `mx`, `exists`, `ptr`, and `redirect` costs one dns lookup during evaluation. the total across the whole record (including nested includes) must stay at or below 10, or receivers return permerror. this tool surfaces the record but does not yet walk includes to count lookups.
  • `~all` vs `-all` vs `?all`: `-all` is a hard fail — receivers should reject. `~all` is a softfail — accept but mark suspicious. `?all` is neutral — no opinion. `+all` is authorize-everything and is almost always wrong. dmarc policy amplifies whichever you pick.

FAQ

why does the tool flag multiple spf records as an error?

RFC 7208 §3.2 forbids it. conformant receivers treat multi-record cases as permerror, so mail from the domain may fail delivery until it's collapsed into one.

does spf alone stop spoofing?

no. spf authenticates the envelope sender (RFC 5321 MAIL FROM), not the visible From: header. pairing spf with dkim and publishing a dmarc policy is what closes the gap.

what if the record is split across quoted segments?

doh returns long TXT values as multiple quoted strings separated by whitespace; the spec says receivers must concatenate them with no separator. the tool does that before parsing, so `"v=spf1 include:_spf.google.com " "-all"` becomes `v=spf1 include:_spf.google.com -all`.
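the pipeline described in the overview, the common-mistakes list and this answer, as an added example that is not the tool's own code: it takes a cloudflare doh JSON answer (a constructed sample is embedded, not a real capture), joins the quoted segments, insists on exactly one `v=spf1` record, splits it into terms, and counts lookup-costing terms at the top level only, without walking includes. the domain `example.test` and the record contents are made up.

```python
import json
import re

# Terms that cost a DNS lookup during evaluation (RFC 7208 §4.6.4); the limit is 10.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DoH JSON answer (not a real capture); the SPF record is split into two quoted chunks.
SAMPLE_DOH = json.dumps({"Status": 0, "Answer": [
    {"name": "example.test", "type": 16, "TTL": 300, "data": '"site-verification=abc123"'},
    {"name": "example.test", "type": 16, "TTL": 300,
     "data": '"v=spf1 ip4:192.0.2.0/24 include:_spf.example.test " "-all"'},
]})

def join_segments(data: str) -> str:
    """Concatenate the quoted strings of one TXT rdata with no separator (RFC 7208 §3.3)."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', data)) or data

def find_spf(doh_json: str) -> str:
    """Return the single v=spf1 record; zero or several is a permerror (RFC 7208 §3.2)."""
    answers = json.loads(doh_json).get("Answer", [])
    txts = [join_segments(a["data"]) for a in answers if a.get("type") == 16]
    spf = [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(spf) != 1:
        raise ValueError(f"permerror: expected one v=spf1 record, found {len(spf)}")
    return spf[0]

def parse_spf(record: str) -> dict:
    """Split the record into terms, count lookup-costing ones, and flag risky patterns."""
    terms = []
    for tok in record.split()[1:]:  # skip the v=spf1 version tag
        if "=" in tok:  # modifier such as redirect=_spf.example.test
            name, _, value = tok.partition("=")
            terms.append({"qualifier": None, "mechanism": name.lower(), "value": value})
            continue
        qual, body = (tok[0], tok[1:]) if tok[0] in QUALIFIERS else ("+", tok)
        name, _, value = body.partition(":")
        name = name.split("/", 1)[0].lower()  # drop a CIDR suffix on a/mx (a/24, mx/16)
        terms.append({"qualifier": QUALIFIERS[qual], "mechanism": name, "value": value})
    lookups = sum(1 for t in terms if t["mechanism"] in LOOKUP_TERMS)
    tail = next((t for t in reversed(terms) if t["mechanism"] == "all"), None)
    warnings = []
    if lookups > 10:
        warnings.append("more than 10 lookup-costing terms at the top level (permerror)")
    if any(t["mechanism"] == "ptr" for t in terms):
        warnings.append("ptr is discouraged by RFC 7208; prefer ip4/ip6 or include")
    if tail and tail["qualifier"] == "pass":
        warnings.append("+all authorizes every sender")
    return {"terms": terms, "lookups": lookups, "warnings": warnings, "all": tail["qualifier"] if tail else None}
```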

why is `ptr` considered harmful?

`ptr` forces the receiver to do reverse-dns on the connecting ip, which is slow and unreliable. RFC 7208 explicitly discourages it. prefer `ip4`/`ip6` ranges or `include`.

can a subdomain have its own spf record?

yes. spf is checked at whatever name appears in the MAIL FROM, so a subdomain publishes its own TXT. this tool checks the apex you entered — query `mail.example.com` directly if that's the sender.

Related tools

  • dns lookup: resolve A, AAAA, MX, TXT, NS, or CNAME records via Cloudflare DoH.
  • dns records lookup: resolve A, AAAA, NS, SOA, CAA, and TXT records for a domain in one go.
  • mx lookup: list the mail exchangers (MX records) a domain advertises, sorted by priority.

References

  1. RFC 7208 — SPF
  2. dmarc.org — SPF overview