What is SPF?

SPF (Sender Policy Framework) is an email authentication system used by receiving mail servers to verify that an email is sent by an authorized server for a domain.

Without SPF, anyone on the internet can send email pretending to be you@yourdomain.com. This is called email spoofing. SPF helps receiving mail servers detect and reject these forged messages.

SPF does not encrypt email and does not protect the message content. It only verifies whether the sending server is allowed to send mail for the domain in the envelope sender address (the SMTP MAIL FROM / Return-Path), not the address a user sees in their mail client.


Where SPF is stored

SPF is published inside your domain’s DNS as a TXT record on the root domain.

Example SPF record:


```

yourdomain.com.    IN TXT    "v=spf1 ip4:192.0.2.15 include:_spf.google.com -all" 
```

While a receiving mail server is accepting a message over SMTP, it takes the IP address of the server that connected to it and checks that address against the mechanisms in this record.


What this SPF Validator checks

The validator retrieves the SPF TXT record and performs basic structural validation:

  • Ensures the record starts with v=spf1
  • Detects multiple SPF records (invalid configuration)
  • Parses mechanisms such as ip4, ip6, include, a, and mx
  • Validates correct placement of the all mechanism
  • Detects common syntax mistakes

The tool is designed as a quick sanity check. It does not perform a full recursive DNS evaluation of all included records.


How SPF works during mail delivery

  1. A sending mail server connects to the receiving server
  2. The receiving server reads the domain of the envelope sender (MAIL FROM)
  3. The receiving server queries DNS for the SPF record
  4. The sending IP is compared to allowed mechanisms
  5. The message passes or fails SPF

The result is then used by spam filters to decide whether to trust the message.


SPF Mechanisms Explained

ip4 / ip6

Explicitly authorizes a specific mail server IP address, or a whole address range in CIDR notation (for example ip4:203.0.113.0/24).

```
ip4:203.0.113.10
```

a

Allows the IP address of the domain’s A record to send email.

mx

Allows servers listed in the domain’s MX records to send email.

include

Imports the SPF policy of another domain. This is required when using external email providers such as cloud email platforms or newsletter services.

```
include:_spf.provider.com
```

all

The all mechanism defines the default policy and should always be the last entry.

  • -all → Reject unauthorized senders (recommended)
  • ~all → Softfail (monitoring/testing)
  • ?all → Neutral
  • +all → Allows everyone (disables SPF protection)

Common SPF mistakes

  • Multiple SPF TXT records on the same domain
  • More than 10 DNS lookups (causes SPF PermError)
  • Forgetting to include cloud mail providers
  • Using +all unintentionally
  • Record exceeding DNS length limits
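
The checks listed under "What this SPF Validator checks" and the mistakes above can be reproduced offline on a record you already hold. The function below is an added example written for this page, not the validator's own code: it parses the terms of a `v=spf1` string, flags `+all`, misplaced `all`, mismatched `ip4`/`ip6` arguments and unknown mechanisms, and counts lookup-costing terms against the limit of 10. It makes no DNS queries, so `include` targets are not followed and the lookup count is only a lower bound; the sample records in the comments are constructed.

```python
import ipaddress

# Terms that cost a DNS lookup during evaluation; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}


def validate_spf(txt_records):
    """Structural checks on the TXT strings at one domain; returns a list of problems.

    No DNS is queried, so include targets are not followed and the lookup
    count is a lower bound on what a receiver would spend.
    """
    problems = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no TXT record starting with v=spf1"]
    if len(spf) > 1:
        problems.append("multiple SPF records: receivers return PermError")
    terms = spf[0].split()[1:]
    lookups, has_default = 0, False
    for pos, term in enumerate(terms):
        if "=" in term:  # modifier, e.g. redirect=other.example or exp=...
            if term.split("=", 1)[0].lower() == "redirect":
                lookups, has_default = lookups + 1, True
            continue
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = body.partition(":")
        name = name.partition("/")[0].lower()  # drop CIDR suffix of a/24, mx/24
        if name == "all":
            has_default = True
            if pos != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
            if qualifier == "+":
                problems.append("+all authorizes every sender; use -all or ~all")
        elif name in ("ip4", "ip6"):
            try:  # accept a single address or a CIDR range
                if ipaddress.ip_network(arg, strict=False).version != int(name[2]):
                    problems.append(f"{term}: address family does not match mechanism")
            except ValueError:
                problems.append(f"{term}: not a valid address or CIDR range")
        elif name in LOOKUP_TERMS:
            lookups += 1
        else:
            problems.append(f"{term}: unknown mechanism")
    if not has_default:
        problems.append("no 'all' or redirect= term: unlisted senders get Neutral")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms: more than 10 causes PermError")
    return problems
```

Pass it the list of TXT strings returned for the domain; a constructed input such as `["v=spf1 ip4:192.0.2.15 include:_spf.google.com -all"]` returns an empty list, while `["v=spf1 +all"]` returns one problem.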

SPF Result Types

  • Pass — sending server is authorized
  • Fail — sender is not authorized
  • SoftFail — suspicious but accepted
  • Neutral — no clear policy
  • None — no SPF record found
  • PermError — invalid SPF configuration
  • TempError — temporary DNS problem

SPF Limitations

SPF alone does not fully secure email. It only validates the sending server and has several limitations:

  • Does not protect message content
  • Fails when email is forwarded, because the forwarding server is not an authorized sender for the original domain
  • Does not verify the visible “From” header

Because of this, SPF is typically used together with DKIM and DMARC.


Typical Use Cases

  • Troubleshoot emails going to spam
  • Verify correct configuration after migrating mail providers
  • Confirm allowed sending servers
  • Detect spoofing risks