SPF record checker

Look up and validate your domain's SPF record. Get a full breakdown of your sending policy and catch misconfigurations before they hurt deliverability.


§ 01 SPF explained

How SPF protects your domain.

SPF is the first line of defence against email spoofing and phishing.

Authorise senders

SPF lets you publish a list of mail servers allowed to send on your behalf. Any server not on the list fails SPF validation.

Prevent spoofing

Without SPF, anyone can claim to send email from your domain. SPF makes it possible for receiving servers to detect and reject spoofed messages.

10 lookup limit

SPF allows at most 10 DNS lookups per evaluation. Exceeding this causes a PermError, making SPF permanently fail. Monitor your lookup count carefully.

SPF is not enough alone

SPF validates the envelope sender, not the visible From header. You need DMARC to tie SPF (and DKIM) results to the From header and actually block spoofed email.

One record only

A domain must have exactly one SPF TXT record. Multiple v=spf1 records cause a PermError. Merge all sending sources into a single record.

Hard fail vs softfail

-all (hard fail) instructs servers to reject non-matching mail. ~all (softfail) marks it as suspicious. Use -all in production once all senders are listed.


Frequently asked questions

What is an SPF record?

An SPF (Sender Policy Framework) record is a DNS TXT record that lists the mail servers authorised to send email on behalf of your domain. Receiving mail servers check this record to verify that incoming email claiming to be from your domain was sent by an authorised server. Without SPF, anyone can spoof your domain in the From address.

What does -all vs ~all mean?

-all (hard fail) instructs receiving servers to reject any email not matching your SPF record. ~all (softfail) marks non-matching emails as suspicious but still delivers them. For production domains, -all is recommended once all your legitimate sending sources are added.

Why is there a 10 DNS lookup limit?

RFC 7208 limits SPF to 10 DNS lookups to prevent denial-of-service attacks and excessive DNS load. Each include, a, mx, ptr, and exists mechanism counts as one lookup. Exceeding 10 lookups causes a PermError, which effectively makes SPF fail for your domain.

Can I have multiple SPF records?

No. Having more than one SPF (v=spf1) TXT record on your domain causes a PermError and breaks SPF authentication. If you need to authorise multiple senders, combine everything into a single SPF record using multiple mechanisms.
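An added example, not the checker's own code: a small offline linter for the three checks described above (exactly one v=spf1 record, the 10-lookup limit, and the `all` qualifier). The `ZONE` data and all function names are constructed for illustration. Counting `redirect=` as a lookup follows RFC 7208 section 4.6.4; the per-`mx` and void-lookup sub-limits are not modelled.

```python
import re

# Constructed sample data standing in for live DNS: name -> TXT strings.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mailer.example mx a:mail.example.com ~all",
                    "site-verification=constructed"],
    "_spf.mailer.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf2.mailer.example -all"],
    "_spf2.mailer.example": ["v=spf1 exists:%{i}.allow.mailer.example -all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 include:_spf.mailer.example -all"],
    "many.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}
# Terms that cost a DNS lookup (RFC 7208 section 4.6.4, which also counts redirect=).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")


def spf_records(domain, zone):
    """TXT strings at `domain` that are SPF records (first token is v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]


def count_lookups(domain, zone, path=()):
    """Count lookup-costing terms, following include/redirect into nested records."""
    recs = spf_records(domain, zone)
    if domain in path or len(recs) != 1:  # loop guard; unresolved targets are not followed
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        m = TERM.match(term)
        if m and m.group(1) in LOOKUP_TERMS:
            total += 1
            if m.group(1) in ("include", "redirect") and m.group(2):
                total += count_lookups(m.group(2), zone, path + (domain,))
    return total


def lint(domain, zone=ZONE):
    """Report record count, total lookups and the policy set by the `all` term."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return {"result": "permerror" if recs else "none", "records": len(recs)}
    lookups = count_lookups(domain, zone)
    alls = [t for t in recs[0].lower().split() if t.lstrip("+-~?") == "all"]
    quals = {"-": "hardfail", "~": "softfail", "?": "neutral"}
    policy = quals.get(alls[0][0], "pass") if alls else "missing"
    return {"result": "permerror" if lookups > MAX_LOOKUPS else "ok",
            "records": 1, "lookups": lookups, "all": policy}
```

To run it against a real domain, replace `ZONE` with a mapping built from your resolver's TXT answers for the domain and every include target.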

Does SPF alone protect against spoofing?

SPF alone is not enough. SPF only validates the envelope sender (the "Return-Path" address), not the visible "From" header. DMARC is required to connect SPF (and DKIM) validation to the From header and actually prevent spoofing of your visible sender address.