What does the SPF Record Checker actually look up?

Last updated May 19, 2026

The Valid Email Checker SPF Record Checker is a thin client that runs entirely in your browser. When you click Check, it makes a single DNS-over-HTTPS request to dns.google asking for all TXT records on the apex domain you typed, scans the response for the one that starts with v=spf1, and parses that record into mechanisms and a failure policy. Nothing is sent to our servers — the lookup goes from your browser straight to Google Public DNS and back.

The actual request

Under the hood the tool calls https://dns.google/resolve?name=<your-domain>&type=TXT and reads the Answer array. TXT records can hold lots of unrelated content (verification tokens for Google, Stripe, GitHub, and dozens of other services often live alongside SPF), so the parser filters specifically for entries whose data field starts with v=spf1. That is the canonical signature of an SPF record.

What it parses out of the record

  • Authorized senders — every include:, ip4:, ip6:, a, mx, and exists: mechanism, listed in the order they appear in the record.
  • Failure policy — the trailing -all, ~all, ?all, or +all. Each gets a color-coded badge: green for strict, amber for soft, gray for neutral, red for "allow everyone".
  • Raw record — the exact TXT value as published in DNS, with a one-click copy button.

What it deliberately does not do

Three things the checker is not designed for and never claims to do:

  • Recursive include: resolution. If your record includes _spf.google.com, the tool shows that include but does not crawl into Google's SPF record to count its lookups. Use a dedicated SPF flattener for that.
  • 10-lookup limit enforcement. SPF caps the total number of DNS lookups at 10. The tool does not flag overruns directly — it shows you the mechanisms so you can count manually.
  • Server-side caching. Every lookup hits Google Public DNS live. If you just published a record, it appears the moment Google resolvers see it.
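
The lookup and parse steps described above, sketched as an added example (not Valid Email Checker's own code). It goes one step further than the tool by counting the lookup-consuming terms in the top-level record only; the sample response, joinTxt, parseSpf and the result field names are constructed for illustration, and the handling of quoted TXT data is an assumption about how a resolver may return split strings.

```javascript
// Constructed sample of a dns.google/resolve?type=TXT response body (not real data).
const SAMPLE = {
  Status: 0,
  Answer: [
    { name: "example.test.", type: 16, data: "google-site-verification=CONSTRUCTED" },
    { name: "example.test.", type: 16,
      data: '"v=spf1 include:_spf.google.com ip4:192.0.2.0/24 mx" " -all"' },
  ],
};

const POLICY = { "-": "strict", "~": "soft", "?": "neutral", "+": "allow everyone" };
// Terms that each cost one DNS lookup against the limit of 10 (RFC 7208 section 4.6.4).
const LOOKUP_TERMS = new Set(["include", "a", "mx", "ptr", "exists", "redirect"]);

// A TXT value may arrive as several quoted strings; they are joined with no separator.
function joinTxt(data) {
  const parts = data.match(/"((?:[^"\\]|\\.)*)"/g);
  return parts ? parts.map((p) => p.slice(1, -1)).join("") : data;
}

function parseSpf(response) {
  const records = (response.Answer || [])
    .filter((rr) => rr.type === 16) // TXT only; skips CNAMEs in the answer chain
    .map((rr) => joinTxt(rr.data))
    .filter((txt) => /^v=spf1( |$)/i.test(txt)); // "v=spf10..." must not match
  if (records.length === 0) return { error: "no SPF record" };
  // More than one v=spf1 record is a permanent error for receivers (RFC 7208 section 4.5).
  if (records.length > 1) return { error: "multiple SPF records" };

  const terms = records[0].split(/ +/).slice(1).filter(Boolean);
  const result = { raw: records[0], mechanisms: [], policy: null, lookups: 0 };
  for (const term of terms) {
    const qualifier = "+-~?".includes(term[0]) ? term[0] : "+"; // default is "+"
    const body = "+-~?".includes(term[0]) ? term.slice(1) : term;
    const name = body.split(/[:=\/]/)[0].toLowerCase();
    if (LOOKUP_TERMS.has(name)) result.lookups += 1;
    if (name === "all") result.policy = POLICY[qualifier];
    else result.mechanisms.push(term); // modifiers such as redirect= land here too
  }
  return result;
}

// Live use in a browser: parseSpf(await (await fetch(url)).json()), with url built as
// https://dns.google/resolve?name=<your-domain>&type=TXT
```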

Privacy posture

Valid Email Checker does not log which domains you check. The request never touches our servers — it is a direct browser-to-Google call. If you are curious about the privacy footprint of any of our free tools, the DKIM checker and DMARC checker work the same way: pure client-side DoH queries against Google Public DNS.

Why Google Public DNS

Google Public DNS is free, anycast-routed, supported in every browser, requires no API key, and has no rate limiting that meaningfully bites a single-user tool. Cloudflare 1.1.1.1 would also work; we picked Google because it answers slightly faster from most regions.