Free SPF Syntax Validator

What this validates beyond a basic SPF check

If all you need is "does my domain have SPF and what does it say," use our SPF Record Checker — it does a quick TXT lookup and parses the mechanisms. If you're publishing a NEW SPF record, our SPF Record Generator builds one for you with the right `include:` for Google, Microsoft, Mailchimp, SendGrid, and others.

This tool — the validator — goes deeper. It recursively resolves every `include:` chain to count your DNS lookups against the RFC 7208 limit of 10, scores your record against 8 best-practice checks, suggests specific fixes when something's wrong, and offers one-click flattening to compress over-limit records into a single flat list of IPs.

The 10-DNS-lookup limit (and why it breaks email)

RFC 7208 §4.6.4 says receiving mail servers must NOT perform more than 10 DNS lookups while evaluating an SPF record. Each `include:`, `a`, `mx`, `exists`, `ptr`, and `redirect` mechanism counts as one. Hit 11 and the receiver returns a PermError — SPF is treated as if it doesn't exist for your domain.

This breaks more email than you'd think. A typical fast-growing company starts with one `include:_spf.google.com` (4 nested lookups), adds `include:spf.mandrillapp.com` for transactional mail (3 more), then `include:_spf.salesforce.com` for sales sequences (4 more). That's 11 — your SPF is now broken and you didn't change a thing. The provider made the change inside their own record.

How to read your SPF record

A typical SPF record looks like this:

v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:mailchimp.com -all

Decoded left to right:

• `v=spf1` — version header. Required. Receivers see this and know to parse the rest as SPF.
• `ip4:203.0.113.0/24` — authorizes the /24 block. Zero DNS lookups.
• `include:_spf.google.com` — delegates to Google's SPF record. Counts as 1 lookup at this level, plus whatever's nested inside Google's record.
• `include:mailchimp.com` — same idea, for Mailchimp.
• `-all` — terminal mechanism. The `-` means Fail: anyone NOT listed above gets rejected.

The four `all` qualifiers — and which to use

Practical path: start with `~all` for the first week to confirm legitimate senders aren't being flagged, then tighten to `-all`. Avoid `?all` — it gives receivers no actionable info. Never `+all`.

Why `+all` is dangerous

We've seen real attacks where a misconfigured SPF with `+all` let spammers send phishing email AS the company's domain to its own customers. Receivers checked SPF, saw `+all` (allow anyone), and delivered the spoofed email to the inbox.

`+all` defeats the entire point of SPF. If you ever see it on a domain you control, it almost certainly got pasted in by accident — change it to `-all` or `~all` immediately and check whether anyone exploited the window.

Why `ptr` is deprecated

RFC 7208 §5.5 explicitly recommends against the `ptr` mechanism. It triggers a reverse DNS lookup followed by a forward lookup — slow, easy to fool, and often blocked by network admins as DNS abuse.

Modern receivers (Gmail, Outlook, Yahoo) often skip `ptr` evaluation entirely or treat it as a void lookup. If your SPF uses it, replace it with explicit `ip4:` ranges (or an `include:` of your provider's SPF).

SPF flattening — when to use it, when to avoid it

Flattening means resolving every `include:` in your SPF down to its constituent `ip4:` / `ip6:` mechanisms. The output looks like a long flat list:

v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ... -all

Zero DNS lookups at evaluation time. RFC 7208's 10-lookup limit becomes irrelevant.

The trade-off

Your providers occasionally rotate IPs. Google adds a new /24 to `_spf.google.com`, Mailchimp adjusts its ranges, etc. A normal `include:` automatically picks up the new ranges. A flattened record doesn't — until you re-flatten and republish your DNS.

When to flatten: when you're over the 10-lookup limit and need an immediate fix. Set a calendar reminder to re-validate every 3 months — when providers update their IP lists, you'll catch the drift before delivery suffers.

When NOT to flatten: when you're under the limit. Includes are easier to maintain. Flatten only when forced to by the lookup count.

Multi-provider SPF — combining several senders in one record

A common shape we see: a B2B company sends marketing through Mailchimp, transactional through SendGrid, sales sequences through Outreach, and one-off emails directly from Google Workspace. The SPF needs to authorize all four. The right syntax:

v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com include:outreach.io -all

Order doesn't matter functionally — receivers evaluate left to right but accept the first match. Keep the most-active sender first as a tiny performance optimization (we're talking microseconds, but the convention is real).

Our SPF Record Generator handles the syntax of combining multiple providers if you'd rather build the record interactively than write it by hand.

SPF, DKIM, DMARC — how they fit together

SPF on its own isn't enough. The full deliverability stack is three records working together:

• SPF (this tool's focus) — says "these IPs / providers are authorized to send mail for my domain."
• DKIM — cryptographically signs each outgoing message so receivers can verify it wasn't tampered with. Check yours with our DKIM Record Checker.
• DMARC — tells receivers what to do when SPF or DKIM fails (reject, quarantine, or just monitor), and where to send compliance reports. Audit yours with our DMARC Record Checker.

All three need to be set up correctly for Gmail and Yahoo's bulk-sender requirements (2024+). Missing or broken SPF cascades into DMARC failures, which cascades into deliverability problems. Run this validator first, then check DKIM, then check DMARC.