Tools
SPF Checker
Check the SPF TXT record for a domain and identify common email authentication issues.
This checker looks up the domain's TXT records, finds the v=spf1 record and parses the common mechanisms — includes, IP ranges and the closing all qualifier — flagging issues worth a review.
Education Host runs your check for this request only. It is not stored in a database by this tool, although normal server and security logs may record requests like any other website.
What is SPF?
SPF (Sender Policy Framework) is a TXT record that lists which servers are allowed to send email for a domain. Receiving mail servers look it up to help decide whether a message genuinely comes from the domain in its envelope sender.
A domain publishes exactly one SPF record, starting with v=spf1, ending with an all mechanism that says how to treat everything not listed.
SPF in brief
- Published as a TXT record at the root of the domain
- Starts with v=spf1 — anything else is ignored
- Lists allowed senders via include, ip4/ip6, a and mx
- Ends with an all qualifier (-all, ~all, ?all) for everyone else
How SPF works with email authentication
When a message arrives, the receiving server checks the connecting server's IP against the SPF record of the domain in the envelope sender. The result — pass, fail, softfail or neutral — feeds into the receiver's filtering decision.
SPF on its own has known gaps: it breaks when mail is forwarded, and it does not protect the From address people actually see. That is why it is normally deployed alongside DKIM signing and a DMARC policy.
Common SPF mechanisms
The building blocks this checker parses, and what each one does.
The required version tag every SPF record starts with
Pulls in another domain's SPF record — usually your email provider's
Allows a specific IP address or range to send
Allows the domain's own A-record hosts or mail servers
Allows senders when a constructed domain name resolves
Hands the whole evaluation to another domain's record
Fail or softfail everything not listed — the usual endings
Neutral or allow-anyone endings — +all defeats the point of SPF
SPF is one third of email authentication
SPF says which servers may send, DKIM cryptographically signs messages, and DMARC ties both to the visible From address and tells receivers what to do when they fail.
Checking SPF is a good first step — but test it alongside DKIM and DMARC before drawing conclusions about a domain's email authentication. You can check the domain's DMARC policy with the Education Host DMARC checker.
Related tools
Part of a growing set of free Education Host checks.
IP Address Checker
See the public IP address your browser is using to reach this website.
Check your IP addressDNS Checker
Check DNS records for a domain, from A and MX to TXT, CAA and PTR.
Check DNS recordsBlacklist Checker
Check whether an IP address appears on common DNS-based email blacklists.
Check blacklist statusIP Lookup
Look up technical details for an IP address, including classification and reverse DNS.
Look up an IP addressDMARC Checker
Check whether a domain has a DMARC record and review the published policy.
Check a DMARC recordWhois Lookup
Look up public domain registration information where available.
Run a Whois lookupSPF checker — frequently asked questions
Answers to common questions about SPF records, mechanisms and email authentication.
- What is an SPF record?
- An SPF record is a TXT record that lists which servers are allowed to send email for a domain. Receiving mail servers check it to help decide whether a message genuinely comes from the domain it claims.
- How do I check an SPF record?
- Enter a domain in the checker above — it looks up the domain's TXT records and shows the v=spf1 record, its parsed mechanisms and any common issues worth reviewing.
- What does v=spf1 mean?
- v=spf1 is the version tag every SPF record must start with. TXT records that do not begin with it are ignored by receiving mail servers.
- What does include mean in SPF?
- include: pulls another domain's SPF record into yours — typically your email provider's, such as include:spf.protection.outlook.com. It lets the provider manage the list of sending servers for you.
- What does -all mean?
- -all is a hard fail: mail from servers not listed in the record should be rejected. It is the strictest way to end an SPF record.
- What does ~all mean?
- ~all is a soft fail: mail from unlisted servers should be treated with suspicion — typically junked rather than rejected. It is a common choice while a record is being tested.
- Can a domain have more than one SPF record?
- No. A domain must publish exactly one SPF record — receivers treat multiple v=spf1 records as a permanent error, which can cause legitimate mail to fail.
- Is SPF enough without DKIM and DMARC?
- No. SPF alone breaks on forwarding and does not protect the visible From address. It works best alongside DKIM signing and a DMARC policy, which you can check with the Education Host DMARC checker.
- Can Education Host help fix SPF records?
- Yes. Education Host supports DNS and email configuration for education organisations, and can help review and correct SPF, DKIM and DMARC records.
- Does Education Host store SPF checks?
- This tool runs your check for the current request and does not store it in a database. Normal server and security logs may record requests like any other website.
