Skip to content
Education Host

Tools

SPF Checker

Check the SPF TXT record for a domain and identify common email authentication issues.

This checker looks up the domain's TXT records, finds the v=spf1 record and parses the common mechanisms — includes, IP ranges and the closing all qualifier — flagging issues worth a review.

Education Host runs your check for this request only. It is not stored in a database by this tool, although normal server and security logs may record requests like any other website.

The basics

What is SPF?

SPF (Sender Policy Framework) is a TXT record that lists which servers are allowed to send email for a domain. Receiving mail servers look it up to help decide whether a message genuinely comes from the domain in its envelope sender.

A domain publishes exactly one SPF record, starting with v=spf1, ending with an all mechanism that says how to treat everything not listed.

SPF in brief

  • Published as a TXT record at the root of the domain
  • Starts with v=spf1 — anything else is ignored
  • Lists allowed senders via include, ip4/ip6, a and mx
  • Ends with an all qualifier (-all, ~all, ?all) for everyone else
How it fits

How SPF works with email authentication

When a message arrives, the receiving server checks the connecting server's IP against the SPF record of the domain in the envelope sender. The result — pass, fail, softfail or neutral — feeds into the receiver's filtering decision.

SPF on its own has known gaps: it breaks when mail is forwarded, and it does not protect the From address people actually see. That is why it is normally deployed alongside DKIM signing and a DMARC policy.

Mechanisms

Common SPF mechanisms

The building blocks this checker parses, and what each one does.

v=spf1

The required version tag every SPF record starts with

include:

Pulls in another domain's SPF record — usually your email provider's

ip4: / ip6:

Allows a specific IP address or range to send

a / mx

Allows the domain's own A-record hosts or mail servers

exists:

Allows senders when a constructed domain name resolves

redirect=

Hands the whole evaluation to another domain's record

-all / ~all

Fail or softfail everything not listed — the usual endings

?all / +all

Neutral or allow-anyone endings — +all defeats the point of SPF

SPF, DKIM & DMARC

SPF is one third of email authentication

SPF says which servers may send, DKIM cryptographically signs messages, and DMARC ties both to the visible From address and tells receivers what to do when they fail.

Checking SPF is a good first step — but test it alongside DKIM and DMARC before drawing conclusions about a domain's email authentication. You can check the domain's DMARC policy with the Education Host DMARC checker.

SPF checker — frequently asked questions

Answers to common questions about SPF records, mechanisms and email authentication.

What is an SPF record?
An SPF record is a TXT record that lists which servers are allowed to send email for a domain. Receiving mail servers check it to help decide whether a message genuinely comes from the domain it claims.
How do I check an SPF record?
Enter a domain in the checker above — it looks up the domain's TXT records and shows the v=spf1 record, its parsed mechanisms and any common issues worth reviewing.
What does v=spf1 mean?
v=spf1 is the version tag every SPF record must start with. TXT records that do not begin with it are ignored by receiving mail servers.
What does include mean in SPF?
include: pulls another domain's SPF record into yours — typically your email provider's, such as include:spf.protection.outlook.com. It lets the provider manage the list of sending servers for you.
What does -all mean?
-all is a hard fail: mail from servers not listed in the record should be rejected. It is the strictest way to end an SPF record.
What does ~all mean?
~all is a soft fail: mail from unlisted servers should be treated with suspicion — typically junked rather than rejected. It is a common choice while a record is being tested.
Can a domain have more than one SPF record?
No. A domain must publish exactly one SPF record — receivers treat multiple v=spf1 records as a permanent error, which can cause legitimate mail to fail.
Is SPF enough without DKIM and DMARC?
No. SPF alone breaks on forwarding and does not protect the visible From address. It works best alongside DKIM signing and a DMARC policy, which you can check with the Education Host DMARC checker.
Can Education Host help fix SPF records?
Yes. Education Host supports DNS and email configuration for education organisations, and can help review and correct SPF, DKIM and DMARC records.
Does Education Host store SPF checks?
This tool runs your check for the current request and does not store it in a database. Normal server and security logs may record requests like any other website.