SPF record inspector

How to make the most of the SPF record inspector

Start with the domain you want to test, and pick a specific resolver or DoH endpoint if you need to reproduce a particular resolution path. The tool queries TXT records, highlights SPF policies and exposes lookup warnings before they turn into hard failures.

Prepare the domain

Enter the exact domain used in the envelope sender or HELO/EHLO greeting. The inspector fetches all TXT answers and keeps only those starting with v=spf1.

Validate changes quickly

Run the check after every modification: a new include, new ip4/ip6 ranges or a redirect. Compare resolvers to confirm that caching layers and public services return the same TXT payload.

Decode diagnostics instantly

Warnings reveal lookup limits, duplicate mechanisms or weak endings such as +all. Error badges point to missing SPF records, CNAME chains or DNS failures.

Why inspect an SPF record?

Sender Policy Framework determines which servers can send mail for your domain. Monitoring the published record is essential when providers add new ranges or when multiple teams update the policy simultaneously. The inspector queries DNS live, decodes each mechanism and flags misconfigurations before recipients reject messages.

When should you launch an inspection?

  • Provider onboarding: confirm their include chain resolves correctly and does not exceed lookup limits.
  • Incident response: understand why a receiving server reports SPF fail or permerror for a campaign.
  • Change control: document every adjustment to the TXT record and ensure the expected mechanism order is preserved.

What happens during the analysis?

The tool requests TXT responses, filters SPF entries and expands includes when possible. It counts DNS lookups, examines mechanisms (ip4, ip6, a, mx, exists, ptr) and modifiers (redirect=, exp=). Each child record gets its own report so you can track where a lookup failed or where the budget of 10 queries is spent.

Diagnostics returned by the API

  • Resolution issues — non-NOERROR RCODEs, missing TXT answers or TXT without v=spf1 raise lookup_bad_rcode, lookup_no_txt or lookup_no_spf. Multiple SPF strings or a CNAME in the path are flagged separately.
  • Syntax validation — empty records, unknown or duplicated mechanisms/modifiers, invalid tag syntax, missing operand values and deprecated exp modifiers surface explicit codes so you know which term to fix.
  • Lookup pressure — the checker reports total DNS queries, loops and void responses. lookup_limit_exceeded, lookup_hard_limit_exceeded, void_lookup_limit_exceeded and lookup_cycle highlight the exact cause of a future permerror.
  • Quality warnings — permissive endings (+all), neutral qualifiers and heavy use of include generate warnings without blocking publication, helping you plan hardening.
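
A static, worst-case version of the lookup count described above, as an added example that is not the inspector's own code. The zone data and every domain name are constructed, and reusing the page's diagnostic names (lookup_no_txt, lookup_no_spf, lookup_cycle, lookup_limit_exceeded) as labels is an assumption about when the API raises them.

```python
import re

# Constructed TXT data standing in for live DNS answers; every name is a placeholder.
ZONE = {
    "example.com": ["v=spf1 mx a:mail.example.com include:_spf.esp.example "
                    "include:crm.example -all"],
    "_spf.esp.example": ["v=spf1 include:eu.esp.example include:us.esp.example "
                         "exists:%{i}.rbl.esp.example ~all"],
    "eu.esp.example": ["v=spf1 a mx ip4:192.0.2.0/24 -all"],
    "us.esp.example": ["v=spf1 a mx include:_spf.esp.example -all"],  # loops back
    "crm.example": ["site-verification=constructed"],  # TXT present, no SPF
}
# Terms that cost one DNS lookup each (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10
TERM = re.compile(r"[+\-~?]?([a-z][a-z0-9._-]*)[:=]?([^/]*)")

def analyse(domain, zone=ZONE):
    """Return total lookups, lookups spent per record, and (code, domain) findings."""
    report = {"total": 0, "spent": {}, "codes": []}
    _walk(domain, zone, report, ())
    if report["total"] > LIMIT:
        report["codes"].append(("lookup_limit_exceeded", domain))
    return report

def _walk(domain, zone, report, path):
    if domain in path:  # this record is already being evaluated higher in the chain
        report["codes"].append(("lookup_cycle", domain))
        return
    txts = zone.get(domain)
    if not txts:
        report["codes"].append(("lookup_no_txt", domain))
        return
    spf = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        report["codes"].append(("lookup_no_spf", domain))
        return
    report["spent"].setdefault(domain, 0)
    for term in spf[0].split()[1:]:  # first SPF string only; duplicates not modelled
        m = TERM.match(term.lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        name, target = m.groups()
        report["total"] += 1
        report["spent"][domain] += 1
        # Macro targets (%{...}) need a real message to expand, so they are not followed.
        if name in ("include", "redirect") and target and "%" not in target:
            _walk(target, zone, report, path + (domain,))
```

In this constructed chain the top-level record spends only 4 lookups itself, yet analyse("example.com") reaches 12 because of the nested provider includes, which is why the per-record breakdown matters.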

Using the form

  1. Type the domain exactly as published in DNS.
  2. Submit the request to gather all TXT answers.
  3. Review the raw SPF policies first, then open the detailed analysis cards to inspect mechanisms and warnings.

Go further

Combine the inspector with the SPF syntax validator to test drafts before publication. Once the record is live, monitor DMARC aggregate reports to catch regressions, and schedule periodic lookups to detect upstream changes from third-party senders.