Why inspect a published SPF record?
The SPF (Sender Policy Framework) record published in your DNS defines which servers may send email for your domain. Once published, however, its effective meaning can change without your knowledge: a provider modifies the records behind its include, the lookup limit is reached, or DNS propagation is incomplete.
Three main use cases:
- After publishing -> Verify that DNS returns your SPF and includes resolve correctly
- Deliverability diagnosis -> Identify why recipients see SPF fail or permerror
- Periodic audit -> Detect drift (increasing lookups, deprecated includes)
SPF Inspector vs Syntax Validator
| Criteria | Syntax Validator | SPF Inspector |
|---|---|---|
| When to use | BEFORE publishing | AFTER publishing |
| Data source | Manually pasted text | Live DNS |
| Include resolution | No (syntax only) | Yes (fully recursive) |
| Lookup counting | Estimated | Real (with resolution) |
| DNS error detection | No | Yes (NXDOMAIN, timeout, CNAME) |
Recommended workflow:
- Write your SPF
- Validate syntax with the SPF Validator
- Publish to your DNS
- Inspect with this tool to confirm propagation and real lookup count
What exactly does the inspector analyze?
Live DNS resolution
The inspector queries DNS to retrieve:
- All TXT records for the domain
- Filtering of records starting with v=spf1
- Detection of anomalies (multiple SPF, CNAME in path)
Recursive include expansion
For each include: mechanism encountered, the tool:
- Resolves the target domain
- Retrieves its SPF record
- Counts the lookup against the budget of 10
- Repeats recursively until final mechanisms
Example resolution tree:
captaindns.com
├── include:_spf.google.com (1 lookup)
│   ├── include:_netblocks.google.com (2 lookups)
│   ├── include:_netblocks2.google.com (3 lookups)
│   └── include:_netblocks3.google.com (4 lookups)
└── include:servers.mcsv.net (5 lookups)
    └── ip4:205.201.128.0/20 (no lookup)
Returned diagnostics
| Code | Description | Severity |
|---|---|---|
| lookup_no_spf | No SPF record found | Error |
| lookup_bad_rcode | DNS error (NXDOMAIN, SERVFAIL) | Error |
| lookup_multiple_spf | Multiple SPF records | Error |
| lookup_limit_exceeded | More than 10 DNS lookups | Error |
| lookup_cycle | Reference loop detected | Error |
| void_lookup_limit_exceeded | More than 2 void responses | Error |
| permissive_all | Policy +all (allows everyone) | Warning |
| softfail_all | Policy ~all without hardening | Warning |
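To make the counting rules concrete, here is an added example that implements the recursive include expansion described above and emits the diagnostic codes from the table; it is not the inspector's own code. The DNS layer is an injected lookup function, so the block runs offline against constructed zone data under hypothetical .test names; with a real resolver you would pass a function that returns the TXT strings for a name, or None on NXDOMAIN. The same walk also reproduces the permerror causes listed in the FAQ below (over 10 lookups, a reference loop, more than 2 void responses, multiple records).

```python
"""Recursive SPF include resolver with RFC 7208 lookup accounting (added example)."""
from dataclasses import dataclass, field

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 lookup-causing terms
VOID_LIMIT = 2     # RFC 7208 section 4.6.4: at most 2 void (NXDOMAIN/NODATA) lookups
# Terms that cost a DNS lookup: the five mechanisms the page lists plus redirect=.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed zone data standing in for live DNS (hypothetical .test names);
# FAKE_ZONES.get returns None for unknown names, which the walker treats as NXDOMAIN.
FAKE_ZONES: dict[str, list[str]] = {
    "example.test": ["v=spf1 include:_spf.mail.test include:bulk.test ~all"],
    "_spf.mail.test": ["v=spf1 include:_nb1.mail.test include:_nb2.mail.test -all"],
    "_nb1.mail.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_nb2.mail.test": ["v=spf1 ip6:2001:db8::/32 -all"],
    "bulk.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "loop-a.test": ["v=spf1 include:loop-b.test -all"],
    "loop-b.test": ["v=spf1 include:loop-a.test -all"],
    "twice.test": ["v=spf1 -all", "v=spf1 ip4:203.0.113.0/24 -all"],
    "open.test": ["v=spf1 +all"],
    "many.test": ["v=spf1 " + "include:_nb1.mail.test " * 11 + "-all"],
    "voids.test": ["v=spf1 include:gone1.test include:gone2.test include:gone3.test -all"],
}


@dataclass
class Report:
    domain: str
    lookups: int = 0
    void_lookups: int = 0
    tree: list[str] = field(default_factory=list)  # one line per term, indented by depth
    diagnostics: list[tuple[str, str, str]] = field(default_factory=list)  # (code, detail, severity)

    def codes(self) -> list[str]:
        return [code for code, _, _ in self.diagnostics]

    def has_errors(self) -> bool:
        return any(sev == "Error" for _, _, sev in self.diagnostics)

    def render(self) -> str:
        header = f"{self.domain}: {self.lookups} lookups (limit: {LOOKUP_LIMIT})"
        return "\n".join([header, *self.tree])


def spf_records(txts: list[str]) -> list[str]:
    """Keep only TXT strings that are SPF records (version tag is case-insensitive)."""
    return [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]


def inspect_spf(domain: str, lookup_txt=FAKE_ZONES.get) -> Report:
    """Resolve the domain's SPF recursively; lookup_txt(name) returns TXT strings or None."""
    report = Report(domain)
    _expand(domain, 0, (), report, lookup_txt)
    if report.lookups > LOOKUP_LIMIT:
        report.diagnostics.append(("lookup_limit_exceeded", f"{report.lookups} DNS lookups", "Error"))
    if report.void_lookups > VOID_LIMIT:
        report.diagnostics.append(("void_lookup_limit_exceeded", f"{report.void_lookups} void lookups", "Error"))
    return report


def _expand(domain, depth, path, report, lookup_txt):
    """Fetch one domain's SPF, walk its terms, recurse into include:/redirect= targets."""
    txts = lookup_txt(domain)
    if txts is None:  # NXDOMAIN: a DNS error that also counts as a void lookup
        report.void_lookups += 1
        report.diagnostics.append(("lookup_bad_rcode", f"{domain}: NXDOMAIN", "Error"))
        return
    records = spf_records(txts)
    if not records:  # domain exists but publishes no v=spf1: also void
        report.void_lookups += 1
        report.diagnostics.append(("lookup_no_spf", f"{domain}: no SPF record", "Error"))
        return
    if len(records) > 1:  # RFC 7208 section 3.2: more than one record is a permerror
        report.diagnostics.append(("lookup_multiple_spf", f"{domain}: {len(records)} records", "Error"))
        return
    for term in records[0].split()[1:]:  # skip the v=spf1 version tag
        qualifier, body = ("+", term)
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name, _, arg = body.partition("=" if "=" in body.split(":")[0] else ":")
        name = name.split("/")[0].lower()  # drop a CIDR suffix such as a/24
        if name == "all":
            if qualifier == "+":
                report.diagnostics.append(("permissive_all", f"{domain}: +all", "Warning"))
            elif qualifier == "~" and depth == 0:  # only the root record's all decides
                report.diagnostics.append(("softfail_all", f"{domain}: ~all", "Warning"))
            continue
        if name not in LOOKUP_TERMS:
            report.tree.append(f"{'    ' * depth}{term} (no lookup)")
            continue
        report.lookups += 1
        report.tree.append(f"{'    ' * depth}{term} ({report.lookups} lookups)")
        if name in ("include", "redirect"):
            target = arg or domain
            if target == domain or target in path:
                report.diagnostics.append(("lookup_cycle", f"{domain} -> {target}", "Error"))
            elif report.lookups <= LOOKUP_LIMIT:  # stop expanding once over budget
                _expand(target, depth + 1, path + (domain,), report, lookup_txt)
```

`inspect_spf("example.test").render()` returns a tree in the format of the examples above, with the running lookup count beside each include. The root record's own TXT fetch is not charged against the budget, only the lookup-causing terms are, and `lookup_limit_exceeded` and `void_lookup_limit_exceeded` are decided after the whole tree has been walked, which is why a report can read 11 lookups against a limit of 10 rather than stopping at the first overrun.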
Concrete use cases
Case 1: Post-publication verification
Situation: You just published a new SPF for captaindns.com.
Action: Run the inspection to verify:
- ✅ The record is visible in DNS
- ✅ All includes resolve correctly
- ✅ Total lookups stay under 10
Case 2: SPF failure diagnosis
Symptom: Recipients see SPF fail on your emails.
Diagnosis: The inspector reveals:
- The sending server (IP 203.0.113.50) isn't in the SPF
- The provider's include changed without notification
Action: Add the IP or update the include.
Case 3: Mysterious permerror
Symptom: Intermittent SPF permerror on some recipients.
Diagnosis: The inspector counts 11 lookups:
captaindns.com: 11 lookups (limit: 10)
├── include:_spf.google.com (4 lookups)
├── include:spf.protection.outlook.com (3 lookups)
├── include:amazonses.com (2 lookups)
└── include:sendgrid.net (2 lookups)
Action: Replace some includes with direct ip4/ip6, use a dedicated subdomain, or flatten your SPF with the SPF Flattener.
Case 4: Periodic security audit
Situation: Quarterly email configuration audit.
Verification:
- SPF uses -all (hard fail), not ~all (soft fail)
- No includes to abandoned domains
- IP ranges match active servers
- Lookup counter has safety margin (≤8 recommended)
FAQ - Frequently asked questions
Q: What's the difference between the SPF inspector and the syntax validator?
A: The syntax validator checks an SPF record BEFORE publishing (offline, pasted text). The inspector analyzes an ALREADY PUBLISHED SPF by querying DNS live and recursively resolving all includes.
Q: How many DNS lookups are allowed for SPF?
A: RFC 7208 limits SPF evaluation to 10 DNS lookups. Each include, a, mx, ptr, and exists counts. The inspector displays the real total after recursive resolution.
Q: Why does my SPF show "permerror"?
A: A permerror occurs when:
- More than 10 DNS lookups
- Reference loop (A includes B which includes A)
- Invalid syntax
- More than 2 void DNS responses
The inspector identifies the exact cause.
Q: How does the tool resolve includes?
A: The inspector follows each include: mechanism recursively: it retrieves the target domain's SPF, counts the lookup, and repeats until it reaches final mechanisms (ip4, ip6) or the limit.
Q: Can I test with different DNS resolvers?
A: Yes. Choose Google (8.8.8.8), Cloudflare (1.1.1.1), or a custom resolver to verify propagation and confirm all servers see the same policy.
Q: What if the inspector doesn't find an SPF?
A: Check in your DNS interface that:
- A TXT record exists
- It starts with v=spf1
- There's only one SPF (multiple = permerror)
- DNS propagation is complete (can take up to 48h)
Q: Does the inspector also validate syntax?
A: Yes, the inspector validates the syntax of each SPF encountered. But to test a draft BEFORE publishing, use the SPF Syntax Validator.
Complementary tools
| Tool | Purpose |
|---|---|
| SPF Generator | Create an SPF record with pre-configured providers |
| SPF Flattener | Flatten your SPF to stay under the 10 DNS lookup limit |
| SPF Syntax Validator | Test syntax BEFORE publishing |
| DKIM Inspector | Validate your DKIM signature |
| DMARC Inspector | Configure and test your DMARC policy |
| Email Header Analyzer | Diagnose SPF/DKIM/DMARC on a received email |
Useful resources
- RFC 7208 - Sender Policy Framework (official SPF specification)
- Google - Set up SPF (Google Workspace guide)
- Microsoft - SPF for Microsoft 365 (Outlook/M365 guide)