SPF Checker

SPF check, DNS lookup & IP authorization test - fix SPF failures fast

Why is your SPF failing? Enter your domain for a complete SPF check with DNS lookup, include expansion, and IP authorization verification.

Live DNS lookup

The checker queries DNS in real-time to retrieve your SPF as recipients actually see it.

Recursive expansion

Each include is resolved recursively. Visualize the complete tree of your SPF policy down to the final mechanisms.

Lookup counting

The counter displays the exact number of DNS lookups. The RFC limit is 10 - exceed it and your emails fail.

Error detection

Identify DNS issues (NXDOMAIN, timeout), reference loops, and invalid syntax before they impact deliverability.

IP authorization check

Enter an IP address to check if it's authorized by the published SPF record. Instant result: pass, fail, softfail, or neutral - with the matching mechanism and domain.

Why inspect a published SPF record?

The SPF (Sender Policy Framework) record published in your DNS defines which servers can send emails for your domain. But once published, it can change without your knowledge: providers modifying their includes, lookup limits reached, incomplete DNS propagation.

Three main use cases:

  • After publishing -> Verify that DNS returns your SPF and includes resolve correctly
  • Deliverability diagnosis -> Identify why recipients see SPF fail or permerror
  • Periodic audit -> Detect drift (increasing lookups, deprecated includes)

SPF Inspector vs Syntax Validator

| Criteria | Syntax Validator | SPF Inspector |
| --- | --- | --- |
| When to use | BEFORE publishing | AFTER publishing |
| Data source | Manually pasted text | Live DNS |
| Include resolution | No (syntax only) | Yes (fully recursive) |
| Lookup counting | Estimated | Real (with resolution) |
| DNS error detection | No | Yes (NXDOMAIN, timeout, CNAME) |
| IP test | No | Yes (pass/fail/softfail/neutral) |

Recommended workflow:

  1. Write your SPF
  2. Validate syntax with the SPF Validator
  3. Publish to your DNS
  4. Inspect with this tool to confirm propagation and real lookup count

What exactly does the inspector analyze?

Live DNS resolution

The inspector queries DNS and:

  • Retrieves all TXT records for the domain
  • Keeps only the records starting with v=spf1
  • Detects anomalies (multiple SPF, CNAME in path)

Recursive include expansion

For each include: mechanism it encounters, the tool:

  1. Resolves the target domain
  2. Retrieves its SPF record
  3. Counts the lookup against the budget of 10
  4. Repeats recursively until final mechanisms

Example resolution tree:

captaindns.com
├── include:_spf.google.com (1 lookup)
│   ├── include:_netblocks.google.com (2 lookups)
│   ├── include:_netblocks2.google.com (3 lookups)
│   └── include:_netblocks3.google.com (4 lookups)
└── include:servers.mcsv.net (5 lookups)
    └── ip4:205.201.128.0/20 (no lookup)

Returned diagnostics

| Code | Description | Severity |
| --- | --- | --- |
| lookup_no_spf | No SPF record found | Error |
| lookup_bad_rcode | DNS error (NXDOMAIN, SERVFAIL) | Error |
| lookup_multiple_spf | Multiple SPF records | Error |
| lookup_limit_exceeded | More than 10 DNS lookups | Error |
| lookup_cycle | Reference loop detected | Error |
| void_lookup_limit_exceeded | More than 2 void responses | Error |
| permissive_all | Policy +all (allows everyone) | Warning |
| softfail_all | Policy ~all without hardening | Warning |

Concrete use cases

Case 1: Post-publication verification

Situation: You just published a new SPF for captaindns.com.

Action: Run the inspection to verify:

  • ✅ The record is visible in DNS
  • ✅ All includes resolve correctly
  • ✅ Total lookups stay under 10

Case 2: SPF failure diagnosis

Symptom: Recipients see SPF fail on your emails.

Diagnosis: The inspector reveals:

  • The sending server (IP 203.0.113.50) isn't in the SPF
  • The provider's include changed without notification

Action: Add the IP or update the include.


Case 3: Mysterious permerror

Symptom: Intermittent SPF permerror on some recipients.

Diagnosis: The inspector counts 11 lookups:

captaindns.com: 11 lookups (limit: 10)
├── include:_spf.google.com (4 lookups)
├── include:spf.protection.outlook.com (3 lookups)
├── include:amazonses.com (2 lookups)
└── include:sendgrid.net (2 lookups)

Action: Replace some includes with direct ip4/ip6, use a dedicated subdomain, or flatten your SPF with the SPF Flattener.


Case 4: Periodic security audit

Situation: Quarterly email configuration audit.

Verification:

  • SPF uses -all (hard fail) not ~all (soft fail)
  • No includes to abandoned domains
  • IP ranges match active servers
  • Lookup counter has safety margin (≤8 recommended)

Case 5: Verify sender IP authorization

Situation: You receive DMARC reports (via DMARC Monitoring) showing SPF failures from a specific IP.

Action: Enter the domain and IP in the inspector.

Diagnosis: The tool reveals:

  • IP 203.0.113.50 isn't covered by any mechanism
  • The include:_spf.google.com mechanism doesn't contain this IP
  • The -all directive rejects the IP

Fix: Add ip4:203.0.113.50 to your SPF or verify the service uses IPs covered by an existing include.


Test an IP against the published SPF

The IP authorization test lets you verify in a single query whether an IP address would be authorized to send emails for a domain. The tool queries DNS live, resolves the complete SPF (includes, redirects), then evaluates each mechanism against the provided IP.

Possible results:

| Result | Meaning | Action |
| --- | --- | --- |
| Pass | The IP is explicitly authorized | Nothing to do |
| Fail | The IP is explicitly rejected by -all | Add the IP or check the include |
| Softfail | The IP is not authorized but ~all doesn't reject | Switch to -all or add the IP |
| Neutral | No mechanism matches | Add the IP if it should be authorized |
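
The recursive include expansion and the IP authorization test described above can be reproduced offline. The following is an added example, not the inspector's own code: the zone contents and the .test domain names are constructed, the error labels reuse the diagnostic codes listed on this page, and only include, ip4, ip6 and all are handled. The lookup count it returns is what a receiver spends evaluating that one IP (evaluation stops at the first match), not the full-tree total the inspector displays.

```python
import ipaddress

# Constructed zone data standing in for live DNS: domain -> TXT strings.
ZONE = {
    "example.test": ["v=spf1 include:_spf.mail.test include:bulk.test -all"],
    "_spf.mail.test": ["v=spf1 include:_nb1.mail.test include:_nb2.mail.test ~all"],
    "_nb1.mail.test": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_nb2.mail.test": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "bulk.test": ["v=spf1 ip4:205.201.128.0/20 -all"],
    "loop-a.test": ["v=spf1 include:loop-b.test -all"],
    "loop-b.test": ["v=spf1 include:loop-a.test -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # RFC 7208 budget for lookup-triggering terms

class PermError(Exception):
    """Permanent error; the message is one of the page's diagnostic codes."""

def check_host(ip, domain, state=None, path=()):
    """Return (result, matching top-level term, lookups spent) for ip."""
    state = state if state is not None else {"lookups": 0}
    if domain in path:  # A includes B which includes A
        raise PermError("lookup_cycle")
    spf = [t for t in ZONE.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        raise PermError("lookup_multiple_spf" if spf else "lookup_no_spf")
    for term in spf[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qual], term, state["lookups"]
        if name in ("ip4", "ip6"):  # no DNS lookup needed
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            state["lookups"] += 1  # counted before resolving the target
            if state["lookups"] > LOOKUP_LIMIT:
                raise PermError("lookup_limit_exceeded")
            # include matches only when the nested evaluation returns pass
            hit = check_host(ip, arg, state, path + (domain,))[0] == "pass"
        else:  # a, mx, ptr, exists, redirect left out of this example
            raise PermError(f"unsupported term: {term}")
        if hit:
            return QUALIFIERS[qual], term, state["lookups"]
    return "neutral", None, state["lookups"]
```

A softfail or fail inside an included record does not propagate upward: the include simply does not match, and evaluation continues with the next term of the parent record.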

Typical use cases:

  • Diagnosing SPF failures from DMARC reports
  • Post-migration mail server verification
  • Validating IP coverage for a new sending provider
  • Security audit: identifying uncovered IPs

FAQ - Frequently asked questions

Q: What's the difference between the SPF inspector and the syntax validator?

A: The syntax validator checks an SPF record BEFORE publishing (offline, pasted text). The inspector analyzes an ALREADY PUBLISHED SPF by querying DNS live and recursively resolving all includes.


Q: How many DNS lookups are allowed for SPF?

A: RFC 7208 limits SPF evaluation to 10 DNS lookups. Each include, a, mx, ptr, and exists counts. The inspector displays the real total after recursive resolution.


Q: Why does my SPF show "permerror"?

A: A permerror occurs when:

  1. More than 10 DNS lookups
  2. Reference loop (A includes B which includes A)
  3. Invalid syntax
  4. More than 2 void DNS responses

The inspector identifies the exact cause.


Q: How does the tool resolve includes?

A: The inspector follows each include: mechanism recursively. It retrieves the target domain's SPF, counts the lookup, and repeats until it reaches final mechanisms (ip4, ip6) or the limit.


Q: Can I test with different DNS resolvers?

A: Yes. Choose Google (8.8.8.8), Cloudflare (1.1.1.1), or a custom resolver to verify propagation and confirm all servers see the same policy.


Q: What if the inspector doesn't find an SPF?

A: Check in your DNS interface that:

  1. A TXT record exists
  2. It starts with v=spf1
  3. There's only one SPF (multiple = permerror)
  4. DNS propagation is complete (can take up to 48h)

Q: Does the inspector also validate syntax?

A: Yes, the inspector validates the syntax of each SPF encountered. But to test a draft BEFORE publishing, use the SPF Syntax Validator.


Complementary tools

| Tool | Purpose |
| --- | --- |
| SPF Generator | Create an SPF record with pre-configured providers |
| SPF Flattener | Flatten your SPF to stay under the 10 DNS lookup limit |
| SPF Syntax Validator | Test syntax BEFORE publishing |
| DKIM Inspector | Validate your DKIM signature |
| DMARC Inspector | Configure and test your DMARC policy |
| DMARC Monitoring | Collect and visualize DMARC aggregate reports for your domains |
| Email Header Analyzer | Diagnose SPF/DKIM/DMARC on a received email |

Useful resources