SPF Validator

Validate SPF syntax before publishing - fix errors in seconds

How do you fix SPF syntax errors? Paste your SPF record below to validate syntax, detect invalid mechanisms, and get actionable fix recommendations.

Complete syntax analysis

Verification of v=spf1 structure, mechanisms (ip4, mx, include) and modifiers (redirect, exp). Each term is validated individually.

Critical error detection

Identify unknown terms, missing values, duplicates and stray characters that would break your policy.

DNS lookup counter

Visualize the number of DNS lookups (include, mx, a, ptr, exists). Maximum 10 allowed per RFC 7208.

Security warnings

Flag weak qualifiers (?all, +all) and permissive policies that weaken your anti-spoofing protection.

Actionable recommendations

Get precise advice for each error: correct syntax, recommended alternatives, RFC best practices.

Why validate SPF syntax before publishing?

A malformed SPF (Sender Policy Framework) record can have immediate consequences: rejected emails, disabled authentication, or worse, a false sense of security. Syntax validation catches these problems before they impact your deliverability.

Three main use cases:

  • New SPF -> Validate structure before first publication
  • SPF modification -> Verify that changes don't introduce errors
  • Deliverability diagnosis -> Confirm that syntax isn't causing rejections

How to use the validator in 3 steps

Step 1: Copy the SPF record

Retrieve your record from:

  • Your DNS interface (GoDaddy, Cloudflare, Route 53, etc.)
  • A DNS lookup tool
  • Directly from your text editor if you're writing it

Expected format:

v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all

Step 2: Paste into the validator

Paste the complete record into the form above. The tool automatically analyzes:

  • ✅ Base structure (v=spf1)
  • ✅ Mechanisms (ip4, ip6, mx, a, include, exists, ptr)
  • ✅ Modifiers (redirect, exp)
  • ✅ Qualifiers (+, -, ~, ?)
  • ✅ Final directive (all)

Step 3: Fix and publish

The report displays:

  • Errors (red): Blocking issues to fix
  • Warnings (orange): Security risks or best practices
  • Information (blue): Details about the analyzed structure

Fix the errors, then publish to your DNS.


What is SPF syntax?

An SPF record is a character string published in a DNS TXT record. Its syntax follows a precise structure defined by RFC 7208:

v=spf1 [qualifier]mechanism [modifier] ... final_directive

Components:

| Element | Examples | Role |
|---|---|---|
| Version | v=spf1 | Required, always first |
| Qualifier | +, -, ~, ? | Determines action (pass, fail, softfail, neutral) |
| Mechanism | ip4:, mx, include:, a: | Defines authorized senders |
| Modifier | redirect=, exp= | Additional options |
| Final directive | -all, ~all, ?all | Default action for non-matches |

What exactly does the validator analyze?

Syntax errors

| Error code | Description | Impact |
|---|---|---|
| missing_version | Missing v=spf1 | SPF ignored (permerror) |
| unknown_mechanism | Unrecognized mechanism | Invalid SPF |
| mechanism_missing_value | include: without domain | Invalid SPF |
| mechanism_invalid_value | Malformed IP or CIDR | Invalid SPF |
| duplicate_modifier | Two redirect= | Invalid SPF |
| multiple_all | Multiple all directives | Invalid SPF |

Security warnings

| Code | Description | Risk |
|---|---|---|
| weak_qualifier | ?all (neutral) | No protection |
| permissive_all | +all | Authorizes everyone |
| softfail_all | ~all without transition to -all | Partial protection |

DNS limits

| Code | Description | RFC limit |
|---|---|---|
| lookup_limit_exceeded | More than 10 DNS lookups | 10 max |
| void_lookup_limit_exceeded | Too many void responses | 2 max |
| lookup_cycle | Reference loop | Forbidden |
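
The syntax and security checks listed above can be reproduced offline. This is an added example, not the validator's own code: validate_spf is a hypothetical function that reuses the page's error and warning codes, counts only the lookup terms written in the record itself (including redirect, which RFC 7208 section 4.6.4 also counts), and sends no DNS queries.

```python
import ipaddress
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
NEEDS_VALUE = {"include", "exists", "ip4", "ip6"}
# Terms that cost one DNS lookup each; RFC 7208 section 4.6.4 also counts redirect.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?::(.*?))?(/.*)?")
ALL_WARNINGS = {"+": "permissive_all", "?": "weak_qualifier", "~": "softfail_all"}

def validate_spf(record):
    """Check one SPF string offline; returns (errors, warnings, top_level_lookups)."""
    errors, warnings, seen_modifiers = [], [], set()
    lookups = all_count = 0
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["missing_version"], warnings, 0
    for term in terms[1:]:
        name, eq, _ = term.partition("=")
        if eq and name.isalnum():            # modifier: name=value
            if name in ("redirect", "exp"):  # each may appear at most once
                if name in seen_modifiers:
                    errors.append("duplicate_modifier")
                seen_modifiers.add(name)
            lookups += name in LOOKUP_TERMS
            continue
        match = TERM.fullmatch(term)
        if not match or match[2] not in MECHANISMS:
            errors.append("unknown_mechanism")   # also catches stray characters
            continue
        qualifier, mech, value, cidr = match.groups()
        if value == "" or (value is None and mech in NEEDS_VALUE):
            errors.append("mechanism_missing_value")
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value + (cidr or ""), strict=False)
                if net.version != int(mech[2]):  # ip4 must hold IPv4, ip6 IPv6
                    raise ValueError(mech)
            except ValueError:
                errors.append("mechanism_invalid_value")
        elif mech == "all":
            all_count += 1
            if (qualifier or "+") in ALL_WARNINGS:   # a bare "all" means "+all"
                warnings.append(ALL_WARNINGS[qualifier or "+"])
        lookups += mech in LOOKUP_TERMS
    if all_count > 1:
        errors.append("multiple_all")
    if lookups > 10:
        errors.append("lookup_limit_exceeded")
    return errors, warnings, lookups
```
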

Concrete use cases

Case 1: New domain, first SPF

Situation: You're setting up email for captaindns.com with Google Workspace.

Action: Validate before publishing:

v=spf1 include:_spf.google.com -all

Expected result:

  • ✅ Valid syntax
  • ✅ 1 DNS lookup (under the limit of 10)
  • ✅ Strict final directive (-all)

Case 2: Adding a new marketing service

Situation: You're adding Mailchimp to your existing SPF.

Current SPF:

v=spf1 include:_spf.google.com -all

Modified SPF:

v=spf1 include:_spf.google.com include:servers.mcsv.net -all

Validation: Confirm that the addition doesn't exceed 10 lookups and that the syntax remains valid.


Case 3: "permerror" in production

Symptom: Your emails fail with SPF permerror.

Diagnosis: Paste the record into the validator.

Detected error:

v=spf1 ip4:192.168.1.1 include: -all

Error: mechanism_missing_value - include: without domain.

Fix:

v=spf1 ip4:192.168.1.1 include:_spf.captaindns.com -all

Case 4: Too many DNS lookups

Symptom: The validator shows lookup_limit_exceeded.

Diagnosis: Your SPF has too many includes:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:amazonses.com include:_spf.salesforce.com include:sendgrid.net include:mailchimp.com -all

Solutions:

  1. Replace some includes with direct ip4/ip6
  2. Use a dedicated subdomain (e.g., marketing.captaindns.com)
  3. Remove unused services
  4. Use our SPF Flattener to automatically resolve includes into IPs
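
A record with only a few includes can still exceed the limit because every nested include, a, mx, exists and redirect is counted too. The sketch below is an added example, not the code of the validator or the SPF Inspector: audit_lookups is a hypothetical function, the ZONE entries are constructed stand-ins for DNS TXT answers, and the count is the worst case in which every term is evaluated.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone data standing in for DNS TXT answers (not real provider records).
ZONE = {
    "corp.example": "v=spf1 mx include:mail.example include:crm.example include:news.example -all",
    "mail.example": "v=spf1 include:a.mail.example include:b.mail.example include:c.mail.example ~all",
    "a.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "c.mail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "crm.example": "v=spf1 a mx exists:%{i}.bl.crm.example -all",
    "news.example": "v=spf1 include:crm.example ~all",
    "flat.corp.example": "v=spf1 mx ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip4:203.0.113.0/24 include:crm.example -all",
    "loop-a.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop-a.example -all",
}

def _walk(domain, zone, ancestors, totals):
    record = zone.get(domain)
    if record is None:                       # no TXT answer: counts as a void lookup
        totals["void"] += 1
        return
    for term in record.lower().split()[1:]:
        body = term.lstrip("+-~?")
        if body.startswith("redirect="):
            kind, target = "redirect", body[len("redirect="):]
        else:
            kind, _, target = body.partition(":")
            kind = kind.split("/")[0]        # a/24 and mx/24 carry a CIDR suffix
        if kind not in LOOKUP_TERMS:
            continue
        totals["lookups"] += 1
        if kind in ("include", "redirect"):
            if target in ancestors:
                totals["cycle"] = True       # do not recurse into a loop
            else:
                _walk(target, zone, ancestors + (target,), totals)

def audit_lookups(domain, zone=ZONE):
    """Worst-case recursive lookup count for domain, plus the page's limit codes."""
    totals = {"lookups": 0, "void": 0, "cycle": False}
    _walk(domain, zone, (domain,), totals)
    issues = []
    if totals["lookups"] > 10:
        issues.append("lookup_limit_exceeded")
    if totals["void"] > 2:
        issues.append("void_lookup_limit_exceeded")
    if totals["cycle"]:
        issues.append("lookup_cycle")
    return totals["lookups"], issues
```

Here corp.example lists only one mx and three includes yet costs 14 lookups once nested records are followed, while flat.corp.example, with the mail.example ranges written as ip4 terms, costs 5.
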

FAQ - Frequently asked questions

Q: What is an SPF record?

A: SPF (Sender Policy Framework) is a DNS TXT record that lists servers authorized to send emails for your domain. Format: v=spf1 followed by mechanisms (ip4, mx, include) and a final directive (-all, ~all).


Q: Why validate SPF syntax before publishing?

A: A malformed SPF record generates a permanent error (permerror) that can cause all your emails to be rejected or completely disable SPF verification. Validating before publishing prevents service interruptions.


Q: What is the DNS lookup limit for SPF?

A: RFC 7208 limits SPF evaluation to 10 DNS lookups. Each include, a, mx, ptr and exists counts. Exceeding this limit generates a permerror and may fail authentication.


Q: What is the difference between -all and ~all?

A:

  • -all (hard fail): Rejects unauthorized emails
  • ~all (soft fail): Marks as suspicious but accepts

Start with ~all for testing, then switch to -all in production for maximum protection.


Q: How do I fix the "too many DNS lookups" error?

A:

  1. Replace includes with direct ip4/ip6
  2. Remove unused mechanisms
  3. Use subdomains with their own SPF
  4. Avoid ptr (deprecated and costly in lookups)

Q: Can I have multiple SPF records?

A: No. The RFC requires a single SPF record per domain. Multiple records generate a permerror. Merge your policies into one TXT starting with v=spf1.


Q: Does the tool validate included domains?

A: The validator checks the syntax of domains referenced by include and redirect. For complete analysis with DNS resolution and recursive lookup counting, use the SPF Inspector.


Complementary tools

| Tool | Purpose |
|---|---|
| SPF Inspector | Analyze a published SPF with complete DNS resolution |
| SPF Flattener | Flatten your SPF to stay under the 10 DNS lookup limit |
| DKIM Inspector | Validate your DKIM signature |
| DMARC Inspector | Configure and test your DMARC policy |
| Email Header Analyzer | Diagnose SPF/DKIM/DMARC on a received email |
