Sender Policy Framework — a DNS record that lists the IP addresses and services authorised to send email from your domain. Receivers check incoming mail against the record to detect spoofing.

SPF, DKIM and DMARC - which do I need?

All three. SPF authorises sending IPs, DKIM signs outgoing messages, DMARC tells receivers what to do when SPF or DKIM fails. Together they form modern email authentication.

What does -all vs ~all do?

-all (hard fail) tells receivers to reject mail from unauthorized sources. ~all (soft fail) tells them to mark it as suspicious but accept. Use -all when you are confident every legitimate sender is listed.

Why does the 10-lookup limit matter?

RFC 7208 caps SPF evaluation at 10 DNS lookups. Records exceeding this silently fail at receivers. Use SPF flattening tools or consolidate include: records to stay under the limit.

Not directly. SPF is email security. But protecting your domain from spoofing protects brand trust and indirectly supports search reputation.

SPF Records Test

The SPF Record Test fetches the SPF (Sender Policy Framework) record published in your domain's DNS and validates its syntax, the list of authorised sending IPs, the lookup count (capped at 10 by RFC), and the qualifier (-all hard fail, ~all soft fail). SPF is one of three core email-authentication mechanisms (alongside DKIM and DMARC) that stop attackers from spoofing your domain in phishing emails — protecting both your users and your sender reputation.

What This Tool Checks

SPF record exists in DNS
Syntactically valid SPF (v=spf1 ...)
Authorised IP ranges and include: lookups
DNS lookup count under the RFC limit of 10
Final qualifier (-all hard fail vs ~all soft fail)
No deprecated mechanisms (ptr, exp)

Why It Matters for SEO

Without SPF, any server on the internet can send mail claiming to be from your domain. Phishing emails impersonating your brand reach users' inboxes, you receive bounce / abuse complaints for emails you did not send, and your sender reputation degrades, hurting deliverability of legitimate mail. SPF is the simplest of the three email-authentication standards and a baseline every domain that sends or owns mail should publish.

How to Fix It

Publish exactly one SPF TXT record listing every IP / service authorised to send mail from your domain. End with -all to hard-fail unauthorised senders. Use include: for SaaS providers (Google Workspace, SendGrid, Mailgun) but watch the 10-lookup cap. Re-test after every change to mail infrastructure.

How It Works

We query the domain's TXT records, locate the SPF entry, parse its mechanisms, and recursively resolve every include: and a: lookup to count the total DNS lookups required to evaluate it. SPF records exceeding 10 lookups silently fail in many receivers.

Common Mistakes to Avoid

No SPF record at all (anyone can spoof your domain)
SPF record exceeds 10 DNS lookups (silently fails)
Soft fail (~all) used when hard fail (-all) would be appropriate
Missing SPF on a parked domain (still spoofable)
Multiple SPF TXT records (conflicting; receivers reject)

Quick Checklist

Exactly one SPF record published
All sending IPs / services listed
Total DNS lookups under 10
Hard fail (-all) at the end
Re-tested after mail infrastructure changes

SPF Records Test

What This Tool Checks

Why It Matters for SEO

How to Fix It

How It Works

Common Mistakes to Avoid

Quick Checklist

Frequently Asked Questions

Related Free Tools

About PositionMySite

Services

Let's Connect