Validate and debug SPF records for any domain. Enter a domain to see its full SPF lookup tree, DNS lookup count, detected email vendors, and authorized sender IPs. Try domains like netflix.com, openai.com, or anthropic.com.
SPF misconfigurations are one of the top causes of email deliverability failures. Exceeding the 10-lookup limit triggers PermError, causing receivers to reject or spam-folder your mail. Stale includes from vendors you no longer use waste lookups. Overly permissive policies (like +all) expose you to spoofing. DNSai's SPF Analyzer visualizes your entire SPF tree, counts lookups at each level, and identifies exactly which includes are consuming your lookup budget — so you can fix issues before they affect delivery.
When you enter a domain, DNSai queries its SPF TXT record and recursively follows every include:, a:, and mx: mechanism and every redirect= modifier. Each lookup is counted against the 10-lookup limit defined in RFC 7208.
The tree view shows the hierarchy of includes with lookup counts at each level. We detect known ESP patterns (like _spf.google.com for Google Workspace) and label them for easy identification.
Sender Sources: We extract all ip4: and ip6: ranges from the entire tree, giving you a complete list of IPs authorized to send email for the domain.
SPF (Sender Policy Framework) is a DNS TXT record that lists the IP addresses and hostnames authorized to send email for your domain. Receiving mail servers check SPF to verify the envelope sender, helping prevent spoofing and phishing. Without a valid SPF record, your emails are more likely to be marked as spam or rejected outright.
RFC 7208 limits SPF evaluation to 10 DNS lookups (include, a, mx, ptr, exists, redirect). Exceeding this limit causes a PermError, which most receivers treat as a fail. Each 'include:' counts as one lookup, plus any nested lookups inside that include. DNSai's SPF Analyzer counts both your direct lookups and nested ones so you can stay under the limit.
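The counting rule above, as an added Python example (not DNSai's code). It walks a constructed in-memory zone instead of querying DNS and reports the total lookups, the cost of each top-level include, and the authorized IP ranges. Assumptions: all `.test` names and records are made up, macro targets are counted but not expanded, and a missing record adds no nested lookups.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 section 4.6.4
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)

# Constructed zone data (domain -> SPF TXT record); nothing here is real DNS.
SAMPLE_ZONE = {
    "example.test": "v=spf1 mx a:mail.example.test include:_spf.esp-a.test "
                    "include:_spf.esp-b.test include:old-vendor.test ip4:192.0.2.0/24 ~all",
    "_spf.esp-a.test": "v=spf1 include:_nb1.esp-a.test include:_nb2.esp-a.test "
                       "include:_nb3.esp-a.test ~all",
    "_nb1.esp-a.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_nb2.esp-a.test": "v=spf1 ip4:198.51.100.128/25 ~all",
    "_nb3.esp-a.test": "v=spf1 ip6:2001:db8:a::/48 ~all",
    "_spf.esp-b.test": "v=spf1 a mx exists:%{i}._check.esp-b.test include:_nb.esp-b.test -all",
    "_nb.esp-b.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "old-vendor.test": "v=spf1 redirect=_spf.old-vendor.test",
    "_spf.old-vendor.test": "v=spf1 ip4:203.0.113.200 -all",
}

def analyze(domain, zone, path=()):
    """Walk the SPF tree for `domain`: lookups used, IP ranges, cost per include."""
    path = path + (domain,)                      # ancestors, used to stop include loops
    result = {"lookups": 0, "ips": [], "cost": {}, "all": None}
    for term in zone.get(domain, "").split()[1:]:  # skip the "v=spf1" version tag
        m = TERM.match(term)
        if not m:
            continue
        qual, name, value = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name in ("ip4", "ip6"):
            result["ips"].append(value)
        elif name == "all":
            result["all"] = qual + "all"
        if name not in LOOKUP_TERMS:
            continue
        used = 1                                 # the term itself costs one lookup
        if name in ("include", "redirect") and value and "%" not in value and value not in path:
            child = analyze(value, zone, path)   # nested lookups count against the same budget
            used += child["lookups"]
            result["ips"] += child["ips"]
            if name == "redirect" and result["all"] is None:
                result["all"] = child["all"]     # redirect target supplies the default result
        result["lookups"] += used
        if name == "include":
            result["cost"][value] = used
    result["permerror"] = result["lookups"] > 10
    return result
```

The `cost` map shows which include to remove or flatten first: in the constructed zone the record uses 13 lookups, 5 of them behind a single include.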
SPF macros like %{i}, %{s}, and %{d} are placeholders that expand at evaluation time to the sender IP, sender address, or domain. They enable dynamic SPF policies but add complexity and can break if misconfigured. Most domains don't need macros — use them only when you require per-sender or per-IP policy logic.
Three approaches to reducing the lookup count: (1) Remove unused includes: audit which ESPs you actually use and delete stale ones. (2) Flatten includes by replacing 'include:esp.com' with the actual IP ranges (ip4:/ip6:). (3) Use an SPF flattening service that auto-updates the IPs. Be careful: flattened records need regular updates when ESPs change their IP ranges.
The 'all' mechanism is the default result for IPs not matching earlier rules. '-all' (hard fail) tells receivers to reject unauthorized senders; '~all' (soft fail) marks them suspicious but typically delivers to spam. Best practice is '-all' for production domains and '~all' during migration or testing. '?all' (neutral) and '+all' (pass all) should be avoided.
DNS Explorer — Run bulk DKIM, SPF, and DMARC lookups across thousands of domains. Built for security teams, MSPs, and IT administrators who need to audit email authentication configurations across their entire domain portfolio.