DNSai SPF Analyzer

Created by: Michael Hansen

Validate and debug SPF records for any domain. Enter a domain to see its full SPF lookup tree, DNS lookup count, detected email vendors, and authorized sender IPs. Try domains like netflix.com, openai.com, or anthropic.com.

SPF misconfigurations are one of the top causes of email deliverability failures. Exceeding the 10-lookup limit triggers PermError, causing receivers to reject or spam-folder your mail. Stale includes from vendors you no longer use waste lookups. Overly permissive policies (like +all) expose you to spoofing. DNSai's SPF Analyzer visualizes your entire SPF tree, counts lookups at each level, and identifies exactly which includes are consuming your lookup budget — so you can fix issues before they affect delivery.

10-lookup limit awareness — we count both direct and nested DNS lookups so you know exactly how close you are to the RFC 7208 limit.
Vendor detection — we identify Google Workspace, Microsoft 365, SendGrid, Mailchimp, and 50+ ESPs from their SPF includes and IP ranges.
Full sender source extraction — we recursively resolve all includes and list every IP/network authorized to send as your domain.

Example Output

Static sample of a live check for dnsai.com, captured June 2026. Run the form above for current results.

Published SPF record

v=spf1 include:_spf.google.com include:mailgun.org ip4:74.48.223.135 ip4:45.76.60.87 -all

Analysis summary

Record status Valid
DNS lookups used 6 of 10 (2 direct + 4 nested) — within limit
Include depth 3 levels
Authorized sender sources 46 (IPs/networks across the full tree)
Vendors detected Google (mail), Mailgun
Macros used 0
Warnings None

Include tree

  • dnsai.com (root)
    • include:_spf.google.com — Google (mail): 2 ip4 + 6 ip6 ranges, ~all
    • include:mailgun.org — Mailgun, -all
      • include:_spf.mailgun.org
        • include:_spf1.mailgun.org — 10 ip4 ranges
        • include:_spf2.mailgun.org — 9 ip4 ranges
      • include:_spf.eu.mailgun.org — 11 ip4 ranges
    • ip4:74.48.223.135
    • ip4:45.76.60.87
    • -all

How SPF Analyzer Works

When you enter a domain, DNSai queries its SPF TXT record and recursively follows every include:, redirect=, a:, and mx: mechanism. Each lookup is counted against the 10-lookup limit defined in RFC 7208.

The tree view shows the hierarchy of includes with lookup counts at each level. We detect known ESP patterns (like _spf.google.com for Google Workspace) and label them for easy identification.

Sender Sources: We extract all ip4: and ip6: ranges from the entire tree, giving you a complete list of IPs authorized to send email for the domain.

SPF Analyzer FAQ

What is SPF and why does it matter?

SPF (Sender Policy Framework) is a DNS TXT record that lists the IP addresses and hostnames authorized to send email for your domain. Receiving mail servers check SPF to verify the envelope sender, helping prevent spoofing and phishing. Without a valid SPF record, your emails are more likely to be marked as spam or rejected outright.

What is the 10-lookup limit in SPF?

RFC 7208 limits SPF evaluation to 10 DNS lookups (include, a, mx, ptr, exists, redirect). Exceeding this limit causes a PermError, which most receivers treat as a fail. Each 'include:' counts as one lookup, plus any nested lookups inside that include. DNSai's SPF Analyzer counts both your direct lookups and nested ones so you can stay under the limit.

What are SPF macros and should I use them?

SPF macros like %{i}, %{s}, and %{d} are placeholders that expand at evaluation time to the sender IP, sender address, or domain. They enable dynamic SPF policies but add complexity and can break if misconfigured. Most domains don't need macros — use them only when you require per-sender or per-IP policy logic.

How do I fix 'too many DNS lookups' in SPF?

Three approaches: (1) Remove unused includes — audit which ESPs you actually use and delete stale ones. (2) Flatten includes by replacing 'include:esp.com' with the actual IP ranges (ip4:/ip6:). (3) Use an SPF flattening service that auto-updates the IPs. Be careful: flattened records need regular updates when ESPs change their IP ranges.

What's the difference between ~all and -all?

The 'all' mechanism is the default result for IPs not matching earlier rules. '-all' (hard fail) tells receivers to reject unauthorized senders; '~all' (soft fail) marks them suspicious but typically delivers to spam. Best practice is '-all' for production domains and '~all' during migration or testing. '?all' (neutral) and '+all' (pass all) should be avoided.