What does an SPF record do?
SPF, the Sender Policy Framework, lets a domain publish a list of servers authorized to send mail on its behalf. Receiving servers read the SPF record during message delivery and decide whether to accept, mark as suspicious, or reject mail that fails the check. Without SPF, anyone can spoof your domain in the From envelope, which leads to phishing, brand damage, and deliverability problems for legitimate mail.
What do the SPF mechanisms like include, a, mx, and ip4 mean?
Each mechanism adds servers to the authorized list. ip4 and ip6 take a literal address or range, a authorizes the domain's own A records, mx authorizes its mail servers, and include pulls in another domain's SPF, often used for SaaS vendors. The qualifiers +, -, ~, and ? mean pass, fail, soft fail, and neutral. The checker parses every mechanism and shows what each one resolves to.
Why do I keep hitting the ten DNS lookup limit?
SPF caps the number of DNS lookups required to evaluate a record at ten, including everything pulled in via include, a, mx, ptr, and exists. Stack a few SaaS senders and you exceed the limit, which causes a permerror and breaks delivery. Solutions include flattening SPF, removing unused vendors, or using an SPF management service that resolves and consolidates the includes for you.
What is the difference between -all and ~all?
-all is a hard fail, instructing receivers to reject mail from servers not listed. ~all is a soft fail, suggesting receivers accept the mail but mark it suspicious. Most domains start with ~all while testing and move to -all once confident no legitimate sender is missing. The checker highlights which qualifier is in use so you can confirm the policy strength matches your intent.
Can a domain have more than one SPF record?
No. RFC 7208 explicitly forbids multiple SPF records on a single domain, and receivers will treat the configuration as permerror. Combine all senders into one TXT record starting with v=spf1. This is one of the most common SPF mistakes the checker flags. If you find duplicates from different vendors, merge their includes into a single record before going live.
Does SPF alone protect my domain from spoofing?
No. SPF only validates the envelope sender, not the visible From header users actually see. Attackers can pass SPF using their own domain while displaying yours in the message. To close that gap, pair SPF with DKIM and DMARC, where DMARC enforces alignment between the From header and the SPF or DKIM-validated identity. Use the dedicated DMARC and DKIM checkers alongside this one.
