SPF record checker
SPF (Sender Policy Framework) lists the servers allowed to send mail for a domain. Enter a domain to validate its SPF record: the syntax, the final all-qualifier, and whether it stays within the DNS lookup limit.
Runs the full report, including this check.
What the SPF check covers
- Presence: a single SPF record at the domain apex (multiple SPF records are invalid).
- All-qualifier: whether the record ends in
-all(hard fail),~all(soft fail), or a weak?all/+all. - Lookup limit: SPF allows at most 10 DNS-querying mechanisms; exceeding it makes the record fail (permerror).
Why the all-qualifier matters
The all-qualifier tells receivers what to do with mail from servers
not listed. A hardened setup uses -all or
~all. A record ending in +all authorizes
the whole internet and offers no protection, so scan.mx caps the
grade when it sees a weak qualifier.
Frequently asked questions
Should SPF end in -all or ~all?
Both are acceptable. -all (hard fail) tells receivers to reject unlisted senders; ~all (soft fail) tells them to accept but mark as suspicious. Use ~all while rolling out and move to -all once DMARC reports confirm all legitimate sources are covered.
What is the SPF 10-lookup limit?
SPF evaluation may perform at most 10 DNS lookups (include, a, mx, ptr, exists, redirect). Going over produces a permerror and SPF is treated as if it were absent. Flatten nested includes or consolidate senders to stay under it.