SPF record checker

SPF (Sender Policy Framework) lists the servers allowed to send mail for a domain. Enter a domain to validate its SPF record: the syntax, the final all-qualifier, and whether it stays within the DNS lookup limit.

Runs the full report, including this check.

What the SPF check covers

Why the all-qualifier matters

The all-qualifier tells receivers what to do with mail from servers not listed. A hardened setup uses -all or ~all. A record ending in +all authorizes the whole internet and offers no protection, so scan.mx caps the grade when it sees a weak qualifier.

Frequently asked questions

Should SPF end in -all or ~all?
Both are acceptable. -all (hard fail) tells receivers to reject unlisted senders; ~all (soft fail) tells them to accept but mark as suspicious. Use ~all while rolling out and move to -all once DMARC reports confirm all legitimate sources are covered.
What is the SPF 10-lookup limit?
SPF evaluation may perform at most 10 DNS lookups (include, a, mx, ptr, exists, redirect). Going over produces a permerror and SPF is treated as if it were absent. Flatten nested includes or consolidate senders to stay under it.