Email · DNS · Sender authorization

SPF check

Q: Can a domain have more than one SPF record?

No. A domain should have only one SPF record starting with v=spf1. Multiple SPF records make the SPF configuration invalid.

Q: What is the difference between -all and ~all?

-all means a strict SPF fail when the sender does not match the allowed sources. ~all is a softer result where the message is marked as suspicious but is not necessarily rejected based on SPF alone.

Check a domain’s SPF record and see which servers are authorized to send email on behalf of the domain.

An SPF record is published as a DNS TXT record. A domain should have only one TXT record starting with v=spf1.

Enter a domain and start the check.

Guide · SPF and sender authorization

What does this SPF check do?

The SPF check shows whether a domain has published an SPF record and which servers are authorized to send email on behalf of that domain. SPF is published as a DNS TXT record and starts with v=spf1.

SPF is one of the basic mechanisms of email authentication. It does not solve all forms of email spoofing by itself, but it helps receiving mail systems evaluate whether a message came from an authorized sending source.

v=spf1

An SPF record always starts with v=spf1. A domain should have only one SPF record with this prefix.

include

The include: mechanism can be used to include the sending servers of an email service provider.

ip4 and ip6

ip4: and ip6: authorize specific IPv4 or IPv6 addresses to send email.

all mechanism

Records often end with -all, ~all, ?all or +all, which defines the final result.

Why does SPF matter?

SPF helps prevent unauthorized servers from sending email on behalf of a domain. When SPF is configured correctly, a receiving mail server can check whether the sending server belongs to the allowed sources.

SPF also matters for DMARC. DMARC can use the SPF result when the SPF identity aligns with the visible From domain. For that reason, SPF should be configured together with DKIM and DMARC.

How to interpret the result

A good SPF result means that the domain has exactly one SPF record and that it includes only the required sending sources. A record that is too broad may allow unnecessary senders, while a record that is too strict may prevent legitimate messages from passing SPF.

In production, -all is usually the clearest and strictest result if all legitimate sending sources are known. ~all is a softer option that can be useful during rollout. +all is generally not recommended, because it effectively allows all senders.

Frequently asked questions

Can a domain have more than one SPF record?

No. A domain should have only one SPF record starting with v=spf1. Multiple SPF records make the SPF configuration invalid.

What is the difference between -all and ~all?

-all means a strict SPF fail when the sender does not match the allowed sources. ~all is a softer result where the message is marked as suspicious but is not necessarily rejected based on SPF alone.

Is SPF enough to protect against email spoofing?

Not completely. SPF is an important part of the setup, but it should be used together with DKIM and DMARC for stronger protection and better trust.