Free SPF checker

Is your SPF record about to silently fail?

SPF has a hard 10-lookup limit that almost nobody tracks. Go over it, and some mail servers reject your email with no warning. We count your lookups for you.

How the lookup count is calculated

We fetch your domain's SPF record (the TXT record starting with v=spf1), then walk every include: mechanism recursively — because an included record can include others, and all of those count against the same shared limit of 10.

The breakdown below the result shows exactly which part of the chain is contributing lookups, so if you're over the limit, you can see which included provider is the heaviest and decide whether to drop it, flatten it, or push back on whoever asked you to add it.

This check reflects your SPF setup only. A domain can have flawless SPF and still allow spoofed mail if DMARC isn't enforcing alignment — worth checking with our DMARC checker too.

Common questions

What is the SPF 10-lookup limit?+

RFC 7208 caps SPF evaluation at 10 DNS lookups (mechanisms like include, a, mx, ptr, and exists each count). Go over it, and the SPF check is required to return a "permerror" — many mail servers treat that as an outright SPF failure, which can land legitimate mail in spam or get it rejected.

Why is my lookup count so high?+

Every email tool you connect — your CRM, invoicing software, marketing platform, helpdesk — typically asks you to add an include: mechanism to your SPF record. Each include is itself a lookup, and if that included record has its own includes, those count too. It adds up fast without anyone noticing.

How do I fix an SPF record that's over the limit?+

The standard fix is "flattening": resolving all the includes down to their actual IP addresses and listing those directly instead, which removes the lookups those includes were causing. It works, but the IPs of your email providers can change, so a flattened record needs to be re-checked periodically or it silently goes stale.

Does this tool check void lookups too?+

This tool counts the mechanisms that trigger a DNS lookup (include, a, mx, ptr, exists) per RFC 7208. It's built to catch the most common real-world cause of SPF failures — too many includes — rather than every edge case in the spec.

I don't have an SPF record at all — is that better or worse than being over the limit?+

Worse. No SPF record means there's no list at all of who's allowed to send mail for your domain, which is a bigger gap than a record that's merely over-provisioned. Either way, the fix starts with seeing your actual record, which is what this tool shows you.