Validate your SPF record syntax and check for common issues like too many DNS lookups, missing includes, or overly permissive policies. Free — no signup required.
What is SPF and Why Does It Matter?
SPF (Sender Policy Framework) is a DNS-based email authentication method that specifies which mail servers are authorized to send email on behalf of your domain. When a receiving mail server gets an email, it checks the sender's SPF record to verify the sending server is authorized.
Without SPF, anyone can send emails that appear to come from your domain. This means attackers can impersonate your company in phishing emails, damaging your reputation and putting your customers at risk. Even if you're not being actively targeted, missing SPF records can hurt your legitimate email deliverability — major providers like Gmail and Microsoft 365 use SPF as a signal for spam filtering.
A well-configured SPF record lists all your authorized mail servers (your own servers, plus services like Google Workspace, Microsoft 365, Mailchimp, etc.) and ends with an "all" term that tells receivers what to do with unauthorized senders. Ending the record with -all tells receivers to reject unauthorized senders, while ~all tells them to mark those messages as suspicious.
Frequently Asked Questions
What is SPF and why does my domain need it?
SPF (Sender Policy Framework) is a DNS-based email authentication method that specifies which mail servers are allowed to send email on behalf of your domain. Without SPF, spammers and attackers can forge your domain in the "From" address of emails, leading to phishing attacks and email deliverability problems.
What does "SPF record missing" mean?
It means your domain's DNS does not contain an SPF TXT record. This leaves your domain open to email spoofing — anyone can send email that appears to come from your domain. To fix this, add a TXT record to your DNS starting with "v=spf1" followed by your authorized mail servers and ending with "-all" or "~all".
What is the difference between ~all and -all in SPF?
"~all" (softfail) tells receiving servers that unauthorized senders should be marked as suspicious but not rejected outright. "-all" (hardfail) tells servers to reject emails from unauthorized senders entirely. "-all" provides stronger protection but can cause legitimate emails to be lost if your SPF record is incomplete.
What happens if my SPF record has too many DNS lookups?
The SPF specification limits DNS lookups to 10 per SPF evaluation. If your record exceeds this limit, the SPF check will return a "permerror" and many receiving servers will treat it as a fail. This commonly happens when using many "include:" directives. To fix this, consolidate includes or use IP addresses directly.
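The lookup budget described above can be checked offline before a record is published. The following is an added example, not GuardHound's code: the domains and records are constructed, a dictionary stands in for DNS TXT answers, and the set of terms that count toward the limit comes from RFC 7208 rather than from this page.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # per RFC 7208
MAX_LOOKUPS = 10
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/]*))?")

# Constructed sample data standing in for DNS TXT answers (domain -> SPF record).
SAMPLE_ZONE = {
    "ok.example": "v=spf1 mx include:_spf.mailer.example ip4:192.0.2.0/24 -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 include:_net.mailer.example ~all",
    "_net.mailer.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "heavy.example": "v=spf1 a mx "
    + " ".join(f"include:s{i}.vendor.example" for i in range(9)) + " ~all",
    **{f"s{i}.vendor.example": f"v=spf1 ip4:192.0.2.{i} -all" for i in range(9)},
    "open.example": "v=spf1 include:gone.example +all",
}

def parse(record):
    """Split an SPF record into (qualifier, name, argument) tuples."""
    matches = (TERM.match(t) for t in record.lower().split()[1:])  # skip v=spf1
    return [(m.group(1) or "+", m.group(2), m.group(3)) for m in matches if m]

def count_lookups(domain, zone, issues, seen=()):
    """Count DNS-querying terms, following include/redirect into nested records."""
    seen, total = seen + (domain,), 0
    for _, name, arg in parse(zone[domain]):
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            if arg not in zone:
                issues.append(f"{name} target {arg} has no SPF record")
            elif arg in seen:
                issues.append(f"{name} loop via {arg}")
            else:
                total += count_lookups(arg, zone, issues, seen)
    return total

def lint(domain, zone):
    """Return findings for one domain: missing record, lookup limit, weak all."""
    if domain not in zone:
        return ["SPF record missing"]
    issues = []
    lookups = count_lookups(domain, zone, issues)
    if lookups > MAX_LOOKUPS:
        issues.append(f"{lookups} DNS lookups exceeds {MAX_LOOKUPS} (permerror)")
    quals = [q for q, name, _ in parse(zone[domain]) if name == "all"]
    if quals and quals[0] in "+?":
        issues.append(f"overly permissive policy: {quals[0]}all")
    return issues
```

In the sample data, heavy.example has only 11 top-level terms, yet every include costs a lookup even when the included record contains nothing but ip4 entries, which is how a record that looks short still ends in permerror.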
Monitor your SPF records continuously
GuardHound watches your DNS records around the clock and alerts you when SPF, DMARC, or DKIM configurations change unexpectedly.