SPF record lookup
SPF (Sender Policy Framework) is a TXT record listing the servers authorized to send mail for a domain. Receivers check it during delivery. A misconfigured SPF record gets legitimate mail rejected; a missing one leaves your domain looking spoofable.
How to look it up
Four ways to query — pick by what's available on your machine.
- dig: `dig TXT example.com +short | grep spf1`
- dotdig: `dotdig spf example.com`
- spf-tool: `spfquery --scope=mfrom --identity=test@example.com --ip=1.2.3.4`
Sample response
"v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all"
Format
Always starts with `v=spf1`. Each mechanism takes an optional qualifier prefix: `+` pass (the default), `-` fail (hard fail), `~` softfail, `?` neutral. The record ends with an all-policy: `-all` strict, `~all` soft, `+all` insecure.
Common pitfalls
- WARNING: SPF has a 10-DNS-lookup limit (RFC 7208 §4.6.4). Each `include:`, `a`, `mx`, `exists` mechanism counts. Exceeding it produces an SPF permerror, and the mail is rejected.
- `+all` is a critical misconfig: it allows ANY server to send as you. Always end with `-all` or `~all`.
- Adding `include:_spf.google.com` pulls in whatever Google currently publishes, and their nested includes can push you past your 10-lookup budget without warning. Audit periodically.
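An added example (not part of this page or the dotdig tool) that walks an SPF include tree the way a receiver would, counting the terms charged against the 10-lookup limit and flagging `+all`, a missing all-policy, include loops and absent records. It runs against constructed sample records instead of live DNS, and it also counts `redirect=` and `ptr`, which RFC 7208 charges against the same limit.

```python
# Constructed sample TXT answers standing in for live DNS (not real records).
SAMPLE_ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:35.190.247.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:4860:4000::/36 ~all",
    "loose.example": "v=spf1 a mx +all",
    "loop.example": "v=spf1 include:loop.example -all",
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

def audit_spf(domain, zone=SAMPLE_ZONE, _path=()):
    """Return {'lookups': int, 'issues': [str]} for domain's whole include tree.
    _path holds the chain of domains already being evaluated (loop guard)."""
    out = {"lookups": 0, "issues": []}
    if domain in _path:                      # include loop: charged, not followed
        out["issues"].append(f"{domain}: include loop")
        return out
    record = zone.get(domain)
    if not record or not record.startswith("v=spf1"):
        out["issues"].append(f"{domain}: no SPF record")
        return out
    has_all = False
    for term in record.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"   # missing qualifier means pass
        body = term.lstrip("+-~?")
        if body.startswith("redirect="):               # modifier: one lookup plus target
            sub = audit_spf(body[len("redirect="):], zone, _path + (domain,))
            out["lookups"] += 1 + sub["lookups"]
            out["issues"] += sub["issues"]
            has_all = True                             # target's policy governs
            continue
        mech, _, arg = body.partition(":")
        if mech == "all":
            has_all = True
            if qual == "+":
                out["issues"].append(f"{domain}: +all lets any host send as you")
        elif mech == "include":                        # one lookup plus the subtree
            sub = audit_spf(arg, zone, _path + (domain,))
            out["lookups"] += 1 + sub["lookups"]
            out["issues"] += sub["issues"]
        elif mech in ("a", "mx", "exists", "ptr"):     # each costs one lookup
            out["lookups"] += 1
    if not has_all:
        out["issues"].append(f"{domain}: no terminating all (defaults to neutral)")
    if not _path and out["lookups"] > MAX_LOOKUPS:     # report once, at the root
        out["issues"].append(f"{domain}: {out['lookups']} lookups exceed {MAX_LOOKUPS} (permerror)")
    return out
```

Swap SAMPLE_ZONE for a function that fetches real TXT records to audit a live domain before a DMARC rollout.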
Why it matters for security
SPF prevents trivial spoofing. Without SPF (or with `+all`), attackers can forge mail from your domain and pass receiver checks. Combine it with DKIM signing and a DMARC policy.
Use cases
- Email deliverability debugging (mail going to spam)
- Onboarding new transactional mail provider
- Audit before DMARC rollout
- Phishing investigation
Look up DNS without flag soup
dotdig is a friendly DNS resolver with formatted output, custom resolver support and DNSSEC validation. A zero-config alternative to dig.