
SPF Checker

A tool to analyze and debug SPF records for any domain.

Overview

The SPF Checker parses your domain's SPF record, recursively resolves all include references, and gives you a complete picture of your sending authorization:

  • Full SPF record parsing and validation
  • Recursive include expansion with tree visualization
  • DNS lookup counting against the RFC 7208 limit of 10
  • IP address flattening across all includes
  • Automatic detection of known email providers
  • Shareable results with permanent links

The SPF Checker is available in the dashboard under Tools > SPF Checker. Results can be saved and shared via permanent links that anyone can view without an account.

How It Works

  1. Enter a domain name in the search field
  2. MailShield looks up the domain's SPF TXT record and parses it
  3. All include, redirect, a, mx, and exists mechanisms are resolved recursively
  4. Results are displayed with validation errors, warnings, and a full breakdown

TIP

The URL updates to ?domain=example.com when you run a check, so you can bookmark or share the search directly.

What You See

Status Header

A summary card showing:

  • Domain checked
  • Valid / Invalid / Not Found status badge
  • Default policy (-all, ~all, +all, ?all)
  • SPF version
  • Mechanism count and record length
  • Detected providers (Google Workspace, Microsoft 365, SendGrid, etc.)

DNS Lookup Counter

SPF has a hard limit of 10 DNS lookups per evaluation (RFC 7208). The counter shows:

Lookups | Status
0–7 | OK (green)
8–10 | Warning (yellow)
Over 10 | Error (red) — record will fail for some receivers

A per-mechanism breakdown shows exactly which mechanisms contribute lookups.

Errors and Warnings

  • Errors indicate the record is invalid or will cause delivery failures
  • Warnings highlight issues that could cause problems but don't break the record

Include Expansion Tree

A recursive accordion showing every included SPF domain:

  • Validity status per include
  • Provider identification (e.g., Google Workspace, SendGrid)
  • IP addresses authorized by each include
  • Nested includes expanded recursively
  • Lookup count contribution per branch

Mechanisms Table

An ordered table of all mechanisms in the record:

Column | Description
Prefix | + (pass), - (fail), ~ (softfail), ? (neutral)
Mechanism | include, a, mx, ip4, ip6, exists, redirect
Value | The domain or IP range
Lookups | DNS lookups consumed by this mechanism

Each mechanism can be expanded to show resolved hosts.

Authorized Senders (IP Summary)

A flattened list of every IPv4 and IPv6 address or range authorized by the full SPF tree. Includes:

  • Total / IPv4 / IPv6 counts
  • Collapsible IP list with copy-all button

Detected Providers

The checker automatically identifies these email services when found in the SPF tree:

Provider | Detection
Google Workspace | _spf.google.com
Microsoft 365 | spf.protection.outlook.com
SendGrid | sendgrid.net
Amazon SES | amazonses.com
Mailchimp | servers.mcsv.net
Mailgun | mailgun.org
Postmark | spf.mtasv.net
HubSpot | hubspot.com includes
Zendesk | mail.zendesk.com
Salesforce | salesforce.com includes
Zoho | zoho.com includes
Cloudflare | cloudflare.net includes

Sharing Results

  1. Run a check for any domain
  2. Click Share Results to save the result permanently
  3. A share link is generated (e.g., https://app.mailshield.app/s/spf/abc1234567)
  4. Anyone with the link can view the result — no account required

Shared results show the check timestamp and a read-only view of the full analysis.

TIP

Sharing is useful for sending SPF analysis to colleagues or clients who don't have a MailShield account.

Common Issues

Too Many DNS Lookups

Problem: SPF record exceeds the 10-lookup limit.

Each include, a, mx, redirect, and exists mechanism consumes at least one lookup. Nested includes add up quickly.

Fix:

  • Remove unused includes for services you no longer use
  • Replace include mechanisms with ip4/ip6 ranges where the IPs are stable
  • Consider SPF flattening (but be aware it requires maintenance when provider IPs change)
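
The counting described above can be reproduced offline. This is an added example, not MailShield's code: the `ZONE` table is constructed sample data standing in for DNS, and `terms`, `count_lookups` and `status` are hypothetical names. It walks nested includes, charges each DNS-querying term one lookup, and applies the badge thresholds from the counter table.

```python
import re

# Constructed TXT data standing in for live DNS; every name is illustrative.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:_spf.crm.example ip4:192.0.2.0/24 ~all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mail.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 a:out.crm.example exists:%{i}.rbl.crm.example -all",
    "big.example": "v=spf1 a mx include:example.com include:_spf.crm.example -all",
}

# Terms that cost a DNS query during evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def terms(record):
    """Yield (raw, name, value) for each term after the v=spf1 tag."""
    for raw in record.split()[1:]:
        m = re.match(r"([A-Za-z0-9]+)[:=]?(.*)", raw.lstrip("+-~?"))
        if m:
            yield raw, m.group(1).lower(), m.group(2).lower()

def count_lookups(domain, zone, path=()):
    """Return (total, breakdown) where breakdown is [(term, lookups)] for this record."""
    if domain in path or domain not in zone:  # include loop or no record: stop descending
        return 0, []
    total, breakdown = 0, []
    for raw, name, value in terms(zone[domain]):
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all need no DNS query
        cost = 1
        if name in ("include", "redirect"):  # the target's own terms count as well
            cost += count_lookups(value, zone, path + (domain,))[0]
        breakdown.append((raw, cost))
        total += cost
    return total, breakdown

def status(total):
    """Map a lookup total to the badge thresholds in the counter table above."""
    if total > 10:
        return "Error"
    return "Warning" if total >= 8 else "OK"

if __name__ == "__main__":
    for name in ("example.com", "big.example"):
        total, parts = count_lookups(name, ZONE)
        print(name, total, status(total), parts)
```

In the sample data, `big.example` has only four lookup-costing terms of its own but goes over the limit because one include pulls in another record's full tree.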

Missing -all

Problem: Record uses ~all (softfail) or ?all (neutral) instead of -all (hardfail).

Fix:

v=spf1 include:_spf.google.com -all

Move to -all once you've confirmed all legitimate senders are included. Use DMARC reports to verify before switching.

Duplicate Mechanisms

Problem: The same include or IP range appears more than once, wasting DNS lookups.

Fix: Remove the duplicate entry. The checker flags duplicates automatically.

No SPF Record

Problem: Domain has no SPF TXT record at all.

Fix: Add a minimal SPF record. If the domain doesn't send email:

v=spf1 -all
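
A small lint covering the last three issues (weak `all` policy, duplicate mechanisms, no SPF record), as an added example that is not MailShield's code. `lint_spf` is a hypothetical name, the input is the list of TXT strings already fetched for a domain, and the sample records are constructed.

```python
def lint_spf(txt_records):
    """Return [(severity, message)] for the TXT strings published at one domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return [("error", "no SPF record")]
    if len(spf) > 1:  # more than one v=spf1 record is a permerror (RFC 7208, 4.5)
        return [("error", "multiple SPF records")]

    findings, seen = [], set()
    terms = [t.lower() for t in spf[0].split()[1:]]
    for term in terms:
        key = term.lstrip("+")  # "+mx" and "mx" are the same term
        if key in seen:
            findings.append(("warning", f"duplicate mechanism {term}"))
        seen.add(key)

    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if all_terms:
        # A bare "all" carries the default "+" qualifier.
        policy = "+all" if all_terms[0] == "all" else all_terms[0]
        if policy != "-all":
            findings.append(("warning", f"policy is {policy}, not -all"))
    elif not any(t.startswith("redirect=") for t in terms):
        # With no all and no redirect, unmatched senders evaluate to neutral.
        findings.append(("warning", "no all mechanism or redirect"))
    return findings

if __name__ == "__main__":
    # Constructed sample inputs.
    samples = {
        "parked domain": ["v=spf1 -all"],
        "no record": ["google-site-verification=constructed-value"],
        "needs work": ["v=spf1 include:_spf.google.com include:_spf.google.com ~all"],
    }
    for label, records in samples.items():
        print(label, lint_spf(records))
```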

API Access

The SPF Checker is available as an internal API endpoint (not part of the public v1 API).

Check a Domain

```bash
curl -X POST https://app.mailshield.app/api/spf-checker \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com"}'
```

To save the result for sharing:

```bash
curl -X POST https://app.mailshield.app/api/spf-checker \
  -H "Content-Type: application/json" \
  -d '{"domain": "example.com", "save": true}'
```

Response

```json
{
  "domain": "example.com",
  "record": "v=spf1 include:_spf.google.com -all",
  "valid": true,
  "version": "spf1",
  "allPolicy": "-all",
  "mechanisms": [...],
  "includeTree": [...],
  "lookupBreakdown": [...],
  "totalLookupCount": 4,
  "flattenedIps": ["192.0.2.0/24", "2001:db8::/32"],
  "detectedProviders": ["Google Workspace"],
  "recordLength": 38,
  "errors": [],
  "warnings": [],
  "shareId": null,
  "shareUrl": null
}
```

When save: true, the response includes shareId and shareUrl with the permanent link.
