How To Perform An SPF Lookup For

Better Email Security

Ensuring the security of your email is vital for safeguarding your domain against threats such as spoofing, phishing, and unauthorized email activities. A highly effective method to confirm the configuration of your domain’s SPF (Sender Policy Framework) is through an SPF lookup. This procedure verifies that only designated servers are permitted to send emails on behalf of your domain, thereby enhancing both security and email deliverability.

In this guide, we will outline the steps to conduct an SPF lookup, highlight its significance, and provide guidance on how to interpret the results to uphold a secure email environment.

What is an SPF Lookup?

An SPF lookup involves examining and retrieving the SPF record associated with a domain to identify the permitted mail servers. This process enables email administrators to validate the correct configuration of their SPF record, thereby ensuring that outgoing emails successfully meet authentication requirements.

Why is SPF Lookup Important?

Performing an SPF lookup offers several benefits:

• Prevents Email Spoofing: Guarantees that only permitted mail servers have the ability to dispatch emails on behalf of your domain.


• Improves Deliverability: Decreases the likelihood of emails being classified as spam or being declined by recipient servers.


• Identifies Errors: Assists in identifying any misconfigurations within your SPF record that may result in issues with email delivery.


• Enhances Compliance: Guarantees compliance with email authentication standards such as DMARC and DKIM. Uncover the wide range of services we offer here.

How to Perform an SPF Lookup

Various approaches exist for verifying your SPF record, including both manual inspections and the utilization of online SPF checking tools.

1. Using an Online SPF Lookup Tool

A straightforward method for conducting an SPF lookup is to utilize online tools that automatically retrieve and assess SPF records. Several dependable tools for SPF lookups are available, including:

• Kitterman SPF Checker (https://www.kitterman.com)


• MXToolbox SPF Lookup (https://mxtoolbox.com)


• Google Admin Toolbox Dig (https://toolbox.googleapps.com/apps/dig/)

Steps to Use an Online SPF Lookup Tool:

• Go to an SPF lookup tool of your choice.


• Enter your domain name (e.g., example.com).


• Click "Check" or "Lookup" to fetch the SPF record.


• Analyze the results, including authorized mail servers and potential errors.

2. Checking SPF Record Using Command Line (Windows, macOS, Linux)

Should you favor a more technical method, you have the option to conduct an SPF lookup utilizing command-line utilities such as nslookup or dig.

Using nslookup (Windows Command Prompt or PowerShell):

• Open Command Prompt or PowerShell.


• Type the following command and press Enter:

nslookup -type=TXT example.com

• Look for the SPF record, which starts with v=spf1.

Using dig (macOS and Linux Terminal):

• Open a terminal.


• Run the following command:

dig TXT example.com

• The SPF record will appear in the output.

3. Using Google Admin Toolbox for Google Workspace Domains

If your domain is utilizing Google Workspace, you have the option to utilize the Google Admin Toolbox Dig tool to verify your SPF record.

• Access the Google Admin Toolbox Dig at https://toolbox.googleapps.com/apps/dig/.


• Input your domain name and choose TXT Record for the query type.


• After that, click on Run Dig to review the SPF record in the results.

How to Interpret SPF Lookup Results

When you retrieve an SPF record, it will look something like this:

v=spf1 include:_spf.google.com include:mailgun.org ip4:192.168.1.1 -all

Here’s what each part means:

• v=spf1: Indicates the version of SPF being used.


• include:_spf.google.com: Enables Google's mail servers to dispatch emails using your domain's identity.


• include:mailgun.org: Authorizes Mailgun as a third-party email sender.


• ip4:192.168.1.1: Specifies an authorized mail server by IP address.


• -all: Enforces strict SPF by rejecting all unauthorized senders.

Common SPF Errors and Fixes

• No SPF Record Found: Should your domain lack an SPF record, please proceed to establish one within your DNS configuration.


• Too Many DNS Lookups (More Than 10): Implement SPF flattening to minimize the number of include statements.


• SPF SoftFail (~all) Instead of HardFail (-all): To ensure a firm rejection of unauthorized emails, modify ~all to -all.


• Multiple SPF Records: It is essential to maintain a single SPF record for each domain, since having multiple records may lead to operational issues.