SPF Record Checker

Check SPF DNS records for domains to verify email sending authorization.

What does SPF Record Checker do?

SPF Record Checker queries DNS TXT records for v=spf1 entries and parses them into structured data. It extracts all SPF mechanisms (include, ip4, ip6, a, mx), the default qualifier (pass, fail, softfail, neutral), redirect domains, included domains, IP ranges, and the DNS lookup count. It also checks whether the record exceeds the 10-lookup limit defined in the SPF specification (RFC 7208).

Use it for email deliverability auditing, security validation, DNS lookup monitoring, or verifying SPF setup before launching email campaigns. The structured output makes it easy to identify overly permissive policies, count DNS lookups, and verify that all authorized senders are included.

Use cases

• Email administrators verifying that SPF records correctly authorize all legitimate sending services
• Deliverability consultants auditing SPF configuration across client domains to improve inbox placement
• Security teams checking that SPF records use strict qualifiers (-all) to prevent unauthorized email sending
• DevOps engineers monitoring SPF DNS lookup counts to ensure records stay under the 10-lookup limit
• Marketing operations validating SPF setup before onboarding a new email service provider

Why use SPF Record Checker?

• Deep SPF parsing — extracts every mechanism, qualifier, include, IP range, and redirect
• Lookup count tracking — reports the number of DNS lookups in the SPF chain, helping you stay under the 10-lookup limit
• Qualifier analysis — identifies the all qualifier (pass, fail, softfail, neutral) to assess policy strictness
• Batch processing — check hundreds of domains in a single run
• Structured output — parsed mechanisms and includes ready for filtering, dashboards, or downstream automation
• Pay-per-event pricing — costs scale with actual usage, just $0.001 per domain checked
• IP range extraction — separately lists authorized IPv4 and IPv6 ranges for network-level analysis

Input parameters

Parameter	Type	Required	Default	Description
domains	string[]	Yes	—	List of domains to check for SPF records. Enter bare domain names (e.g., google.com).

Example input

{
    "domains": ["google.com", "github.com", "example.com"]
}

Output example

Each domain produces one result object with the SPF record presence, parsed mechanisms, includes, IP ranges, qualifier, redirect domain, and DNS lookup count.

Field	Description
domain	The queried domain name
hasSpf	Whether an SPF record was found
record	Full raw SPF record text
version	SPF version (always spf1)
mechanisms	Array of parsed mechanisms with qualifier, type, and value
includes	Domains referenced by include: mechanisms
ipv4Ranges	IPv4 address ranges authorized by ip4: mechanisms
ipv6Ranges	IPv6 address ranges authorized by ip6: mechanisms
allQualifier	The all mechanism qualifier (pass, fail, softfail, neutral)
redirectDomain	Domain referenced by the redirect= modifier
lookupCount	Number of DNS lookups in the SPF chain
error	Error message if check failed

{
    "domain": "google.com",
    "hasSpf": true,
    "record": "v=spf1 include:_spf.google.com ~all",
    "version": "spf1",
    "mechanisms": [
        { "qualifier": "+", "mechanism": "include", "value": "_spf.google.com" },
        { "qualifier": "~", "mechanism": "all", "value": null }
    ],
    "includes": ["_spf.google.com"],
    "ipv4Ranges": [],
    "ipv6Ranges": [],
    "allQualifier": "softfail",
    "redirectDomain": null,
    "lookupCount": 1,
    "error": null
}

How to check SPF records for a domain

1. Go to SPF Record Checker on Apify Store
2. Enter one or more domain names in the domains field (e.g., google.com, github.com)
3. Click Start to run the checker
4. Wait for results -- each domain is checked in seconds
5. Review the output for SPF record details, mechanisms, lookup counts, and qualifiers
6. Download results as JSON, CSV, or Excel, or connect via API

How much does it cost to check SPF records?

SPF Record Checker uses Apify's pay-per-event pricing:

Event	Price	Description
Start	$0.035	One-time per run
Domain checked	$0.001	Per domain checked

Examples:

• 10 domains: $0.035 + 10 x $0.001 = $0.045
• 100 domains: $0.035 + 100 x $0.001 = $0.135
• 1,000 domains: $0.035 + 1,000 x $0.001 = $1.035

Using the Apify API

The Apify API lets you control SPF Record Checker programmatically. Schedule runs, read datasets, manage webhooks, and more. See the Apify API reference for details.

Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: '<YOUR_API_TOKEN>' });
const run = await client.actor('automation-lab/spf-record-checker').call({
    domains: ['google.com', 'github.com'],
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Python

from apify_client import ApifyClient

client = ApifyClient('<YOUR_API_TOKEN>')
run = client.actor('automation-lab/spf-record-checker').call(run_input={
    'domains': ['google.com', 'github.com'],
})
items = client.dataset(run['defaultDatasetId']).list_items().items
print(items)

cURL

curl "https://api.apify.com/v2/acts/automation-lab~spf-record-checker/run-sync-get-dataset-items?token=YOUR_TOKEN" \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"domains": ["google.com", "github.com"]}'

Use with AI agents via MCP

SPF Record Checker is available as a tool for AI assistants via the Model Context Protocol (MCP).

Setup for Claude Code

claude mcp add --transport http apify \
  "https://mcp.apify.com?tools=automation-lab/spf-record-checker"

Setup for Claude Desktop, Cursor, or VS Code

{
    "mcpServers": {
        "apify-spf-record-checker": {
            "url": "https://mcp.apify.com?tools=automation-lab/spf-record-checker"
        }
    }
}

Example prompts

• "Check SPF records for example.com"
• "Verify email authentication SPF setup for these domains"
• "How many DNS lookups does the SPF record for our domain require?"

Learn more in the Apify MCP documentation.

Integrations

Connect SPF Record Checker with other apps and services using Apify integrations. You can integrate with Make, Zapier, Slack, Google Sheets, Google Drive, n8n, and many more. Set up a webhook to receive a Slack alert when an SPF record exceeds the 10-lookup limit or uses a weak +all qualifier, or push results to Google Sheets to track SPF compliance across all your domains.

Tips and best practices

• Watch the lookup count — SPF allows a maximum of 10 DNS lookups; exceeding this limit causes SPF validation to fail (PermError), so monitor lookupCount closely
• Prefer -all over ~all — a hard fail (-all) provides stronger protection than softfail (~all), but make sure all legitimate senders are included first
• Audit after adding services — every time you onboard a new email service (marketing tool, CRM, transactional email), re-check your SPF record to ensure the new include is present and the lookup count is still under 10
• Combine with DMARC Record Checker — SPF alone does not prevent spoofing; use it alongside DMARC for complete email authentication
• Look for redirect vs. include — the redirectDomain field tells you if the SPF record delegates entirely to another domain, which is a different behavior than include

FAQ

What does the allQualifier field mean? The allQualifier indicates what happens to emails that do not match any SPF mechanism. fail (-all) rejects them, softfail (~all) marks them as suspicious, neutral (?all) takes no action, and pass (+all) allows everything (insecure).

What happens when the 10-lookup limit is exceeded? When an SPF record chain requires more than 10 DNS lookups, receiving mail servers return a PermError and SPF validation fails. The lookupCount field helps you detect this before it becomes a deliverability problem.

Can I check SPF records for subdomains? Yes. Enter any subdomain (e.g., mail.example.com) and the actor will check its SPF TXT record. Subdomains can have their own SPF records independent of the parent domain.

What does it mean when hasSpf is false? It means no TXT record containing v=spf1 was found for that domain. Without an SPF record, receiving mail servers cannot verify whether emails sent from your domain are authorized, which may hurt deliverability and leave the domain vulnerable to spoofing.

Can a domain have multiple SPF records? According to the SPF specification (RFC 7208), a domain should have at most one SPF record. Having multiple SPF TXT records is a misconfiguration that can cause validation failures. If multiple records are detected, the actor will report the first one found.

My lookupCount shows 10 or more. What should I do? The SPF specification (RFC 7208) limits DNS lookups to 10 per SPF evaluation. Exceeding this causes a PermError, which means SPF validation fails entirely. To fix this, consolidate include mechanisms, replace includes with direct ip4/ip6 ranges where possible, or use an SPF flattening service to reduce lookup count.

The actor found my SPF record but the allQualifier is null. Is that a problem? A missing all qualifier means the SPF record does not have a catch-all mechanism. While the record will still work for explicitly listed senders, emails from unlisted sources will get a "neutral" result. It is best practice to end every SPF record with -all (hard fail) or ~all (soft fail).

Other DNS and email tools

• DMARC Record Checker -- Check DMARC policies for email authentication
• MX Record Checker -- Look up mail exchange records for any domain
• TXT Record Checker -- Query TXT DNS records
• NS Record Checker -- Look up nameserver records
• CNAME Record Checker -- Check CNAME alias records
• AAAA Record Checker -- Look up IPv6 address records
• DNS Lookup -- General DNS record lookup
• WHOIS Lookup -- Domain registration and ownership data
• SSL Certificate Checker -- Check SSL/TLS certificate validity and expiry