Email Authentication

Email Deliverability Checker

Validate SPF, DKIM, and DMARC records. Diagnose why emails land in spam.

Email Deliverability — SPF, DKIM, and DMARC Explained

Email authentication records are the three-legged stool of deliverability. Missing any one of them increases the chance of your emails being rejected or filtered as spam by Gmail, Outlook, and other providers.

SPF — Who Can Send

SPF (Sender Policy Framework) is a DNS TXT record listing the IP addresses and mail servers authorised to send email for your domain. A missing or overly permissive SPF record (+all) means anyone can spoof your domain. Use -all for strict rejection of unauthorised senders.

DKIM — Cryptographic Signing

DKIM adds a cryptographic signature to every outgoing email. The public key lives in DNS at selector._domainkey.yourdomain.com. Receiving servers verify the signature to confirm the email was not altered in transit and genuinely came from your infrastructure.

DMARC — Policy Enforcement

DMARC tells receiving servers what to do with mail that fails authentication, meaning neither SPF nor DKIM passes for a domain aligned with the From: address: p=none (monitor only), p=quarantine (spam folder), or p=reject (block outright). It also enables aggregate reports (rua=) so you can see who is sending email on your behalf.

The 10-Lookup Limit

SPF records are limited to 10 DNS lookups during evaluation. Exceeding this causes a PermError and may result in email rejection — common with complex include: chains from multiple email providers.
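
The lookup budget and the all qualifier can both be checked statically before a record is published. The following is an added example, not this tool's own code: audit_spf is a hypothetical helper, the domains and TXT records are constructed, and the count is the worst case in which every term is evaluated (a real evaluator stops at the first matching mechanism).

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records (hypothetical domains) standing in for live DNS.
SAMPLE_TXT = {
    "shop.test": "v=spf1 mx a include:_spf.mailer.test include:_spf.crm.test "
                 "include:_spf.desk.test ~all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test "
                        "include:_c.mailer.test ~all",
    "_a.mailer.test": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_b.mailer.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_c.mailer.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.test": "v=spf1 a:out.crm.test mx:crm.test exists:%{i}.allow.crm.test -all",
    "_spf.desk.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "open.test": "v=spf1 +all",
    "tight.test": "v=spf1 mx ip4:192.0.2.10 -all",
}

def audit_spf(domain, txt, path=()):
    """Return (lookups, findings), counting every term (the worst case)."""
    record = txt.get(domain, "").lower()
    if record.split()[:1] != ["v=spf1"]:
        return 0, [f"{domain}: no SPF record"]
    if domain in path:
        return 0, [f"{domain}: include loop"]
    lookups, findings, all_q = 0, [], None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is '+'
        name, _, arg = re.match(r"([a-z0-9]*)([:=/]?)(.*)", term.lstrip("+-~?")).groups()
        if name in LOOKUP_TERMS:  # ip4, ip6 and all cost no DNS lookup
            lookups += 1
        if name in ("include", "redirect") and arg:  # nested records share the budget
            sub, sub_findings = audit_spf(arg, txt, path + (domain,))
            lookups, findings = lookups + sub, findings + sub_findings
        if name == "all":
            all_q = qualifier
    if not path:  # policy and limit checks apply only to the audited domain's own record
        if all_q == "+":
            findings.append(f"{domain}: +all authorises any sender")
        elif all_q != "-":
            findings.append(f"{domain}: does not end in -all")
        if lookups > LOOKUP_LIMIT:
            findings.append(f"{domain}: {lookups} lookups, PermError (limit {LOOKUP_LIMIT})")
    return lookups, findings
```

On the constructed shop.test record, three provider includes plus mx and a add up to 11 lookups, one over the limit, even though the top-level record contains only five lookup-causing terms.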