Free tool
SPF Checker.
Check your domain's SPF record in seconds. See whether it is present, valid and set to a hard fail, along with DKIM and DMARC, and get plain-English findings you can act on.
Instant results
No waiting, no signup
Lookup limit checked
Flags the ten-lookup cap
DKIM and DMARC too
All three protocols
Microsoft 365 aware
Checks the M365 include
What it does
What an SPF record actually does.
SPF is a single DNS TXT record listing every server allowed to send email as your domain. When a receiving server gets an email claiming to be from you, it reads your SPF record and checks whether the sending server is on the list. If it is not, the record's policy tells the server what to do. It is the first of the three email authentication controls, and the one most domains get partly right and partly wrong.
The two things that catch businesses out are the ending and the lookup limit. A record ending in -all rejects unlisted senders, which is what you want, but only once every real sender is included. And SPF allows just ten DNS lookups; add Microsoft 365, a CRM and a mail tool and you can quietly exceed it, which breaks the record with a permerror. The checker above flags both.
Why it matters
The first line against spoofing
Without SPF, any server on the internet can send email that appears to come from your domain, and receiving servers have no way to tell it is not you. That is the gap invoice fraud and impersonation scams rely on. SPF closes the first part of it by defining exactly who is allowed to send as you.
SPF alone does not stop a forged from address, which is why it works alongside DKIM and DMARC. But a correct SPF record with a hard fail is the foundation the other two build on, and it is the first thing to get right.
How to set it up
Getting it right
- 1. List every sender. Include every service that sends email as your domain: Microsoft 365, your CRM, marketing and accounting tools.
- 2. Watch the ten-lookup limit. Consolidate includes where you can. Exceeding ten lookups breaks the record.
- 3. End with a hard fail. Once you are sure every real sender is listed, end the record in -all so unlisted senders are rejected.
- 4. Add DKIM and DMARC. SPF is the foundation. Layer DKIM signing and a DMARC policy on top for full protection.
Also worth checking: DMARC checker, DKIM checker, or the full email security checker.
Common questions
SPF, answered.
Want SPF, DKIM and DMARC configured properly rather than just checked? Book a Microsoft 365 security review. No obligation.
Book a review →What is an SPF record?
SPF (Sender Policy Framework) is a DNS TXT record that lists every mail server allowed to send email from your domain. When your email reaches a recipient's server, that server checks your SPF record to confirm the sending server is on the approved list. Without SPF, anyone can send email pretending to be from your domain, which is how a lot of phishing and invoice fraud starts.
What does -all mean, and how is it different from ~all?
The last term in an SPF record tells receiving servers what to do with email from servers not on your list. -all is a hard fail, which tells them to reject that email. ~all is a soft fail, which usually means deliver but mark as suspicious. A hard fail (-all) gives the strongest protection, but only use it once you are certain every legitimate sender is included, or you risk blocking your own email.
How many DNS lookups can an SPF record have?
SPF is limited to ten DNS lookups. Each include or redirect in your record counts, and it is easy to exceed the limit once you add several services (Microsoft 365, a CRM, a marketing tool, an accounting platform). Going over ten lookups causes SPF to fail with a permerror, which quietly breaks your protection. The checker above flags this so you can fix it before it causes deliverability problems.
Do I need DKIM and DMARC as well?
Yes. SPF on its own is a good start, but it does not stop an attacker forging the visible from address. DKIM adds a cryptographic signature, and DMARC ties SPF and DKIM together with a policy and reporting. The three work as a set. The checker looks at all three so you can see the full picture rather than just one piece.
What does an SPF record for Microsoft 365 look like?
If you send email through Microsoft 365, your SPF record needs to include Microsoft's sending infrastructure, usually with include:spf.protection.outlook.com. If that include is missing, Microsoft 365 email can fail SPF at the receiving end and land in spam or get blocked. The checker is aware of Microsoft 365 and will tell you if the include is missing.
Is this SPF checker free?
Yes, the checker is free and needs no signup. If you want SPF, DKIM and DMARC configured and tested properly for your domain rather than just checked, IronSights does that as part of a Microsoft 365 security review. No obligation to go further after using the tool.