SPF Record Checker
Inspect Sender Policy Framework (SPF) records on target domains to audit authorized mail servers and detect spoofing vulnerabilities.
This interactive client-side tool is part of the NervLink Cybersecurity Suite. All analysis is verified entirely inside the local browser sandbox for maximum safety and data privacy compliance.
How It Works
- Provide a target domain hostname.
- The tool fetches TXT records matching the v=spf1 version specifier.
- The policy structure, include chains, and active IP/CIDR ranges are parsed and checked for syntax compliance.
Primary Use Cases
- Validating which IP addresses and subnets are authorized to send email for a domain.
- Detecting malformed or invalid SPF configurations that break email delivery.
- Auditing third-party email provider inclusion lists.
Common Security Pitfalls
- Creating multiple SPF TXT records on a single domain (which invalidates SPF validation completely).
- Exceeding the limit of 10 recursive DNS lookups inside the SPF include mechanisms.
Frequently Asked Questions
- What is the difference between ~all and -all?
- ~all specifies a SoftFail (emails failing check are marked/flagged but accepted), while -all specifies a HardFail (emails failing check should be rejected outright).
- What is the 10 DNS lookup limit?
- SPF specifications restrict policy evaluation to a maximum of 10 recursive DNS lookups (caused by includes, mx, a, exists redirects) to prevent DDoS abuse on name servers.
References & Standards