Public email authentication tool

Visualise the SPF record tree for any domain

Expand the full include chain for any domain's SPF record. See every mechanism, lookup depth, IP range, and identified service — and spot problems before they cause deliverability failures.

Talk to JSsec

Full include chain

Recursive expansion of every include and redirect in the SPF record.

Lookup count

Total DNS lookups consumed against the RFC 7208 limit of 10.

IP ranges and services

IP address counts per mechanism and identified sending services.

Run a check

SPF record tree viewer

Enter a domain to visualise its SPF include chain, lookup count, and all resolved mechanisms.

No results yet

Enter a domain above to visualise its SPF include chain, lookup count, and all resolved mechanisms.

Guidance

Understanding SPF records

SPF is a DNS-based email authentication standard. Misconfigurations are common and often invisible until deliverability breaks.

The 10-lookup limit

RFC 7208 limits SPF evaluation to 10 DNS lookups. Each include, a, mx, redirect, and exists mechanism counts toward this limit. Exceeding it causes a PermError, which mail servers may treat as a failure.

Multiple SPF records

Publishing more than one SPF TXT record for a domain is invalid per RFC 7208. Only one record is permitted. Duplicate records cause unpredictable behaviour across receiving mail servers.

Mechanism qualifiers

When is softfail appropriate?

The default qualifier (+) means pass. A softfail (~) allows mail through but may flag it. A fail (-) should cause rejection. A neutral (?) makes no assertion. The all mechanism at the end is the catch-all.

SPF flattening

Learn about SPF flattening

If your record is approaching the lookup limit, SPF flattening replaces include chains with their resolved IP ranges. JSsec can manage this automatically so your record stays valid as your senders change.

Also consider

More JSsec services

DMARC and BIMI Checker

Check DMARC enforcement posture, BIMI record presence, logo readiness, and certificate validity.

Email Authentication

Hands-on support publishing and maintaining DMARC, SPF, DKIM, BIMI, and related email trust controls.

Website Monitoring

Continuous detection across public-facing assets and suspicious infrastructure.