Trouble with email deliverability? Curious what email servers are allowed to send for a (or your) domain? Find out here how to check and interpret the SPF email records on any domain.
First, We Want Cynical Coffee
The Ancient Greek philosopher and epitome of cynicism Diogenes was famously known to live in a barrel or drum.
He shared this predilection with the best coffees, of course, at least for a while. While air roasting quickly and cheaply scars the delicate beans and can lead to bitter coffee, roasting in a rotating drum grants an even and delicious roast slowly.
That’s what I hear from aficionados at least, so I demand nothing less than cynically roasted coffee.
Now, before I wonder what the cynics, never shy to criticize what they saw as cultural decadence, would have to say about that coffee preference, let’s see what any domain may demand for those who send email under its name:
How to Check and Interpret the SPF Email Records on a Domain
Retrieve SPF Records Using Windows, Mac and Linux
Time needed: 5 minutes
To retrieve the SPF (Sender Policy Framework) records for any domain:
- Open the console or terminal application on your computer.
Windows: Open PowerShell or Command Prompt in the Windows Start menu.
Mac: Open Terminal.
Linux: Open your favorite terminal application.
No terminal: See below for checking a domain’s SPF records using the web.
Which domain: Check SPF records for the SMTP From header to mimic what an email server would do. - Type the command to query the domain’s TXT DNS records.
Windows command prompt: Type
nslookup -type=TXT <domain> | find "v=spf".
Windows PowerShell: Typenslookup -q=TXT <domain> | find `"v=spf`".
Mac and Linux: Typedig +short -t TXT <domain> | grep 'v=spf'.
The domain: Replace <domain> with the domain whose SPF records you wish to look up.
Example: Usedig +short -t TXT ladedu.com | grep 'v=spf'to check SPF for the Domain ladedu.com on a Mac.
- Press Enter.
- Find the SPF text entry for the domain in the response.
Nothing to show: If you get no result, the domain has no SPF record.
What it all means: See below for interpreting the SPF entry.
Retrieve SPF Records on the Web
To look up the SPF TXT record for a domain using web-based DNS retrieval:
- Visit a site that lets you look up TXT records for domain names or SPF records specifically.
Examples: Tools that include and filter SPF records specifically include NSlookup.io, MX Toolbox and DNS Checker. - Look up the TXT or SPF records for the domain and analyze them as below.
How to Interpret SPF Records
The SPF record for a domain consists of a few distinct elements. The more common elements appear highlighted below.
SPF Version Specification
The record must start with the version specification; for now, there is only SPF Version 1.
v=spf1Email Origins and Their Handling
After the version information comes the meat of any SPF record, a number of possible email origins and directions for treating them. The possible origins are:
| Origin | Meaning |
|---|---|
a | Corresponds to the A DNS record for the domain; that is the IP address that a browser will access when you open the web page for the domain, for example. |
mx | Corresponds to the MX DNS records or records for the domain; this maps to the email servers if you want to send messages to an address at the domain. |
ip4 | A distinct IPv4 address or a range of these addresses (using a subnet mask) |
ip6 | An IPv6 address or address range |
include | Refers to the SPF record for the specified domain and includes them in the current policy |
all | Matches for every email origin |
exists | Sets up a macro that constructs a domain name using elements from the email connection (e.g., the SMTP sender’s user name or connecting domain). The domain is then looked up in DNS. If it exists, the entry matches. |
The instructions for treating connections are prefixes to the origins with the following options:
| Treatment | Meaning |
|---|---|
+ | Pass (the default if no other treatment is specified): the email connection is allowed |
- | Fail: the email connection is from an unauthorized sender and should not be allowed |
~ | Softfail: the email connection is unauthorized, emails should still be allowed but possible flagged |
? | Neutral: the email connection should be treated as if not SPF record existed |
In addition, two optional elements are possible:
| Element | Meaning |
|---|---|
redirect | Specifies a domain whose SPF record should be used when no origin elements apply. This is mutually exclusive with all (since that would mean either of those never applied). |
exp | This can point to a domain whose TXT record gives an error message or explanation to the (failing) email sender in lieu of the standard message. |
The origin elements are checked from left to right for the first match. Consequently, all (or redirect) must be the last and rightmost element in the list.
You can find all options for the exists clause in the email standards document for SPF, RFC 7208.
How to Check and Interpret the SPF Email Records on a Domain: Examples
v=spf1 include:spf.stackmail.com include:spf.mcsv.net ip4:185.151.30.147 a mx -allAllows mail
- from the individual IP address 185.151.30.147
- from the IP address that corresponds to the MX record for ladedu.com
(i.e., mx.stackmail.com, which is 185.151.28.67) - from the A record for ladedu.com
(i.e., 104.21.25.23 and 172.67.222.9) - from senders allowed in the SPF record for the domain spf.stackmail.com and
- from senders allowed in the SPF record for the domain spf.mcsv.net.
Disallows
- all other connections.
v=spf1 redirect=_spf.mail.example.comDefers to the SPF record for the domain _spf.mail.example.com
v=spf1 exists:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~allAllows mail if the domain derived from the rule exists:
- the reverse IP address from which the email is submitted
Example:185.151.30.147becomes147.30.151.185. - in-addr for connecting IPv4 addresses, ip6 for IPv6 addresses and
Example:in-addr. - the policy’s domain.
Full example:147.30.151.185.in-addr._spf.mail.example.com.spf.has.pphosted.com
Everything else is treated as a soft fail.
(How to check and interpret SPF email records on a domain updated April 2024)