How to Check the SPF Email Records on a Domain

Check the SPF Email Records on a Domain

Trouble with email deliverability? Curious what email servers are allowed to send for a (or your) domain? Find out here how to check and interpret the SPF email records on any domain.

First, We Want Cynical Coffee

The Ancient Greek philosopher and epitome of cynicism Diogenes was famously known to live in a barrel or drum.

He shared this predilection with the best coffees, of course, at least for a while. While air roasting quickly and cheaply scars the delicate beans and can lead to bitter coffee, roasting in a rotating drum grants an even and delicious roast slowly.

That’s what I hear from aficionados at least, so I demand nothing less than cynically roasted coffee.

Now, before I wonder what the cynics, never shy to criticize what they saw as cultural decadence, would have to say about that coffee preference, let’s see what any domain may demand for those who send email under its name:

How to Check and Interpret the SPF Email Records on a Domain

Retrieve SPF Records Using Windows, Mac and Linux

Time needed: 5 minutes

To retrieve the SPF (Sender Policy Framework) records for any domain:

  1. Open the console or terminal application on your computer.

    Windows: Open PowerShell or Command Prompt in the Windows Start menu.
    Mac: Open Terminal.
    Linux: Open your favorite terminal application.
    No terminal: See below for checking a domain’s SPF records using the web.
    Which domain: Check SPF records for the SMTP From header to mimic what an email server would do.

  2. Type the command to query the domain’s TXT DNS records.

    Windows command prompt: Type nslookup -type=TXT <domain> | find "v=spf".
    Windows PowerShell: Type nslookup -q=TXT <domain> | find `"v=spf`".
    Mac and Linux: Type dig +short -t TXT <domain> | grep 'v=spf'.
    The domain: Replace <domain> with the domain whose SPF records you wish to look up.
    Example: Use dig +short -t TXT | grep 'v=spf' to check SPF for the Domain on a Mac.
    Checking SPF records for a domain on a Mac

  3. Press Enter.

  4. Find the SPF text entry for the domain in the response.

    Nothing to show: If you get no result, the domain has no SPF record.
    What it all means: See below for interpreting the SPF entry.
    Check SPF records for a domain on Winduws using nslookup

Retrieve SPF Records on the Web

To look up the SPF TXT record for a domain using web-based DNS retrieval:

  1. Visit a site that lets you look up TXT records for domain names or SPF records specifically.
    Examples: Tools that include and filter SPF records specifically include, MX Toolbox and DNS Checker.
  2. Look up the TXT or SPF records for the domain and analyze them as below.

How to Interpret SPF Records

The SPF record for a domain consists of a few distinct elements. The more common elements appear highlighted below.

SPF Version Specification

The record must start with the version specification; for now, there is only SPF Version 1.


Email Origins and Their Handling

After the version information comes the meat of any SPF record, a number of possible email origins and directions for treating them. The possible origins are:

aCorresponds to the A DNS record for the domain; that is the IP address that a browser will access when you open the web page for the domain, for example.
mxCorresponds to the MX DNS records or records for the domain; this maps to the email servers if you want to send messages to an address at the domain.
ip4A distinct IPv4 address or a range of these addresses (using a subnet mask)
ip6An IPv6 address or address range
includeRefers to the SPF record for the specified domain and includes them in the current policy
allMatches for every email origin
existsSets up a macro that constructs a domain name using elements from the email connection (e.g., the SMTP sender’s user name or connecting domain). The domain is then looked up in DNS. If it exists, the entry matches.

The instructions for treating connections are prefixes to the origins with the following options:

+Pass (the default if no other treatment is specified): the email connection is allowed
-Fail: the email connection is from an unauthorized sender and should not be allowed
~Softfail: the email connection is unauthorized, emails should still be allowed but possible flagged
?Neutral: the email connection should be treated as if not SPF record existed

In addition, two optional elements are possible:

redirectSpecifies a domain whose SPF record should be used when no origin elements apply. This is mutually exclusive with all (since that would mean either of those never applied).
expThis can point to a domain whose TXT record gives an error message or explanation to the (failing) email sender in lieu of the standard message.

The origin elements are checked from left to right for the first match. Consequently, all (or redirect) must be the last and rightmost element in the list.

You can find all options for the exists clause in the email standards document for SPF, RFC 7208.

How to Check and Interpret the SPF Email Records on a Domain: Examples

v=spf1 ip4: a mx -all

Allows mail

  • from the individual IP address
  • from the IP address that corresponds to the MX record for
    (i.e.,, which is
  • from the A record for
    (i.e., and
  • from senders allowed in the SPF record for the domain and
  • from senders allowed in the SPF record for the domain


  • all other connections.

Defers to the SPF record for the domain

v=spf1 exists:%{ir}.%{v}.%{d} ~all

Allows mail if the domain derived from the rule exists:

  • the reverse IP address from which the email is submitted
    Example: becomes
  • in-addr for connecting IPv4 addresses, ip6 for IPv6 addresses and
    Example: in-addr.
  • the policy’s domain.
    Full example:

Everything else is treated as a soft fail.

(How to check and interpret SPF email records on a domain updated April 2024)

Home » Email Tips and Resources » How to Check the SPF Email Records on a Domain