
SPF Lookups

When publishing SPF records on your DNS, you might encounter some issues. Here’s how you can avoid invalidating your SPF record.

Common Mistakes with SPF Records

Getting your SPF record right can be tricky, but it's important that you do: if your record is invalidated, you risk losing email deliverability.

  • Invalid macros

    SPF macros are a feature that allows you to create dynamic SPF policies for your domain, making more advanced SPF processing routines like conditional lookups possible. An invalid macro could make your SPF record itself invalid.

     

  • Missing record termination

    All SPF records need to have a default ‘fallback’ mechanism. This often takes the shape of an ‘all’ mechanism or a ‘redirect’ modifier. You need to ensure you have one of these in your record or you risk invalidating the whole thing.

  • Using DNS type ‘SPF’

    The DNS type ‘SPF’ was introduced in 2006, but by today’s standards, it’s become totally obsolete. All SPF records have to be published as a DNS TXT Resource Record.

  • Using uppercase letters

    Although it’s not a strict requirement, it’s email security best practice to publish your SPF record in all lower case letters. 

  • Multiple SPF records in DNS

    You can only have one SPF record in DNS for each SPF version. If you publish multiple SPF records (v=spf1), you’ll end up invalidating your record. Always update your current SPF record and do not add a new record alongside the existing one.

     

  • Using the PTR mechanism

    The PTR mechanism has been deprecated due to its slowness and lack of reliability, and pretty much no one uses it anymore. In fact, many senders may even ignore your SPF record if you use this.

  • Unknown parts in SPF record

    If you use any content or components that aren’t a mechanism, modifier or qualifier, they won’t be recognized by receiving email servers. Anything like this would have to be removed immediately.

  • Using the +all mechanism

    When you use the ‘all’ mechanism with the ‘+’ qualifier, you’re basically allowing anyone to send email on your behalf. That’s because the record will first try to match the sending source to another mechanism. If this fails, the default behavior is to still allow this source. You can see why this sort of setup is discouraged.
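A small linter for the mistakes listed above, added here as an example (it is not the checker tool this page describes). It assumes the domain's TXT strings have already been fetched; `lint_spf`, `SAMPLE_TXT` and the issue labels are hypothetical names.

```python
import re

# Mechanisms and modifiers defined for SPF version 1 (RFC 7208).
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
# Valid macro expansions: %{letter[digits][r][delimiters]}, plus %%, %_ and %-.
MACRO = re.compile(r"%(?:\{[slodiphcrtv]\d*r?[.\-+,/_=]*\}|[%_-])", re.I)
# Constructed sample input: TXT strings as a DNS lookup would return them.
SAMPLE_TXT = ["v=spf1 ptr MX foo:bar %{z} +all", "v=spf1 -all"]

def lint_spf(txt_records):
    """Return a sorted list of issue labels for one domain's TXT records."""
    spf = [r for r in txt_records if (r.lower() + " ").startswith("v=spf1 ")]
    if not spf:
        return ["no-spf-record"]
    issues = set()
    if len(spf) > 1:
        issues.add("multiple-spf-records")
    record = spf[0]  # lint the first record; the duplicate is already flagged
    if record != record.lower():
        issues.add("uppercase-letters")
    terminated = False
    for term in record.split()[1:]:
        # Any '%' left after removing valid macros is a malformed macro.
        if "%" in MACRO.sub("", term):
            issues.add("invalid-macro")
        lowered = term.lower()
        mod = re.match(r"([a-z][a-z0-9_.-]*)=", lowered)
        if mod:
            if mod.group(1) == "redirect":
                terminated = True
            elif mod.group(1) not in MODIFIERS:
                # Flagged per the advice above; RFC 7208 receivers ignore these.
                issues.add("unknown-part")
            continue
        qualifier = lowered[0] if lowered[0] in "+-~?" else ""
        name = re.split(r"[:/]", lowered[len(qualifier):], maxsplit=1)[0]
        if name not in MECHANISMS:
            issues.add("unknown-part")
        elif name == "ptr":
            issues.add("ptr-mechanism")
        elif name == "all":
            terminated = True
            if qualifier in ("", "+"):  # a bare 'all' defaults to '+all'
                issues.add("plus-all")
    if not terminated:
        issues.add("missing-termination")
    return sorted(issues)
```

The obsolete DNS type ‘SPF’ is not covered, because that check depends on which record type was queried rather than on the record text.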

SPF Record Checker

By entering your organization’s domain name and clicking on ‘Lookup SPF’, you’ll be able to see if your domain has an SPF record or not. Naturally, this record would have to be published on your DNS for our tool to find it.