SPF Explorer
SPF Explorer
What is the SPF Explorer?
The SPF Explorer is a visual tool that shows you exactly who is authorised to send email on behalf of your domain. It resolves your SPF record's full chain of includes — showing every authorised IP address, mail server, and third-party service — in a single, readable view.
Use it to validate your SPF record is correct, identify errors before they cause delivery problems, and audit which external services are authorised to send from your domain.
Why SPF records need regular auditing
An SPF record that started clean can drift over time:
- New services get added (a new marketing tool, CRM, or support platform) without the SPF record being updated
- Old services that you no longer use remain authorised (a security risk)
- Includes pile up and push you toward the 10-lookup limit, causing failures
The SPF Explorer makes this audit easy.
Reading the Explorer
Root record
Shows your raw SPF record as published in DNS. If this line has errors (syntax mistakes, too many lookups), it will be highlighted.
Include tree
The Explorer resolves every include: and redirect= in your SPF record and displays the full tree of authorised senders. Each node shows:
- IP ranges — the actual IP addresses authorised to send
- Service name — what each include resolves to (e.g., Google Workspace, Mailchimp, Sendgrid)
- Lookup count — how many DNS lookups this chain uses (maximum is 10 per email)
Status indicators
- ✅ Valid — this include resolves correctly and is within limits
- ⚠️ Warning — approaching lookup limit, or contains deprecated records
- ❌ Error — this include is broken, doesn't exist, or causes the record to exceed 10 lookups
The 10-lookup limit
This is the most common cause of SPF failures for established organisations. Every include:, a:, mx:, and redirect= in your SPF record costs one lookup. When a receiving mail server evaluates your SPF record and hits 10 lookups before finishing, it treats the result as PermError — and the email fails SPF.
What to do if you're over the limit:
- Remove includes for services you no longer use
- Replace multiple include chains with flattened IP ranges where possible
- Consider an SPF flattening service that automatically consolidates your record
Common SPF issues and fixes
| Issue | Symptom | Fix |
|---|---|---|
| Missing service | A sending service fails SPF | Add include:sending-service.com to your SPF record |
| Lookup limit exceeded | Emails fail with PermError |
Remove unused includes; flatten IP ranges |
| Syntax error | Record doesn't parse | Check for spaces, missing mechanisms, or invalid characters |
| Too many IP ranges | Record is very long | Consolidate ranges; review if all are still needed |
-all too strict |
Legitimate emails failing | Change to ~all (softfail) while diagnosing, then back to -all once fixed |
SPF record best practices
- End with
-all(hard fail) once you're confident all legitimate senders are included — this rejects email from all unlisted sources - Use
~all(softfail) during setup and diagnosis — softfail marks emails as suspicious rather than rejecting them - Audit the record quarterly — services change, and your SPF record should keep up
- Keep the record under 255 characters per string and under 10 lookups