Skip to content
Hunto AI Hunto AI Knowledge Base

SPF explorer

What is This Tool For?

The SPF Explorer is designed to give you a clear, visual map of who is authorized to send emails on behalf of your domain. A properly configured Sender Policy Framework (SPF) record is essential for preventing email spoofing and ensuring your legitimate emails reach the inbox. This tool helps you check your record for errors, audit all authorized third-party services, and understand your email infrastructure.

Step 1: How to Access the SPF Explorer

Section titled “Step 1: How to Access the SPF Explorer”

Before you can use the tool, you need to know where to find it. Follow these simple steps:

  1. Log in to the platform and navigate to the DMARC module from the main menu.
  2. Once you are in the DMARC module, look at the side navigation menu on the left.
  3. Click on the Tools section in that menu.
  4. From the options that appear, select SPF Explorer.

You have now arrived at the tool’s main page.

Step 2: Performing a Quick Health Check

Section titled “Step 2: Performing a Quick Health Check”

The first thing you’ll see is a search bar. This is where you can perform a quick health check on any domain.

  1. Enter the domain name you wish to investigate into the search bar (e.g., yourcompany.com) and press Enter.
  2. A summary card will immediately appear. This card provides two vital pieces of information:
    • Record Validity: A clear statement on whether the domain’s SPF record is set up correctly.
    • DNS Lookups: A count of how many DNS queries are needed to check the record. This is critical because SPF records are limited to 10 lookups. If a record exceeds this limit, it fails validation. This summary tells you instantly if you are safely under the limit.

Step 3: Diving Deep with the SPF Record Lookup Tree

Section titled “Step 3: Diving Deep with the SPF Record Lookup Tree”

If you want to see the full details behind the summary, the visual lookup tree is your next stop.

  1. Right beside the “Summary” tab, click on the tab labeled “SPF Record Lookup.”
  2. This will display an interactive, visual “family tree” of your SPF record. At the top is your domain, with branches showing every service it authorizes via include statements.
  3. To explore the tree:
    • Click the small arrows next to any include to expand it. This will reveal the specific services or IP addresses (ip4/ip6) that are given permission. For example, expanding _spf.google.com will show you all the Google servers authorized to send mail.
    • This visual map makes it easy to audit every single approved sender.

Step 4: Connecting Permissions to Real-World Email Traffic

Section titled “Step 4: Connecting Permissions to Real-World Email Traffic”

The most powerful feature of the explorer is its ability to show you not just who can send email, but who is sending email.

  1. As you navigate the Lookup Tree, look at the data columns next to each entry (e.g., Total, SPF, DKIM).
  2. These numbers represent the actual volume of email received from that source, according to your DMARC reports.
  3. How to use this information:
    • Spot legacy services: If you see an authorized sender in the tree with “0” total emails, it could be a service you no longer use. Removing it can help you stay under the 10-lookup limit.
    • Identify unexpected traffic: If a service is sending far more or less email than you expect, it may signal a misconfiguration or a need to review that service’s function.

By following these steps, you can move from a simple check to a full, data-driven audit of your email-sending infrastructure, ensuring it is both secure and correctly configured.