SPF CHECKER // DNS AUTH
SPF Checker: Validate Your Record and Catch the 10-Lookup Limit
Most broken SPF records look fine to the naked eye: the syntax parses, but an eleventh DNS lookup silently voids the whole thing. The Inboxes SPF checker validates the record, counts every lookup, and then keeps watching it so a passing record stays passing.
Inbox placement
67%
··%
· ·
Authentication
checking 130+ blacklists
Sample data. Seed results are estimates, not guarantees.
What is a spf checker?
An SPF checker validates the DNS record that tells mailbox providers which servers may send email for your domain. Inboxes checks the record itself: valid v=spf1 syntax, exactly one record published, a sensible ~all or -all terminator. It counts DNS lookups against the hard 10-lookup limit that silently breaks many records (a permerror at the receiver, often invisible to the sender), flags missing includes for ESPs you actually send through, and verifies SPF alignment, since DMARC needs your Return-Path domain to match your From domain. Then it keeps watching: when a nested include starts failing or a new sending service appears unauthorized, you get an alert instead of a quiet slide into spam. SPF passing does not by itself earn the inbox; placement still depends on reputation and content, and seed results remain directional estimates.
// example SPF readout for example.com
example.com. 3600 IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.25 ~all" lookups: 8 of 10 | records found: 1 | alignment: pass (relaxed)
One record, under the 10-lookup limit, with every active sending service included.
What you get
Spf checker, done properly
The 10-lookup limit, counted
Every include, a, mx, and redirect mechanism costs a DNS lookup, nested ones included. The checker resolves the whole tree and shows your count against the limit of 10.
Missing includes surfaced
Placement tests read your real headers, so when mail arrives from a service your record never authorized, the gap is named: the exact include to add.
Alignment, not just pass
SPF can pass on your ESP's bounce domain and still fail DMARC alignment. The checker evaluates both, because providers judge the pair together.
A record watched, not a one-off
Your record depends on other people's DNS. When an ESP restructures its include or a lookup starts timing out, monitoring flags it within hours.
How it works
From send to fix list in four steps
Point the checker at your domain
Inboxes fetches your SPF record, resolves every nested include, and renders the full readout.
Review the findings
Syntax issues, duplicate records, lookup count, unsafe +all terminators, and includes for services you no longer use.
Cross-check with real sends
Placement tests confirm the record works in practice: spf=pass, aligned, at every seed mailbox.
Leave monitoring on
The record and its lookup tree are re-checked continuously, with alerts the moment either breaks.
The honest boundary: seed results are directional estimates and nobody can guarantee inbox placement. Inboxes finds the fixable causes, tells you exactly what to change, and monitors the result. No warmup networks, no bot opens, ever. Full detail on the methodology page.