Validate an existing SPF or DMARC record for errors and weaknesses, or build a correct one for your email providers with copy-ready values and DNS instructions. Record parsing runs in your browser; validating SPF includes queries public DNS resolvers.
Use the Validator to inspect a record you already have, or the Generator to create one from scratch.
A single misconfigured record can silently let attackers spoof your domain or block your own mail. Our IT security audit validates SPF, DKIM, and DMARC across every sending source and hardens your policy safely.
SPF lists which servers may send mail for your domain. DKIM cryptographically signs messages so recipients can verify they were not altered. DMARC ties the two together, tells receivers what to do when a message fails, and sends you reports. All three are needed for strong email authentication.
To prevent abuse and excessive load, RFC 7208 caps the number of DNS-querying mechanisms (include, a, mx, ptr, exists, redirect) at 10. Exceed it and SPF returns a permerror, which many receivers treat as a failure. Nested includes from mail providers are the usual cause, so the validator resolves them and counts the true total.
Start at p=none to monitor and read the aggregate reports without affecting delivery. Once legitimate senders pass, move to p=quarantine, then to p=reject for full protection. p=none left in place indefinitely provides no protection against spoofing.
The generator and record parsing run entirely in your browser. When validating an SPF record with includes, the tool queries public DNS-over-HTTPS resolvers for the included domains only, so it can count the real number of DNS lookups. Nothing is stored on our servers.