SPF Record Checker

What to check after SPF is published

SPF mistakes usually happen when teams add a new sender but forget to update DNS, or when two vendors each ask for their own SPF record and both get published. Mailbox providers expect one SPF record per domain. If there are two records that start with v=spf1, SPF can fail even if each individual record looks reasonable.

After entering a domain, review the raw record and the mechanisms. include: mechanisms usually point to external sending platforms. ip4: and ip6: authorize fixed sending infrastructure. mx authorizes the domain's mail exchangers. The final policy, often -all or ~all, tells receivers how strongly to treat mail from unlisted systems.

If the checker finds no SPF record, do not assume the domain is ready to send. Build a record with the SPF record generator, publish it as a TXT record, and test again after DNS propagation. If the record exists but a legitimate platform is missing, add that sender before launching a campaign.

SPF checks should be part of every sender change

Any new email service can change your authentication footprint. A newsletter platform, CRM, helpdesk, ecommerce notification app, or sales sequencer may send from your domain. When that happens, SPF should be reviewed alongside DKIM and DMARC. This keeps the sender identity consistent across inbox providers.

SPF does not prove the address list is clean. If you are preparing a launch, verify recipients as well. Use the email health check for a domain-level review and the bulk verification workflow for larger CSV lists. Authentication helps mail be trusted; list hygiene helps keep bounces and negative engagement under control.

Operational SPF checklist before a campaign

Before sending to a large list, check the sending domain and any dedicated subdomain. Confirm there is one SPF record, every active sender is listed, and unused vendors are removed. If a CRM or marketing platform sends from a branded subdomain, check that subdomain separately instead of assuming the root domain covers it.

Next, compare the SPF record against the actual campaign path. If your campaign goes through a sales engagement platform, that platform needs to be authorized. If product notifications go through a transactional provider, that provider needs to be authorized too. Keeping this list current prevents last-minute deliverability surprises when a team changes tools.

Finally, check the recipient list. SPF tells mailboxes that your sender is authorized; it does not remove invalid addresses from an export. For CRM, newsletter, or prospecting lists, verify the file before the send and re-check bounce results after the campaign. Under 3% bounce rate is healthy, 3-5% needs cleanup, and above 5% is high risk.

For shared domains, make this checklist part of sender onboarding. When sales, marketing, support, and product teams all use the same brand domain, a forgotten sender can affect everyone. A short SPF review before launch is much cheaper than diagnosing authentication failures after a campaign has already sent.