Paste any domain. Scorifya resolves the SPF TXT record, walks each include, counts DNS lookups, and flags patterns that quietly break alignment.
Free tool
An SPF record at v=spf1 +all is effectively no SPF at all — it authorizes the entire internet. An SPF record with too many include: lookups silently fails the 10-lookup limit. The SPF checker resolves your record, walks the includes, counts lookups, and flags the patterns that quietly break alignment.
Paste a domain (or any URL — Scorifya extracts the apex). The scan resolves your SPF TXT record, walks each include, counts the resulting DNS lookups, and reports any over-limits, syntax issues, or weak qualifiers like +all. SPF sits inside the broader 0–100 hardening score alongside DKIM, DMARC, and the rest of your public posture.
This page is written for people searching for SPF checker—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — SPF missing
Web posture is good but no SPF record exists. Receiving servers can't verify your MAIL FROM, and DMARC has only DKIM to align with.
SPF record missing
Publish at least v=spf1 -all if you don't send mail at all, or list your senders explicitly. See /checks/dns_spf_missing.
DMARC missing
DMARC and SPF go together. Once SPF is in place, publish DMARC at p=none with reporting.
Example B — SPF present, near lookup limit
SPF resolves correctly and -all is set, but the lookup count is at 9/10. One more include from a new vendor and SPF will permanently fail.
SPF lookup count near limit
Flatten your SPF record (resolve includes manually into IP ranges) or move some senders to use DKIM-only alignment.
DMARC at p=quarantine
Move on to p=reject after aggregate reports show legitimate senders aligning consistently.
Use -all (hard fail), not ~all (soft fail)
-all tells receivers to reject unauthorized senders. ~all tells them to mark the message as suspicious, which most large mailbox providers ignore in practice.
Stay under the 10-DNS-lookup limit
Each include: counts. If you're near 10, flatten the record (resolve includes into ip4:/ip6: ranges) or drop senders that DKIM-align instead.
Audit your includes annually
Vendors disappear (or get acquired) and leave dead includes pointing at NXDOMAIN. Each one is a wasted lookup and a potential SPF failure path.
Pair SPF with DKIM and DMARC
SPF alone doesn't stop From: spoofing. The trio (SPF + DKIM + DMARC alignment) is what actually blocks impersonation.
Re-scan after each ESP change
Switching marketing or transactional providers usually requires editing SPF. Re-scan to confirm the new include resolves and the lookup count stays under 10.
For weights and penalties behind each category, see How Scorifya works.
The TXT record at the apex of the domain you submit. Scorifya parses the v=spf1 mechanisms (ip4:, ip6:, include:, mx, a, ptr) and walks each include to count total DNS lookups.
RFC 7208 limits SPF evaluation to 10 DNS lookups. If your record exceeds that, evaluators return 'permerror' — which means SPF effectively fails for everything, including legitimate mail.
Use -all (hard fail) once you're confident the listed senders cover everything. ~all (soft fail) is a transitional value during rollout. Modern best practice is -all.
Each subdomain that sends mail needs its own SPF record. The apex SPF doesn't automatically apply to mail.example.com. The DMARC checker complements SPF by handling subdomain policy via the sp= tag.
Yes — and you should. v=spf1 -all explicitly says 'no IP is authorized to send mail as me,' which prevents abuse of inactive domains. Pair with DMARC at p=reject for the same reason.
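The include walk and 10-lookup count described above can be reproduced offline. The following is an added example, not Scorifya's code: the zone data, the `audit_spf` name and the finding labels are constructed for illustration, and a dictionary stands in for live DNS. It counts the terms RFC 7208 treats as DNS-querying (include, a, mx, ptr, exists, redirect) and does not model the separate void-lookup limit.

```python
# Constructed sample zone: name -> SPF TXT record (None = NXDOMAIN / no record).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.vendor-a.example "
                   "include:mail.vendor-b.example include:gone.vendor-c.example -all",
    "_spf.vendor-a.example": "v=spf1 include:_netblocks.vendor-a.example "
                             "a:relay.vendor-a.example ~all",
    "_netblocks.vendor-a.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "mail.vendor-b.example": "v=spf1 exists:%{i}.allow.vendor-b.example ptr ?all",
    "gone.vendor-c.example": None,
}

# Terms that cost one DNS query each (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

def audit_spf(domain, zone=ZONE):
    """Walk an SPF record and its includes; return (lookup_count, findings)."""
    findings, seen = [], set()

    def walk(name, top):
        record = zone.get(name)
        if record is None or not record.lower().startswith("v=spf1"):
            findings.append(("spf-missing:" if top else "dead-include:") + name)
            return 0
        if name in seen:  # guard against include loops
            findings.append("include-loop:" + name)
            return 0
        seen.add(name)
        count = 0
        for term in record.split()[1:]:
            bare = term.lstrip("+-~?").lower()
            # "include:target", "a/24" and "redirect=target" -> keyword + argument
            key, _, arg = bare.replace("=", ":", 1).partition(":")
            key = key.split("/")[0]
            if key == "all" and top and term[0] not in "-~?":
                findings.append("all-is-pass")  # "all" or "+all" authorizes everyone
            if key in LOOKUP_TERMS:
                count += 1  # the term itself costs one lookup
                if key in ("include", "redirect"):
                    count += walk(arg, top=False)  # plus whatever it pulls in
        return count

    total = walk(domain, top=True)
    if total > LIMIT:
        findings.append("over-lookup-limit")
    return total, findings
```

Flattening an include into ip4:/ip6: ranges removes both the include's own lookup and every lookup nested beneath it, which is why it lowers the count faster than the top-level record suggests.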
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.