How to validate your SPF record?
Setting up the correct SPF record is an essential part of your technical settings. This page explains how to check whether you have set up the SPF record correctly.
Go to the following URL and fill in the domain you want to check and press Start.
If an SPF record is found, you will see a screen similar to the screenshot below:
Please make sure the SPF record doesn’t exceed the maximum of 10 lookups!
The SPF records are correctly configured when:
- The page has found an SPF record
- Your SPF record doesn’t exceed the maximum number of 10 lookups.
- The IP addresses shown are addresses you actually send email from.
If this is okay, you should be all ready to go!
If not, or if you see a screen similar to the one below, something is wrong.
The maximum amount of 10 lookups has been exceeded. ISPs could ignore your SPF record.
Please check with your hosting provider if the record is entered correctly in your Domain Name Server (DNS).
On OS X and Linux, you can use the command-line tool dig to investigate further and find out what the problem is.
First we want to make sure the problem is not caused by caching. For example, if you ran the check before adding or changing the SPF record, the response from your DNS server might have been cached, and it can take a couple of hours before the server returns the correct response.
To bypass any cache you can ask your nameserver directly what record it has.
Use the following command to find out what your nameservers are: dig yourdomain.com NS
    [root@server ~]# dig yourdomain.com NS
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> yourdomain.com NS
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32320
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;yourdomain.com. IN NS
    ;; ANSWER SECTION:
    yourdomain.com. 300 IN NS ns1.yourdomain.com.
    yourdomain.com. 300 IN NS ns2.yourdomain.com.
    yourdomain.com. 300 IN NS ns3.yourdomain.com.
    ;; Query time: 31 msec
    ;; SERVER: 220.127.116.11#53(18.104.22.168)
    ;; WHEN: Mon Nov 26 16:09:52 2012
    ;; MSG SIZE rcvd: 87
The lines in your ANSWER SECTION (highlighted above) are your nameservers.
Now ask a nameserver what record is available using the command: dig yourdomain.com TXT @ns1.yourdomain.com
    [root@server ~]# dig yourdomain.com TXT @ns1.yourdomain.com
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 <<>> yourdomain.com TXT @ns1.yourdomain.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14982
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;yourdomain.com. IN TXT
    ;; ANSWER SECTION:
    yourdomain.com. 300 IN TXT "spf2.0/pra,mfrom a mx include:aspmx.googlemail.com -all"
    yourdomain.com. 300 IN TXT "v=spf1 a mx include:aspmx.googlemail.com -all"
    ;; Query time: 0 msec
    ;; SERVER: 22.214.171.124#53(126.96.36.199)
    ;; WHEN: Mon Nov 26 16:13:40 2012
    ;; MSG SIZE rcvd: 200
You should see your TXT record(s) here. Common mistakes/problems are:
- Changes saved in the GUI take some time to reach the nameserver
  (e.g. everything is correct in the GUI, but the nameserver returns nothing or incorrect values)
- It takes some time for all nameservers to sync with each other
  (e.g. ns1 returns correct values, but ns2 and/or ns3 do not)
- Accidentally copied spaces
- Characters are escaped with an additional \
- Quotation marks inside the response value
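The per-nameserver comparison and the common mistakes listed above can be checked automatically once you have saved the output of `dig yourdomain.com TXT @nameserver` for each nameserver. The following Python is an added example, not part of the original page; the function names and the sample answers for ns2 and ns3 are constructed for illustration.

```python
import re

# Terms that each cost one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)
TXT_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+TXT\s+(.*)$")
CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one "quoted" string as dig prints it

def spf_values(dig_output):
    """Extract v=spf1 TXT values from dig ANSWER lines, joining quoted chunks."""
    values = []
    for line in dig_output.splitlines():
        m = TXT_LINE.match(line.strip())
        value = "".join(CHUNK.findall(m.group(1))) if m else ""
        if "v=spf1" in value.lower():
            values.append(value)
    return values

def lint(value):
    """Return the problems found in one SPF value as dig displays it."""
    problems = []
    if value != value.strip() or "  " in value:
        problems.append("stray spaces")
    if '\\"' in value:
        problems.append("quotation marks inside the value")
    if "\\" in value.replace('\\"', ""):
        problems.append("backslash-escaped characters")
    lookups = sum(1 for term in value.split() if LOOKUP.match(term))
    if lookups > 10:  # own terms only; included records add more
        problems.append(f"{lookups} lookup terms (limit is 10)")
    return problems

def check(answers):
    """Map each nameserver to its findings; answers maps name -> dig TXT output."""
    seen = {ns: spf_values(out) for ns, out in answers.items()}
    report = {}
    for ns, values in seen.items():
        issues = [] if values else ["no SPF record returned"]
        issues += [p for value in values for p in lint(value)]
        if values and any(values != other for other in seen.values() if other):
            issues.append("differs from another nameserver")
        report[ns] = issues
    return report

# Constructed sample: ns2 holds a pasted value with quotes and a double space, ns3 has not synced.
SAMPLE = {
    "ns1.yourdomain.com": 'yourdomain.com. 300 IN TXT "v=spf1 a mx include:aspmx.googlemail.com -all"',
    "ns2.yourdomain.com": r'yourdomain.com. 300 IN TXT "\"v=spf1 a mx  include:aspmx.googlemail.com -all\""',
    "ns3.yourdomain.com": "",
}
```

Calling `check(SAMPLE)` returns the findings per nameserver. The lookup count covers only the terms in the record itself; lookups inside included records also count toward the limit of 10, so the real total can be higher.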
Always use the exact domain name you are using to send the email from. E.g. if you are sending email from firstname.lastname@example.org, fill in yourdomain.com as your domain name.