Security check

SPF check: decide who can send in your name

SPF states which servers may send email for your domain. Set wrong, it blocks legitimate mail or lets forged mail through. We check it and pinpoint the errors.

Run a free domain scan All checks β†’
Relates to: NIS2 Β· art. 21 β€” secure communications ISO 27001 Β· A.5.14 SPF Β· RFC 7208

What we check

We verify that an SPF record exists, that it ends in -all (hard fail) not ~all, that it stays under 10 DNS lookups (or it fails silently) and that all legitimate senders (newsletters, CRM, support tools) are actually included.

Why it matters

SPF is the foundation of the DMARC chain. A too-soft or incomplete SPF lets spoofed mail through β€” or sends your own mail to spam. It's also an explicit secure-communication requirement in NIS2 and ISO 27001.

How Security Guru tests it

Common mistakes

  • ~all (soft fail) instead of -all
  • More than 10 lookups β†’ record fails silently
  • A forgotten provider (e.g. Mailchimp) missing β†’ their mail is rejected
  • +all β€” lets anyone through (critical error)

What you get in the report

  • SPF status, all mechanism and lookup count
  • Which includes are missing or redundant
  • The exact SPF record you should publish
  • Link to DMARC and email deliverability

FAQ

Can I have multiple SPF records?

No β€” only ONE SPF record per domain is valid. Multiple records make them all fail. All senders must be in a single record.

What is the 10-lookup limit?

SPF may do at most 10 DNS lookups. Beyond that the record fails (permerror) and protection silently disappears. We flag if you're near the limit.

Is SPF enough alone?

No β€” SPF doesn't protect the From address the user sees and breaks on forwarding. DMARC on top of SPF + DKIM is the complete protection.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan