SPF checker report

SPF report for example.com

We explain exactly why your SPF uses 11 of 10 DNS lookups

SPF Lookup Limit: The 10 DNS Lookup Rule

RFC 7208 limits SPF evaluation to ten DNS lookups, and exceeding that limit causes a PermError that breaks authentication.

Read article
— and how to fix it in minutes.

Demo scenario — illustrates an overloaded SPF record

Your SPF record exceeds the lookup limit

11 lookups were detected. RFC 7208 allows a maximum of 10. Your SPF exceeds the RFC lookup limit of 10. Email delivery may fail without warning when receivers treat the record as permerror.

No credit card required. Generate one managed include for example.com.

Executive summary

The full story for example.com in one glance.

Current situation

  • Risk High
  • Lookup count 11 / 10
  • Providers detected Microsoft 365, Google Workspace, Mailchimp, Salesforce
  • Maintenance Manual updates expected

After SPF Manager

  • Risk None
  • Lookup count 1 / 10
  • Providers Synchronized automatically
  • DNS change One TXT record to publish

SPF Health 28 → 91 · Lookups 11 → 1

Fix example.com for free

Current vs future

See what changes when example.com moves to one managed include.

Current situation

Health score
28 / 100
Lookup count
11 / 10
Detected providers
Microsoft 365 Google Workspace Mailchimp Salesforce
Risk
HIGH

After SPF Manager

Health score
91 / 100
Lookup count
1 / 10
Providers
Automatically managed
Risk
NONE
Score potential 28 → 91

Estimated operational impact

Indicative savings based on provider complexity and your current SPF structure.

Estimated

These estimates are based on provider complexity and detected SPF structure. They are indicative, not guaranteed.

Estimated provider changes

~10 / year

Estimated manual DNS edits

~15 / year

Estimated time saved

~20h / year

Estimated risk reduction

~63%

SPF Health

28 / 100
Risk High

11 / 10 DNS lookups Over limit

Estimated with SPF Manager

91 / 100

  • 95–100 Healthy
  • 80–94 Good
  • 60–79 Needs attention
  • 40–59 High risk
  • 0–39 Critical

Include depth: 5

Why this matters

Microsoft 365 contributes 4 lookups. Google Workspace contributes 2. Mailchimp contributes 2. Salesforce contributes 2. Other contributes 1 lookup across custom and nested includes. Total: 11 / 10 lookups. This is a common pattern when business email, marketing and CRM tools share one domain.

Detected sources

Microsoft 365 · 4 lookups Google Workspace · 2 lookups Mailchimp · 2 lookups Salesforce · 2 lookups Other · 1 lookups

Why fix this today

  • Your SPF record exceeds the lookup limit (11 / 10).
  • Some receivers may already treat SPF as invalid.
  • Removing a provider manually can break legitimate mail flows.
  • SPF lookup limit of 10 exceeded.
  • Nested includes from Microsoft 365, Google Workspace and marketing tools increase permerror risk.
  • Manual flattening would go stale when providers change their IP ranges.

Simulate next provider change

SPF risk is not static. The next provider update can push you over the limit — unless changes are synchronized automatically.

Current chain

11 / 10

Microsoft 365 adds another nested include

After simulated change

11 / 10 lookups

Already exceeded — receivers may treat SPF as invalid.

With SPF Manager

1 / 10

Automatically synchronized

Provider changes are detected, validated, and folded into your managed include — your public DNS stays one record.

Specific actions for this domain

  • Reduce lookup count immediately

    Your record currently uses 11 DNS lookups. RFC 7208 allows a maximum of 10, so receivers may reject the record as invalid.

  • Replace nested includes

    Include depth is 5. Nested provider chains increase permerror risk and make troubleshooting harder.

  • Switch to a managed include

    Publish one managed include in DNS and let SPF Manager resolve provider includes behind it.

Replace fragile SPF chains for example.com with one managed include. SPF Manager resolves provider includes, validates output, and keeps your record synchronized.

Fix example.com for free

Safe, validated SPF changes

Replacing a DNS record feels risky. SPF Manager is designed to keep you in control.

  • RFC-aware validation
  • One DNS record under your control
  • No direct DNS write access required
  • Original SPF remains visible in history
  • Reversible migration path
  • Provider changes synchronized automatically

All SPF includes

Expand each source to see include records, lookup contribution, nesting depth, and guidance.

  • include:spf.protection.outlook.com
    depth 1 2 lookups
  • include:spfa.protection.outlook.com
    Nested depth 2 2 lookups

Recommendation: fold this provider behind one managed include to reduce lookup sprawl.

Managed automatically with SPF Manager

  • include:_spf.google.com
    depth 1 2 lookups

Recommendation: keep authorized, but monitor for nested include changes.

Managed automatically with SPF Manager

  • include:servers.mcsv.net
    depth 1 2 lookups

Recommendation: keep authorized, but monitor for nested include changes.

Managed automatically with SPF Manager

  • include:_spf.salesforce.com
    depth 1 2 lookups

Recommendation: keep authorized, but monitor for nested include changes.

Managed automatically with SPF Manager

  • include:smtp-vendor.example.net
    depth 1 1 lookup
  • include:relay.nested-mail.org
    Nested depth 2 nested chain

Recommendation: keep authorized, but monitor for nested include changes.

Managed automatically with SPF Manager

Could this have been prevented?

Manual SPF maintenance repeats the same risky work. SPF Manager synchronizes provider changes automatically.

Manual SPF today

  1. Microsoft changes SPF → manual DNS update !
  2. Google changes SPF → manual DNS update !
  3. Mailchimp changes SPF → manual DNS update !
  4. Salesforce changes SPF → manual DNS update !

With SPF Manager

  1. Provider change detected
  2. SPF output validated
  3. Managed include synchronized
  4. Your DNS stays unchanged

How your SPF chain becomes one include

Watch nested provider includes collapse into a single managed include.

Before After

Your DNS today

TXT @ example.com

v=spf1 include:… +7 includes

11 / 10 lookups

Microsoft 365

include:spf.protection.outlook.com

2 lookups

Microsoft 365

Nested

include:spfa.protection.outlook.com

2 lookups

Google Workspace

include:_spf.google.com

2 lookups

Mailchimp

include:servers.mcsv.net

2 lookups

Salesforce

include:_spf.salesforce.com

2 lookups

Other

Other

include:smtp-vendor.example.net

1 lookup

Other

Nested Other

include:relay.nested-mail.org

1 lookup

With SPF Manager

TXT @ example.com

v=spf1 include:example.com.flat-spf.com -all

1 / 10 lookups

SPF

Managed include

example.com.flat-spf.com

Resolves 7 providers automatically

Validated · 1 / 10 lookups
Paused — compare your current SPF chain with one managed include side by side. Each provider include consumes DNS lookups toward the 10-lookup limit. Flattening provider includes into one managed record… Your public SPF stays simple — SPF Manager maintains the rest.

Generate managed SPF for example.com

One managed include resolves your provider chain and keeps changes synchronized automatically.

Generate managed SPF for example.com

Fix example.com in minutes

Generate a managed SPF include for example.com and keep provider changes synchronized automatically — setup takes just a few minutes.

SPF Health 28 → 91 · Lookups 11 → 1

Fix example.com in minutes

No credit card required. You stay in control of your DNS records.

Share this report

Share this report with a client, colleague, or DNS administrator before making changes.

Email authentication platform

SPF is live today. Additional modules will plug into the same report experience.

SPF

Included in this report

Analyzed
DKIM

Expands your deliverability coverage

Coming soon
DMARC

Expands your deliverability coverage

Coming soon
MX

Expands your deliverability coverage

Coming soon
DNSSEC

Expands your deliverability coverage

Coming soon

Analyzed 1 second ago.