How to Check, Test and Validate SPF Record in DNS is Correct and Valid


An SPF record at the domain level of the DNS tree is the new tool for combating email spam that tries to forge or spoof the sender SMTP MAIL FROM and Return-Path of your domain zone. However, an incorrect or misconfigured SPF definition may cause email to be discarded prematurely, bounced, or not delivered to the intended recipients. It is therefore good practice to test, verify and validate the SPF policy to ensure it does not erroneously cause outbound email to fail or be refused by relaying mail servers.

SPF Validation – Sender Profile Framework Testing and Checking Tool (no longer free) is a simple checker and tester for domain SPF records from DNSStuff. Enter the SPF string you want to test, or enter the domain or email address for auto-discovery of the SPF value, together with the IP address of the mail server, and the tool returns the SPF validation result for emails that originate from that server, showing whether they will be accepted.

OpenSPF has a reference SPF-result-explanation page which lets the user enter a "MAIL FROM" email address and the sender's IP address from which the mail originates. OpenSPF then provides a detailed explanation of how email for that domain from that server is handled when it is routed through a mail server.

Python Based SPF Record Testing Tools offer several tests. Administrators can retrieve the SPF records for a specified domain name, determine whether the SPF record is valid, check whether an SPF record is syntactically correct and valid (useful before publishing SPF in DNS), and run a full test that evaluates how the SPF record performs for the different IP addresses that mail might come from.

Vamsoft has an SPF Checker which performs the same test, and an SPF Syntax Validator to verify that the syntax of the SPF string is correct.
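As an added illustration of the syntax check and per-IP evaluation these tools perform (this is not code from any tool named on this page), the Python example below parses the techjourney.net record quoted in the Port25 report on this page and evaluates it for a given sending IP. The DNS answers are constructed so it runs offline, only the all, ip4, ip6, a and mx mechanisms are evaluated, and the names parse_spf and check_host are this example's own.

```python
import ipaddress
import re

# Constructed DNS answers so the example runs offline (assumed values, not looked up).
DNS_A = {"host.techjourney.net": ["75.127.69.98"], "techjourney.net": ["75.127.69.98"]}
DNS_MX = {"techjourney.net": ["host.techjourney.net"]}
PAGE_RECORD = "v=spf1 ip4:75.127.69.98 mx a:host.techjourney.net mx:techjourney.net ~all"
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NET = {"ip4": ipaddress.IPv4Network, "ip6": ipaddress.IPv6Network}
TERM = re.compile(r"^([+\-~?]?)(all|ip4|ip6|a|mx|include|exists|ptr)(?::([^/\s]+))?(/\d+)?$", re.I)

def parse_spf(record):
    """Syntax check: returns (terms, problems). Modifiers such as redirect= are out of scope."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return [], ["record must start with v=spf1"]
    terms, problems = [], []
    for raw in parts[1:]:
        if not (m := TERM.match(raw)):
            problems.append(f"unrecognised term: {raw}")
            continue
        qual, mech, value, cidr = m.group(1) or "+", m.group(2).lower(), m.group(3), m.group(4) or ""
        if mech in NET:
            try:  # ip4/ip6 must carry a literal address or network of the right family
                value = NET[mech]((value or "") + cidr, strict=False)
            except ValueError:
                problems.append(f"bad address in: {raw}")
        terms.append((qual, mech, value, cidr))
    return terms, problems

def check_host(ip, domain, record):
    """Evaluate the terms left to right for one sending IP; the first match decides."""
    terms, problems = parse_spf(record)
    if problems:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qual, mech, value, cidr in terms:
        if mech == "all":
            return RESULT[qual]
        if mech in NET:
            nets = [value]
        elif mech in ("a", "mx"):
            hosts = DNS_MX.get(value or domain, []) if mech == "mx" else [value or domain]
            nets = [ipaddress.ip_network(a + cidr, strict=False) for h in hosts for a in DNS_A.get(h, [])]
        else:
            raise NotImplementedError(f"{mech} needs live DNS and is not evaluated here")
        if any(addr in net for net in nets):
            return RESULT[qual]
    return "neutral"
```

Running check_host with an address that is not listed in the record, such as the documentation address 203.0.113.7, returns softfail because of the trailing ~all.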

If you don’t know the IP address or host name of the SMTP mail server that sends outbound email for your domain, port25.com provides a simpler and easier method to check and test the SPF record. Simply send an email from the domain whose SPF you want to test to check-auth@verifier.port25.com (reply to “mail_from” address) or check-auth2@verifier.port25.com (reply to “from” address). An Authentication Report will be sent back to the email account's inbox after a few minutes, with complete details and a summary of results for the SPF check, DomainKeys check, DKIM check, and Sender-ID check. A typical reply is quoted here; some information has been masked to protect it from spam spiders:

This message is an automatic response from Port25’s authentication verifier service at verifier.port25.com. The service allows email senders to perform a simple check of various sender authentication mechanisms. It is provided free of charge, in the hope that it is useful to the email community. While it is not officially supported, we welcome any feedback you may have at .

Thank you for using the verifier,

The Port25 Solutions, Inc. team

==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: neutral
Sender-ID check: pass

==========================================================
Details:
==========================================================

HELO hostname: host.techjourney.net
Source IP: 75.127.69.98
mail-from: xxxxx@xxxxxxx.xxx

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mail=xxxxx@xxxxxxx.xxx
DNS record(s):
techjourney.net. 3600 IN TXT "v=spf1 ip4:75.127.69.98 mx a:host.techjourney.net mx:techjourney.net ~all"

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=xxxxx@xxxxxxx.xxx
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified:
DNS record(s):

NOTE: DKIM checking has been performed based on the latest DKIM specs (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for older versions. If you are using Port25’s PowerMTA, you need to use version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result: pass
ID(s) verified: header.From=xxxxx@xxxxxxx.xxx
DNS record(s):
techjourney.net. 3600 IN TXT "v=spf1 ip4:75.127.69.98 mx a:host.techjourney.net mx:techjourney.net ~all"

Return Path also provides a SenderID Test similar to the email verification service above, except that it uses a one-time random email address that you are supposed to send to, auto-generated when you visit the website (no longer available), and the validator won’t automatically reply to your email with a validation report. Instead, webmasters need to enter their email address in the box provided on the same web page to get the results.

If you need to set up SPF record for your domain, check out this SPF guide.

About the Author:

LK is a technology writer for Tech Journey with a background as a system and network administrator. He has been documenting his experiences in the digital and technology world for over 15 years. Connect with LK through Tech Journey on Facebook, Twitter or Google+.
