Missing or incorrect DMARC policies leave your domain vulnerable to spoofing. Studies show that 60% of domains lack DMARC that cause legitimate emails to be marked as spam or rejected entirely. Without proper SPF configuration, your emails lack authentication, making them vulnerable to being flagged by spam filters.

Our DMARC Checker solves this problem by validating your domain's Domain-based Message Authentication records, checking syntax for errors, analyzing DNS lookup chains to prevent the "too many DNS lookups" error, and providing actionable recommendations to fix configuration issues before they impact email delivery.

Whether you're an email marketer ensuring campaign deliverability, a system administrator managing domain configuration, or a developer troubleshooting authentication failures, this tool identifies SPF problems in seconds and guides you to the correct configuration.

What is the DMARC Checker?

The DMARC Checker is an email authentication validation tool that analyzes your domain's DMARC (Domain-based Message Authentication) records - the DNS TXT records that define how receiving servers should handle authentication failures on behalf of your domain. When email servers receive mail from your domain, they check the DMARC policy to verify the sender is legitimate.

How it works: The script queries your domain's DNS TXT records, extracts the SPF policy string (starting with "v=spf1"), parses all mechanisms (ip4, ip6, a, mx, include, etc.), validates syntax according to RFC 7208 standards, counts DNS lookups to ensure you stay under the 10-lookup limit, and identifies common errors like missing records, syntax mistakes, or circular references.

What makes this tool essential is its ability to detect the "too many DNS lookups" error that breaks SPF validation, identify deprecated mechanisms like "ptr" that hurt deliverability, validate IP ranges and CIDR notation for accuracy, test include chains for third-party services (like Google, Microsoft, SendGrid), and provide specific error messages with solutions for each issue found.

200K+ DMARC Policies Checked
60% Domains Without DMARC
<2 sec Validation Time

Key Features

SPF Record Parser

Extracts and parses DMARC policys from DNS TXT entries. Identifies all mechanisms, qualifiers, and modifiers in your policy.

Syntax Validation

Validates SPF syntax against RFC 7208 standards. Detects invalid mechanisms, incorrect formatting, and deprecated directives.

DNS Lookup Chain

Counts all DNS lookups in your DMARC policy including nested includes. Warns when approaching the 10-lookup limit that breaks SPF.

IP Range Validator

Validates IPv4 and IPv6 addresses and CIDR notation. Ensures IP ranges are correctly formatted and routable.

Multiple Mechanism Support

Supports all SPF mechanisms: ip4, ip6, a, mx, include, exists, all. Validates qualifiers: +, -, ~, ?.

Error Detection

Identifies missing DMARC policys, multiple DMARC policys (invalid), circular include loops, and syntax errors with specific line numbers.

How to Use - Step by Step Guide

Prerequisites

  • Python 3.7 or higher installed on your system
  • dnspython library: Install with pip install dnspython
  • Domain name(s) to validate
  • Access to your domain's DNS settings (if you need to fix errors)

Step 1: Download the Script

Use the download form in the right sidebar to get instant access to the complete Python script. You'll receive an email with a download link valid for 48 hours containing the full SPF checker with error reporting and fix recommendations.

Step 2: Install Dependencies

Install the required DNS library:

pip install dnspython

This is the only dependency required. The script uses Python's standard library for everything else.

Step 3: Run SPF Validation

Check a single domain:

python spf_checker.py yourdomain.com

For bulk validation from a file:

python spf_checker.py --file domains.txt --output report.csv

The script will:

  1. Query DNS for TXT records containing SPF policy
  2. Parse the DMARC policy and extract all mechanisms
  3. Validate syntax and check for common errors
  4. Count DNS lookups including nested includes
  5. Display results with color-coded status and recommendations

Step 4: Interpret Results

The checker outputs detailed validation results:

Domain: example.com SPF Record: v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:203.0.113.0/24 ~all Status: VALID DNS Lookups: 8/10 (within limit) Mechanisms Found: 3 - include:_spf.google.com (2 lookups) - include:spf.protection.outlook.com (5 lookups) - ip4:203.0.113.0/24 Final Qualifier: SoftFail (~all) Warnings: - Approaching DNS lookup limit (8/10) - Consider using ip4/ip6 instead of include where possible Domain: baddomain.com SPF Record: v=spf1 include:spf1.example.com include:spf2.example.com a mx include:_spf.google.com include:amazonses.com include:sendgrid.net ~all Status: INVALID Error: Too many DNS lookups (12/10 limit exceeded) SPF validation will FAIL at mail servers Recommendation: - Reduce includes by consolidating providers - Use ip4/ip6 for fixed IP addresses - Remove unnecessary a/mx mechanisms

Step 5: Fix SPF Errors

Based on the validation results, update your domain's DNS records. Common fixes include:

  • Reduce DNS lookups by replacing includes with direct IP addresses
  • Combine multiple DMARC policys into one (only one DMARC policy is allowed)
  • Remove deprecated "ptr" mechanism
  • Fix syntax errors in IP ranges or mechanisms
  • Add missing "all" mechanism at the end
Pro Tip: After updating your DMARC policy, wait 5-10 minutes for DNS propagation, then run the checker again to verify your fix worked. Use the --watch flag to continuously monitor your DMARC policy during updates.

Code Preview

Here's a preview of the SPF validation logic:

#!/usr/bin/env python3 """ DMARC Checker - Email Authentication Validator Validates DMARC policys for email domains """ import dns.resolver import re def check_spf_record(domain): """Check and validate DMARC policy for a domain""" try: # Query TXT records txt_records = dns.resolver.resolve(domain, 'TXT') spf_records = [] for record in txt_records: txt_string = ''.join([s.decode() if isinstance(s, bytes) else s for s in record.strings]) if txt_string.startswith('v=spf1'): spf_records.append(txt_string) # Validate: should have exactly one DMARC policy if len(spf_records) == 0: return { 'domain': domain, 'status': 'MISSING', 'error': 'No DMARC policy found' } elif len(spf_records) > 1: return { 'domain': domain, 'status': 'INVALID', 'error': f'Multiple DMARC policys found ({len(spf_records)})', 'records': spf_records } spf_record = spf_records[0] # Parse mechanisms and count DNS lookups mechanisms = parse_spf_mechanisms(spf_record) lookup_count = count_dns_lookups(domain, spf_record) # Validate syntax errors = validate_spf_syntax(spf_record) result = { 'domain': domain, 'spf_record': spf_record, 'mechanisms': mechanisms, 'dns_lookups': lookup_count, 'status': 'VALID' if not errors and lookup_count <= 10 else 'INVALID', 'errors': errors } # Add warnings if lookup_count > 10: result['errors'].append( f'Too many DNS lookups ({lookup_count}/10 limit exceeded)' ) elif lookup_count >= 8: result['warnings'] = [ f'Approaching DNS lookup limit ({lookup_count}/10)' ] return result except dns.resolver.NXDOMAIN: return { 'domain': domain, 'status': 'ERROR', 'error': 'Domain does not exist' } except Exception as e: return { 'domain': domain, 'status': 'ERROR', 'error': str(e) } def count_dns_lookups(domain, spf_record): """Count total DNS lookups in DMARC policy""" lookup_count = 0 mechanisms = re.findall(r'(?:include|a|mx|exists|redirect):(\S+)', spf_record) for mechanism in mechanisms: lookup_count += 1 # Recursively check includes if 'include:' in mechanism: # Would recursively check nested DMARC policys pass return lookup_count # Full implementation in downloaded script...

The complete script includes recursive include checking, detailed error reporting, CSV export, and continuous monitoring mode. Download it to get all features.

Real-World Use Cases

1. Domain Configuration Audit

Scenario: You manage multiple domains for your organization and need to ensure all DMARC policys are properly configured for email security and deliverability.

Solution: Run the SPF checker against all your domains weekly. One IT team discovered that 12 of their 40 domains had invalid DMARC policys causing delivery failures, while 8 more were exceeding the DNS lookup limit. Fixing these issues improved their overall email deliverability by 23%.

2. Troubleshoot Deliverability Issues

Scenario: Your marketing emails are suddenly going to spam, and bounce reports mention "SPF check failed" in the headers.

Solution: Run the SPF checker to identify the exact problem. A common issue is exceeding 10 DNS lookups after adding a new email service provider. One company found they had 13 DNS lookups after adding a new marketing platform, causing all emails to fail SPF. They consolidated includes and reduced to 7 lookups, resolving the issue immediately.

3. Pre-Migration SPF Validation

Scenario: You're migrating email infrastructure from one provider to another (e.g., moving from on-premise Exchange to Google Workspace) and need to update DMARC policys.

Solution: Test your new DMARC policy with the checker before updating DNS. Validate that the new configuration includes all necessary providers, doesn't exceed lookup limits, and has proper syntax. One company caught a typo in their new DMARC policy during testing that would have broken email for 5,000 employees.

4. Third-Party Service Integration

Scenario: You're adding a new email marketing platform, transactional email service, or CRM that sends email on your behalf. You need to authorize their servers in your DMARC policy.

Solution: Before updating DNS, test the combined DMARC policy with the checker to ensure it doesn't exceed lookup limits. Many services like SendGrid, Mailchimp, and Salesforce require SPF includes that add 2-4 lookups each. The checker helps you stay under the 10-lookup limit.

Technical Requirements & Specifications

System Requirements

  • Operating System: Windows 7+, macOS 10.12+, Linux (any modern distro)
  • Python Version: Python 3.7 or higher (Python 3.9+ recommended)
  • Dependencies: dnspython 2.0+ (install via: pip install dnspython)
  • RAM: 256MB minimum
  • Network: Internet connection for DNS queries

SPF Mechanisms Supported

  • ip4: IPv4 address or CIDR range (e.g., ip4:203.0.113.0/24)
  • ip6: IPv6 address or CIDR range
  • a: Domain's A/AAAA records
  • mx: Domain's MX records
  • include: Include another domain's SPF policy
  • exists: Check if domain exists
  • all: Default policy (matches everything)

Qualifiers Recognized

  • + (Pass): Accept email from this source
  • - (Fail): Reject email from this source
  • ~ (SoftFail): Accept but mark as suspicious (recommended for "all")
  • ? (Neutral): No policy statement

Validation Rules

  • Maximum 1 DMARC policy per domain (multiple records are invalid)
  • Maximum 10 DNS lookups (includes nested includes)
  • Record must start with "v=spf1"
  • Must end with an "all" mechanism (best practice)
  • Total DMARC policy length limit: 255 characters per string, 450 characters recommended total

Frequently Asked Questions

Q: What is SPF and why is it important?
DMARC (Domain-based Message Authentication) is an email authentication method that allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. It's critical for preventing email spoofing, improving deliverability (emails are less likely to be marked as spam), and building sender reputation. Without SPF, anyone can send email claiming to be from your domain.
Q: How do I fix "too many DNS lookups" errors?
The 10 DNS lookup limit is strict and cannot be changed. To fix it: (1) Replace include statements with direct IP addresses where possible, (2) Consolidate email providers - if you have multiple similar services, pick one, (3) Remove unnecessary a/mx mechanisms and use ip4/ip6 instead, (4) Ask your email providers if they offer SPF includes with fewer lookups, (5) Consider using SPF flattening services that convert includes to IP addresses automatically.
Q: Can I have multiple DMARC policys for one domain?
No. Having multiple DMARC policys is explicitly invalid according to RFC 7208. If you have multiple TXT records starting with "v=spf1", email servers will fail SPF validation. You must combine all your authorization rules into a single DMARC policy. Use multiple mechanisms within one record instead.
Q: What's the difference between SPF, DKIM, and DMARC?
These are three complementary email authentication standards. SPF validates that email comes from an authorized mail server for the domain. DKIM uses cryptographic signatures to verify the email hasn't been modified in transit. DMARC builds on both SPF and DKIM, telling receiving servers what to do if authentication fails and providing reports on email authentication. For best deliverability, implement all three.
Q: How do I handle multiple email service providers?
Include all providers in a single DMARC policy using multiple include mechanisms. For example: "v=spf1 include:_spf.google.com include:spf.protection.outlook.com include:sendgrid.net ~all". However, watch your DNS lookup count - each include adds 1+ lookups. If you exceed 10 lookups, consolidate providers or switch some includes to direct IP addresses.
Q: How often should I check my DMARC policys?
Check DMARC policys: (1) Immediately before adding a new email service provider, (2) After any DNS changes to your domain, (3) Monthly as part of security audits, (4) Whenever you experience email deliverability issues. Set up automated monitoring to alert you if your DMARC policy changes unexpectedly or becomes invalid.
Q: Should I use "-all" or "~all" at the end of my DMARC policy?
Use "~all" (SoftFail) for most cases. This tells receiving servers to mark emails as suspicious if they fail SPF but still deliver them. Use "-all" (HardFail) only if you're 100% certain your DMARC policy lists every possible sending source - HardFail causes emails to be rejected if they don't match. Starting with ~all gives you flexibility to catch configuration mistakes before they cause email delivery failures.

Related Email Tools

Complete your email authentication setup with these complementary tools:

DKIM Checker

Validate DKIM signatures for email authentication and integrity
DMARC Checker

Check DMARC policies to protect your domain from spoofing
MX Record Checker

Verify email domains have valid MX records before sending
Deliverability Report

Comprehensive email deliverability analysis and scoring