SPF records break in subtle ways. A missing DNS lookup, a circular include chain, or an empty third-party record can silently cause email authentication failures, and most checkers won't tell you. We ran the same problematic domain through 7 SPF check tools to see which ones surface the issues that actually matter.
The Test Domain
We used dmarcdkimspf.com, a domain with a deliberately complex, broken SPF record containing:
A circular reference (dmarcdkimspf.com → _spf.dmarcdkimspf.com → dmarcdkimspf.com)
An empty/hollow include (include:empty:dmarcdkimspf.com, a syntactically invalid domain that resolves to nothing)
Duplicate nested rules (e.g., spf.protection.outlook.com included twice)
17 DNS lookups, well over the RFC 7208 limit of 10 requests
Syntax errors in the include chain
This is a realistic scenario for any organization that has added multiple email vendors over time without auditing their SPF.
Evaluation Criteria
| Criterion | What we looked for |
| --- | --- |
| Circular reference detection | Does it identify when an SPF include loops back to itself? |
| Empty/hollow include detection | Does it flag includes resolving to no SPF record or with broken syntax? |
| Duplicate nested rules | Does it surface redundant mechanisms across the include tree? |
| 10 DNS lookup limit | Does it count DNS lookups and warn when the limit is exceeded? |
| Syntax check | Does it validate SPF mechanism syntax and give actionable errors? |
| Include tree visualization | Can you see the full resolved include hierarchy? |
Results
1. DmarcDkim.com SPF Check Tool
URL: https://dmarcdkim.com/tools/check-spf-record
DmarcDkim.com detected every problem in our test domain and explained each one clearly.
The SPF Tree expands recursively to show every included domain with per-node DNS request counts. Circular references are flagged inline with a danger badge right on the offending node (include:dmarcdkimspf.com labeled as circular). The empty include (include:empty:dmarcdkimspf.com) is caught and reported as a syntax error with a specific message: "Invalid domain for include: empty:dmarcdkimspf.com". Duplicate mechanisms across the tree are highlighted with warning icons on each repeated node. The DNS request counter shows 17/10 with a red progress bar and a "DNS Limit Exceeded" banner at the bottom of the tree.
The Summary panel gives an at-a-glance pass/fail breakdown across four checks (multiple SPF records, circular references, syntax errors, and DNS request count) before you even open the tree.
The Performance section shows IPv4/IPv6 rule counts and total authorized IP ranges (173 IPv4 rules, 10 IPv6 rules, 1,190,018 IPv4 addresses allowed), useful for auditing over-permissive records.
| Criterion | Result |
| --- | --- |
| Circular reference detection | ✅ Yes, labeled inline on the tree node with danger badge |
| Empty/hollow include detection | ✅ Yes, flagged as syntax error with specific message |
| Duplicate nested rules | ✅ Yes, warning badges on every duplicate node |
| 10 DNS lookup limit | ✅ Yes, 17/10 with red progress bar + "DNS Limit Exceeded" banner |
| Syntax check | ✅ Yes, specific actionable error messages per mechanism |
| Include tree visualization | ✅ Yes, full recursive tree, collapsible, numbered, with expand/collapse all |
Verdict: The most complete SPF checker available as a free tool. It's the only one that catches all six criteria and presents them in a single, scannable view without requiring a signup.
2. MXToolbox SPF Record Lookup
URL: https://mxtoolbox.com/spf.aspx
MXToolbox is the most widely used email diagnostic tool in the industry. It correctly flagged a "Syntax Error" on the invalid include mechanism and presented the raw record in a clean table with Prefix / Type / Value / Description / Error columns.
However, it stops at the surface level. MXToolbox does not expand the include tree, showing only the top-level mechanisms of the queried domain. This means circular references inside nested includes, empty includes, and duplicate rules across the include chain are invisible. The DNS lookup count is not calculated or displayed. The test results table checks for six basic conditions (record published, deprecated records, multiple records, characters after ALL, DMARC published, DMARC policy), none of which are the deep SPF problems.
For the most widely deployed tool in the space, this is a blind spot.
| Criterion | Result |
| --- | --- |
| Circular reference detection | ❌ No |
| Empty/hollow include detection | ⚠️ Partial, flagged as "Syntax Error" on the top-level record only |
| Duplicate nested rules | ❌ No |
| 10 DNS lookup limit | ❌ No, not calculated |
| Syntax check | ✅ Yes, surface-level syntax check with error column |
| Include tree visualization | ❌ No, top-level mechanisms only |
Verdict: Good for quick surface checks and well-known by recipients of email reports. Not suitable for diagnosing complex SPF configurations.
3. Dmarcian SPF Surveyor
URL: https://dmarcian.com/spf-survey/
Dmarcian's SPF Surveyor is a deep-analysis tool with one important limitation on circular references. It does not stop on a circular loop; instead it unrolls the include chain repeatedly until it hits its own 50-include processing cap, reporting 51 DNS lookups in total. A true circular reference detector would halt at the first loop and report 16-18 lookups; hitting 51 means Dmarcian followed the cycle through dozens of iterations without recognizing it as a loop.
The "Warning! The target name for 'include:X' equals an already evaluated include mechanism" message is better understood as a duplicate include warning; it fires when the same domain appears more than once across the unrolled tree, not as a dedicated loop-detection signal. Duplicate netblocks are also collected into a dedicated "Duplicate netblock authorization" table listing each duplicated CIDR with an occurrence count (e.g., 40.92.0.0/15 appearing 13 times).
The empty include is flagged as an Error with a clear message about invalid domain spec expansion. The interface is dense and text-heavy, built for email security practitioners, not general users. There are no visual badges or summary cards; you have to read through the tree output to understand the severity.
| Criterion | Result |
| --- | --- |
| Circular reference detection | ❌ No, unrolls loop to 50-include cap rather than halting it |
| Empty/hollow include detection | ✅ Yes, Error with specific message about invalid domain expansion |
| Duplicate nested rules | ✅ Yes, "already evaluated" warning + dedicated duplicate netblock table |
| 10 DNS lookup limit | ✅ Yes, shows 51/10, stops processing at 50 includes |
| Syntax check | ✅ Yes, per-mechanism error and warning messages |
| Include tree visualization | ✅ Yes, clickable expanding tree with raw record shown per node |
Verdict: Good technical depth for most SPF issues, with one blind spot: it cannot identify a true circular reference. It will exhaust its processing budget following the loop instead of halting and naming it. UI requires patience to parse.
4. EasyDMARC SPF Checker
URL: https://easydmarc.com/tools/spf-lookup
EasyDMARC returned an "Invalid" Record Status with a DNS lookup count and an expandable include tree. It detected that the record has problems and rendered the hierarchy. However, its diagnostics are less specific than DmarcDkim.com or Dmarcian.
The circular reference is not explicitly labeled: it shows repeated includes in the tree but doesn't call out the loop as circular. The empty include is visible as a malformed mechanism in the tree but without a prominent callout or distinct error category. Duplicate detection is not surfaced as a dedicated check. DNS count is shown. The tool also prompts for an email address to get a "Full Domain Health Report," which gates some analysis behind a signup flow.
EasyDMARC is part of a large platform, but the standalone SPF checker doesn't go as deep as the dedicated tools.
| Criterion | Result |
| --- | --- |
| Circular reference detection | ⚠️ Partial, repeated includes visible in tree, not labeled as circular |
| Empty/hollow include detection | ⚠️ Partial, visible in tree output, no prominent error callout |
| Duplicate nested rules | ❌ Not explicitly surfaced |
| 10 DNS lookup limit | ✅ Yes, lookup count displayed |
| Syntax check | ✅ Yes, Invalid status shown |
| Include tree visualization | ✅ Yes, expandable include tree |
Verdict: Solid mid-tier tool. Works well for general validation but misses the nuance needed to diagnose complex records.
5. Mailhardener SPF Validator
URL: https://www.mailhardener.com/tools/spf-validator
Mailhardener's SPF validator returned "Record is not valid: One or more included SPF records contain problems" with a hint to use the policy details to find the problematic term. It then rendered a deeply detailed per-include breakdown: each included domain gets its own record detail section showing the raw TXT record, validation status, DNS lookup count for that branch, and any errors.
The tool validates against RFC 7208 strictly and surfaces errors at every level of the include chain. Circular references appear as repeated entries in the unrolled tree. Empty includes and syntax errors are flagged per-node. DNS lookup counts are accumulated and shown. The interface is functional but minimal, with dense data tables rather than visual tree diagrams with badges or summary cards.
Finding all issues requires scrolling through the full expanded tree; there's no top-level summary that collects all errors in one place.
| Criterion | Result |
| --- | --- |
| Circular reference detection | ✅ Yes, visible through repeated chain entries in tree |
| Empty/hollow include detection | ✅ Yes, flagged in include detail sections |
| Duplicate nested rules | ⚠️ Partial, visible in tree, not deduplicated or summarized |
| 10 DNS lookup limit | ✅ Yes, per-include and cumulative lookup counts shown |
| Syntax check | ✅ Yes, RFC 7208 level validation with per-mechanism errors |
| Include tree visualization | ✅ Yes, deep per-include detail sections |
Verdict: Technically thorough and RFC-accurate. Best for security practitioners who want to read raw validation data. Lacks UX clarity to quickly triage issues.
6. Valimail Domain Checker
URL: https://www.valimail.com/domain-checker/
Valimail's free tool is a domain health checker covering DMARC, SPF, and BIMI, not a dedicated SPF-only inspector. After entering dmarcdkimspf.com, the results page showed a clear top-level verdict: "Your domain is not protected!" with three status indicators: DMARC at Enforcement (green), SPF Record Misconfigured (red), and Not BIMI Ready (red).
The SPF Results section surfaces several specific issues: the circular reference is flagged as "your SPF record is creating a referential loop which may cause some or all of your messages to fail to authenticate"; the empty include is identified as including a domain with no SPF record configured; and one included netblock is flagged as overly permissive (52.100.0.0/15).
What it does not provide: there is no include tree visualization, no DNS lookup count, and no duplicate mechanism detection. The issues list is short and plain-English. For deep SPF diagnosis it lacks the depth of dedicated tools.
| Criterion | Result |
| --- | --- |
| Circular reference detection | ✅ Yes, flagged as a referential loop in plain English |
| Empty/hollow include detection | ✅ Yes, identified as domain with no SPF record |
| Duplicate nested rules | ❌ No, not detected or surfaced |
| 10 DNS lookup limit | ❌ No, lookup count not shown |
| Syntax check | ✅ Yes, invalid include mechanism caught |
| Include tree visualization | ❌ No, summary list only, no tree |
Verdict: Good for a quick health check across DMARC, SPF, and BIMI together. Not suitable for deep SPF diagnosis; it identifies that problems exist but not their full scope.
7. Red Sift SPF Checker
URL: https://redsift.com/tools/spf-checker
Red Sift's SPF Checker delivered strong diagnostic depth. The SPF Overview panel shows six metrics at a glance: SPF: Evaluation Failed, Failure Mode: Soft Fail (~all), SPF Lookups: 17/10 (6 Main, 11 Nested), Authorized Subnets, Void Lookups, and Total Authorized IPv4 Addresses.
Beneath the overview, three distinct issue cards appear:
SPF Lookup Limit Exceeded, 17/10 with a "Highlight in SPF Tree" button
Infinite Recursion Detected, circular reference flagged with a link to highlight the offending nodes in the tree
Syntax, "Error: invalid domain name: empty:dmarcdkimspf.com" with the exact value shown
The SPF tree visualization renders all top-level mechanisms with expandable nodes, Expand All / Collapse All controls, and per-node authorized IP counts. Duplicate includes (spf.protection.outlook.com appearing twice) are visible in the tree, though there is no automated duplicate-detection and one would need to examine this case manually.
Identified email services are also surfaced (SendGrid, Microsoft Office 365), making it easy to see which third-party senders are authorized.
| Criterion | Result |
| --- | --- |
| Circular reference detection | ✅ Yes, "Infinite Recursion Detected" card with tree highlight |
| Empty/hollow include detection | ✅ Yes, syntax error card with exact invalid domain value |
| Duplicate nested rules | ⚠️ Partial, visible in tree, no dedicated duplicate callout |
| 10 DNS lookup limit | ✅ Yes, 17/10 shown in overview + dedicated issue card |
| Syntax check | ✅ Yes, per-mechanism error with exact value |
| Include tree visualization | ✅ Yes, expandable tree with per-node IP counts |
Verdict: One of the strongest free SPF checkers available. Clean overview metrics, dedicated issue cards with tree-highlight links, and a full expandable tree make it fast to triage complex records. Duplicate detection is the only gap.
Full Comparison Table
| Tool | Circular Refs | Empty Includes | Duplicates | DNS Limit | Syntax | Tree |
| --- | --- | --- | --- | --- | --- | --- |
| DmarcDkim.com | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Dmarcian | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Red Sift | ✅ | ✅ | ⚠️ | ✅ | ✅ | ✅ |
| Mailhardener | ✅ | ✅ | ⚠️ | ✅ | ✅ | ✅ |
| EasyDMARC | ⚠️ | ⚠️ | ❌ | ✅ | ✅ | ✅ |
| Valimail | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ |
| MXToolbox | ❌ | ⚠️ | ❌ | ❌ | ✅ | ❌ |
Key Takeaways
DmarcDkim.com is the only tool that reliably surfaces all six problem categories. Numbered tree nodes, inline badges for each issue type, an at-a-glance summary card, and a DNS progress bar make it the fastest to read, even for deeply nested records.
Red Sift comes close, catching circular references, empty includes, DNS limit, and syntax errors with dedicated issue cards and a full SPF tree. The only gap is duplicate mechanism detection: duplicates are visible in the tree, but finding them requires manual evaluation, which is practically impossible.
Dmarcian has good technical depth but a notable blind spot: it does not detect circular references. Instead of halting at the loop, it follows the cycle until its 50-include processing cap, reporting 51 lookups. This means a domain with a circular include chain will appear to have an extreme DNS lookup count problem rather than a loop problem; the root cause is obscured.
Mailhardener is technically thorough but requires more effort to parse results. It's best suited to practitioners comfortable reading raw DNS validation data.
Valimail is best used as a domain health overview tool rather than a deep SPF debugger. It correctly identifies that SPF problems exist and names the circular reference and empty include, but without a lookup count or include tree it can't show you the full scope of the issues.
EasyDMARC is a capable mid-tier tool that works well for organizations that want a single platform for DMARC, SPF, and DKIM. The standalone SPF checker is adequate for simple records but misses detail on complex ones.
MXToolbox remains the most-visited tool in the space by name recognition, but its SPF checker is surface-level. It gives you confidence on simple records but will miss the problems that actually cause delivery failures at scale.
The fundamental problem with SPF checkers is that SPF failures are almost always caused by what's inside the includes, not the top-level record itself. A tool that only shows you the first level of your SPF record gives you a false sense of security. Every organization with more than two email vendors should use a tool that resolves and validates the full include chain.
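A minimal full-chain walk covering the checks this comparison scores (loop detection by ancestor path, lookup counting against the limit of 10, invalid and empty includes, duplicate includes), as an added example rather than code from any of the tools reviewed. The zone data, the `.test` domain names and the `audit` function are constructed for illustration, and SPF macro expansion in include targets is not handled.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation
QUERYING = {"include", "a", "mx", "exists", "ptr", "redirect"}
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)[:=/]?(.*)")
HOST = re.compile(r"(?:[a-z0-9_](?:[a-z0-9_-]*[a-z0-9])?\.)+[a-z]{2,}")

# Constructed TXT answers standing in for DNS (assumption: not real records).
ZONE = {
    "corp.test": "v=spf1 include:_spf.corp.test include:mail.vendor.test "
                 "include:empty:corp.test include:gone.vendor.test mx ~all",
    "_spf.corp.test": "v=spf1 include:corp.test include:mail.vendor.test "
                      "ip4:192.0.2.0/24 ~all",
    "mail.vendor.test": "v=spf1 a mx exists:%{i}.bl.vendor.test "
                        "ip4:198.51.100.0/24 -all",
}

def audit(domain, zone=ZONE):
    """Walk the whole include tree; return the lookup count and findings."""
    rep = {"lookups": 0, "circular": [], "invalid": [], "void": [], "duplicate": []}
    expanded = set()

    def walk(name, path):
        expanded.add(name)
        for term in zone[name].lower().split()[1:]:      # skip "v=spf1"
            m = TERM.fullmatch(term)
            if m is None:
                rep["invalid"].append(term)              # not a parseable term
                continue
            mech, arg = m.groups()
            if mech in ("include", "redirect"):
                if not HOST.fullmatch(arg):
                    rep["invalid"].append(arg)           # no query can be issued
                    continue
                rep["lookups"] += 1
                if arg in path:                          # target is an ancestor: loop
                    rep["circular"].append(" -> ".join(path + [arg]))
                elif arg not in zone:
                    rep["void"].append(arg)              # resolves to no SPF record
                else:
                    if arg in expanded:
                        rep["duplicate"].append(arg)
                    walk(arg, path + [arg])              # a real evaluator pays again
            elif mech in QUERYING:
                rep["lookups"] += 1                      # a/mx/exists/ptr: one query

    if domain in zone:
        walk(domain, [domain])
    else:
        rep["void"].append(domain)
    rep["over_limit"] = rep["lookups"] > LOOKUP_LIMIT
    return rep
```

Stopping when an include target is already on the ancestor path is what separates a named loop from an inflated lookup count: the cycle costs one query and is reported once instead of being unrolled.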
Methodology
Tested against a deliberately broken domain: dmarcdkimspf.com. Each tool was accessed via its public free-tier URL with no account login. The domain was entered into each tool's input field and results were captured after page load. Evaluation was based solely on the information displayed in the tool's output.