Checking an SPF record with the Kitterman SPF Validator

If you received an email message in your Gmail inbox, Google provides easy-to-read authentication results, showing you if the email message in question properly passed SPF authentication.

But what if you want to check a proposed SPF record, a potential change, to see if it is going to work, before implementing it in DNS? Here's how I do that.

DNS consultant and smart guy Scott Kitterman has a useful-and-simple page of tools for SPF Querying and Validation. Go to this page. Scroll down to "Test an SPF record." Fill out the form, submit it, and his checking tool will tell you if the proposed SPF record passes validation.

Let's do this with my domain. I want to test this as a potential SPF record: v=spf1 ip6:2607:f2f8:a760::2 ip4: ip4: ip4: ip4: ip4: ~all

I'm going to use as my sending IP address, it's my primary email server currently.

For the MAIL FROM address, I put in the return-path (MFROM) address that my mailing list uses. For the HELO address, I put in what I think my server's name is from its mail software configuration. (If you're not sure, just put in bounce@(domain) in Mail From, and (domain) in HELO Address. If I had done that here, it would be and

Then hit the "Test SPF Record" button and you'll get a response something like this one:

The important bit we're looking for here is "Results - PASS sender SPF authorized." That tells us that this SPF record is correct, and that mail with a message from of will properly authenticate when sent from IP address, if I were to implement this SPF record in DNS.

If I was getting an error or I had typo'd something, I could hit the "back" button in my browser, make corrects, and test again.

No comments:

Post a Comment

Comments policy: Al is always right. Kidding, mostly. Be polite, and you're welcome to join in, even if it's a differing viewpoint.