Email spoofing — forging the "From" address to impersonate a trusted sender — remains one of the most common attack vectors on the internet. Two DNS-based standards help receiving mail servers decide whether an incoming message is legitimate: SPF and DMARC.
SPF is a TXT record that lists which IP addresses and mail servers are authorised to send email on behalf of your domain. When a receiving server gets a message claiming to be from you@example.com, it checks whether the sending server's IP appears in your SPF record.
DMARC builds on SPF and DKIM. It tells receiving servers what to do when authentication fails (nothing, quarantine, or reject) and where to send aggregate reports about failures. A typical DMARC record looks like:
Without both SPF and DMARC properly configured, anyone can send email that appears to come from your domain — damaging your reputation and enabling phishing against your customers.
Both SPF and DMARC are published as DNS TXT records. You can query them with dig, nslookup, or an online domain lookup tool like ip-tracker.online.
SPF records are published at the root of your domain (or occasionally at a subdomain). Look for a TXT record starting with v=spf1.
DMARC records are always at _dmarc.yourdomain.com. Look for a TXT record starting with v=DMARC1.
Google maintains industry-standard email authentication. A lookup of google.com reveals:
The SPF record uses include:_spf.google.com to delegate authorised senders to a shared Google SPF list. The ~all mechanism means "soft fail" for servers not in the list. DMARC uses p=reject, the strictest policy — unauthenticated mail claiming to be from Google should be rejected outright.
| SPF Mechanism | Meaning |
|---|---|
| ip4:1.2.3.4 | Allow this IPv4 address |
| include:spf.example.com | Include another domain's SPF |
| a mx | Allow domain's A and MX records |
| -all | Hard fail — reject unauthorised senders |
| ~all | Soft fail — mark as suspicious |
| ?all | Neutral — no policy |
Even experienced administrators make mistakes with email authentication. Here are the issues we see most often when auditing domains:
A domain must have exactly one SPF TXT record. If you publish two records starting with v=spf1, SPF evaluation fails entirely — which means SPF provides no protection. Merge all authorised senders into a single record using include: mechanisms.
SPF evaluation is limited to 10 DNS lookups (includes, a, mx, redirect, etc.). Exceeding this limit causes a permanent error. Flatten your SPF record or use an SPF flattening service if you send through many third-party platforms (Mailchimp, Salesforce, Zendesk, etc.).
SPF alone does not prevent spoofing — it only helps receiving servers evaluate the sending IP. Without DMARC, there is no policy telling receivers what to do with failures, and no reporting to alert you when someone impersonates your domain.
Many organisations deploy DMARC with p=none for monitoring, then never graduate to p=quarantine or p=reject. Monitoring-only DMARC collects reports but does not protect recipients from spoofed mail.
DMARC requires alignment — the "From" domain must match the domain used in SPF or DKIM. A message can pass SPF for a mailing service domain while failing DMARC because the visible "From" header shows your domain. This is a frequent cause of legitimate mail being rejected after tightening DMARC policy.
You can verify SPF and DMARC manually with command-line DNS tools, but a domain lookup on ip-tracker.online consolidates TXT records, highlights SPF/DMARC status, and shows related DNS configuration in one view. Here is a practical workflow:
For domains you manage, run this check after every DNS change involving email — adding a new marketing platform, migrating to Google Workspace or Microsoft 365, or onboarding a transactional email provider like SendGrid or Amazon SES.
Create a TXT record at your domain root. Start conservatively:
Replace the include with your actual mail provider's SPF documentation.
Add a TXT record at _dmarc.yourdomain.com. Start with monitoring:
After two to four weeks of reviewing aggregate reports and fixing alignment issues, move to p=quarantine, then p=reject.
Combine them in one SPF record:
Count your DNS lookups — if you approach 10, consider SPF flattening or removing unused includes.
DNS changes can take minutes to 48 hours to propagate globally. After updating SPF or DMARC:
Email authentication is not a one-time setup. Re-verify whenever you add a new sending service, change DNS providers, or acquire a domain that previously sent mail through different infrastructure.
Check SPF and DMARC for any domain
Free domain lookup with TXT records, SPF/DMARC status, MX, DNS, and SSL — instant results.
Open IP & Domain Tracker →