Zum Inhalt springen
POST AI agent ready /v1/dns-security/spf-check

SPF Check API - Parse Mechanisms and All Policy

Fetches TXT records for the domain and selects the one starting with v=spf1. Parses each mechanism (ip4, ip6, a, mx, include, all, etc.) with its qualifier (+, -, ~, ?). Returns the raw record, the parsed mechanisms, the resolved all-policy, and the list of include targets.

Parameters

stringrequired

Domain to check.

Code examples

curl -X POST https://api.botoi.com/v1/dns-security/spf-check \
  -H "Content-Type: application/json" \
  -d '{"domain":"stripe.com"}'

When to use this API

Harden your SPF policy from ~all to -all

Check your production domain with this endpoint. If all_policy is ~all (softfail), you are still leaking legitimacy to spoofers. Tighten to -all (hardfail) only after confirming all legitimate senders are in your include list.

Audit third-party senders

Every include adds a DNS lookup budget under the 10-lookup SPF limit. List your includes and verify each one still represents an active sender; remove stale includes (old ESPs, deprecated services).

Pre-flight for email migrations

When switching email providers (Google Workspace to M365), confirm the old include is removed and the new one is added before flipping DNS. Prevents the 24-hour window where both providers partially pass SPF.

Frequently asked questions

What does the qualifier mean?
+ (default) = pass; - = hardfail; ~ = softfail; ? = neutral. Qualifiers on individual mechanisms allow fine-grained control, though most setups use default + on includes and a trailing all.
What is the SPF 10-lookup limit?
SPF allows a maximum of 10 DNS lookups during evaluation. Each include, a, mx, exists, and redirect mechanism counts. Exceeding the limit causes a permerror, which major mail providers treat as a fail. Audit via the includes array.
Why does has_spf return false when I have a TXT record?
The record must start with "v=spf1". TXT records for domain verification, DMARC, DKIM, or site ownership don't count. Only one SPF record per domain is valid.
What should all_policy be?
-all (hardfail) is the strongest and recommended. ~all (softfail) is acceptable during an SPF migration. +all (pass all) is actively harmful and should never be published.
Does this follow include: chains?
No. The endpoint returns the declared includes only; it does not recursively resolve each include's own SPF record. For full lookup-count analysis, run each include through this endpoint in sequence.

Get your API key

Free tier includes 5 requests per minute with no credit card required. Upgrade for higher limits.

Sign up free View full docs