How healthy is the SPF deployment of the Tranco top-1M? This dashboard inspects every
v=spf1 record we observed, then breaks them down by enforcement strictness
(-all / ~all / …), DNS lookup count vs the RFC 7208 cap of 10,
the mechanism mix (modern includes vs legacy IP ranges) and record length. The final
cross-tab shows which ESPs nudge their customers toward strict SPF.
-all (strict)~all (soft fail)PermErr (≥11 lookups)+all (dangerous)all qualifierRFC 7208 §5.1 default qualifier is +. Best practice is
-all (hard fail) or ~all (soft fail). +all
accepts any sender — operationally equivalent to publishing no SPF at all and is
trivially abusable.
Counts top-level lookup mechanisms (include,
redirect, a, mx, exists,
ptr). Records with ≥11 will return PermErr and are
effectively broken. Note: this is a lower bound — nested includes are not recursed,
so real-world breakage is even higher.
includes-only: outsourced sending (the modern, easy-to-update
pattern). ip-only: legacy hand-curated IP ranges. mixed: combination.
passthrough: +all with no real mechanisms — accepts everyone.
A single TXT chunk is limited to 255 bytes — longer records are sent as multiple chunks concatenated. Records over ~450 bytes are at risk of resolver fragmentation issues.
| Percentile | Bytes |
|---|
For each top ESP, the share of customer SPF records that use each
all qualifier. Higher -all share suggests the ESP nudges
customers toward strict SPF; higher ~all share is the typical
conservative default.
| ESP | Customers | -all | ~all | ?all | +all | no-all |
|---|
Source: OpenINTEL forward-DNS Tranco snapshot (2026-07-13).
Parser: parsers/spf_health.py. ESP join uses
dictionaries/esps.py. Lookup-counting is intentionally non-recursive —
the figures reported here are a lower bound, so real-world PermErr
prevalence is at least the value shown.