SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are the three key pillars of email security and authentication. They offer two main benefits:
- Prevent spam, phishing, and spoofing attacks attempted using your domain name or mail server.
- Improve email deliverability by ensuring that all genuine emails sent using your domain name land in the primary inboxes of recipients. This boosts the performance of email marketing and PR campaigns.
Although these protocols are the backbone of a company's email domain, they are also prone to misconfiguration. This article looks at the errors that can appear during an SPF check and how to resolve them.
Types of SPF Errors
An SPF record lists the IP addresses and mail servers you trust to send on behalf of your domain, together with instructions telling recipients' mail servers how to treat email claiming to come from it. A message sent from a source not on that list is treated as illegitimate and is either marked as spam or rejected, depending on the mechanisms, modifiers, and qualifiers you have set in the TXT record.
An SPF record with an error has at least one of these issues:
- Unable to resolve the domain name in DNS.
- A non-existing SPF record.
- Presence of multiple SPF records.
- Syntax errors.
- Missing IP addresses or mail servers.
- Exceeding the maximum limit of 10 DNS lookups.
- Exceeding the maximum limit of 2 void lookups.
Depending on the error, the SPF result is categorized as None, Temperror, Permerror, Softfail, Fail, or Neutral. Let's look at each in detail:
None
A 'None' result occurs when the receiving SMTP server runs into one or both of these problems:
- Unable to resolve to the domain name in DNS.
- A non-existing SPF record.
For DMARC, an SPF None result counts as an SPF failure (SPF did not authenticate that sender or message), and if DKIM fails as well, the message fails DMARC overall. It is then quarantined (p=quarantine) or rejected (p=reject), according to the domain's DMARC policy.
To fix an SPF None result, create an SPF TXT record (an online generator can help) and publish it in your domain's DNS.
SPF Temperror
SPF Temperror is a transient problem caused by DNS errors such as a DNS timeout, and it usually requires no intervention from the domain owner. If the email is sent again after a while, the error may not recur.
The receiving server signals a temporary failure, which means the corresponding SMTP command returns a 4xx status code. The sending client can retry the message later, according to its retry policy.
Permerror
SPF Permerror can have several causes. Here is how to sort them out:
Presence of Multiple SPF Records
If more than one SPF record is published in DNS for a single domain, all of them become invalid. To fix this, merge them into a single record and publish that one.
Remember that simply concatenating the records into one string won't work. The merge has to be done systematically: the combined record must still begin with a single v=spf1 and end with a single all term.
Syntax Errors
SPF syntax consists of mechanisms, modifiers, and qualifiers. Incorrect use of them, stray spaces, and typos make the TXT record invalid. An SPF string should always begin with v=spf1 and end with either an -all or a ~all tag.
Exceeding the Maximum Limit of 10 DNS Lookups
The SPF RFC imposes a limit of 10 DNS lookups per check to avoid overloading resolvers. Every instance of 'redirect', 'exists', 'ptr', 'a', and 'include' counts as one lookup. You can get rid of this error in one of the following ways:
- Removing unnecessary ‘include’ statements.
- Removing IP addresses or mail servers that you no longer use to send messages.
- Creating additional SPF records for subdomains.
Exceeding the Maximum Limit of 2 Void Lookups
A void lookup occurs when a DNS query made during an SPF check returns no answer (an NXDOMAIN or an empty response). Keeping your SPF record up to date with all your sending sources, and flattening the record, help you stay within the limit of 2 void lookups.
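The Permerror causes above (a missing or duplicated record, syntax slips, and the lookup and void-lookup limits) can all be caught before a record is published. The linter below is an added example, not code from the original article: it walks a constructed in-memory zone instead of querying DNS, so every domain and record in it is made up, and it counts mx as a lookup mechanism as RFC 7208 does.

```python
import re
# Constructed in-memory zone standing in for DNS TXT lookups (documentation domains; nothing is queried).
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example include:bulk.example -all"],
    "_spf.mail.example": ["v=spf1 a mx include:relay.example ~all"],
    "relay.example": ["v=spf1 ip4:198.51.100.7 -all"],
    "bulk.example": [],                                         # no SPF record: a void lookup
    "two.example": ["v=spf1 -all", "v=spf1 mx -all"],           # two SPF records: permerror
    "bad.example": ["v=spf1 ipv4:203.0.113.5 -all"],            # typo 'ipv4' for 'ip4': syntax error
    "heavy.example": ["v=spf1 " + "include:relay.example " * 11 + "-all"],  # 11 lookups: over the limit
}
KNOWN = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists", "redirect", "exp"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs one DNS lookup
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)  # qualifier, name, argument

def fetch_spf(domain):
    """Return (record, error); error is set for the 'none' and 'multiple records' failure cases."""
    recs = [r for r in ZONE.get(domain, []) if r.lower().split(" ", 1)[0] == "v=spf1"]
    err = "no SPF record" if not recs else "multiple SPF records" if len(recs) > 1 else None
    return (recs[0] if err is None else None), err

def check_spf(domain, path=()):
    """Lint one domain's SPF chain: total DNS lookups, void lookups and the problems found."""
    res = {"dns": 0, "void": 0, "problems": []}
    record, err = fetch_spf(domain)
    if err:
        return {**res, "problems": [f"{domain}: {err}"]}
    terms = record.split()[1:]
    if not terms or not re.fullmatch(r"[+\-~?]?all|redirect=.+", terms[-1], re.IGNORECASE):
        res["problems"].append(f"{domain}: record does not end with an 'all' mechanism or redirect")
    for term in terms:
        m = TERM.match(term)
        name, arg = (m.group(1).lower(), m.group(2)) if m else ("", None)
        if name not in KNOWN:
            res["problems"].append(f"{domain}: syntax error in term {term!r}")
            continue
        res["dns"] += 1 if name in LOOKUP_MECHS else 0
        if name in ("include", "redirect") and arg:
            if arg in path + (domain,):
                res["problems"].append(f"{domain}: include loop via {arg}")
            elif fetch_spf(arg)[1] == "no SPF record":
                res["void"] += 1  # void lookup; for include this is also a permerror (RFC 7208 section 5.2)
                res["problems"].append(f"{domain}: include:{arg} has no SPF record")
            else:
                sub = check_spf(arg, path + (domain,))
                for key in res:  # fold the included domain's counts and problems into this result
                    res[key] += sub[key]
    limits = {"dns": 10, "void": 2}  # RFC 7208 section 4.6.4 limits
    res["problems"] += [f"{domain}: {res[k]} {k} lookups exceed {n}" for k, n in limits.items() if res[k] > n]
    return res
```

Running check_spf("example.com") walks the whole include chain and reports 5 DNS lookups, 1 void lookup and the include pointing at a domain without an SPF record.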
Softfail
SPF Softfail is indicated by the ~all tag and instructs a receiver's server to mark emails from unlisted sources as spam rather than reject them. Sometimes even genuine emails fail the SPF check, and recipients' mailbox providers (for example Gmail, Microsoft Outlook, or Hotmail) treat them as suspicious. With Softfail, such emails still arrive in the spam folder, which is much better than being rejected outright.
Fail
The -all tag indicates SPF Fail (also called SPF Hardfail) and instructs a recipient's email server to reject outright any email that fails the SPF check. This limits the damage from phishing and spoofing attacks set up to trick recipients into sharing sensitive information.
Using the 'Fail' mechanism on email-sending domains isn't recommended, because some of your genuine marketing emails can bounce as well. For all the non-email-sending domains you own, however, you should deploy it to bolster security.
Neutral
Neutral means the record makes no assertion about whether a particular IP address or server is permitted to send email on behalf of your company. It is indicated by the ?all tag and causes every sending source not matched earlier in the record to receive a neutral result.
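To see how the ~all, -all and ?all tags decide the result for a sender that is not listed in the record, here is a small evaluator. It is an added example, not part of the original article: the records and addresses are constructed documentation values, and it covers only the ip4, ip6 and all mechanisms, which need no DNS.

```python
import ipaddress
import re

# Qualifier prefix -> SPF result (RFC 7208 section 4.6.2); a missing prefix means "+" (pass).
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"^([+\-~?]?)(all|ip4:\S+|ip6:\S+)$", re.IGNORECASE)

def evaluate(record, sender_ip):
    """Return the SPF result for sender_ip under a record made of ip4/ip6/all terms.

    Mechanisms are tried left to right and the first match decides, so the qualifier on the
    trailing 'all' is what every unlisted sender receives. Mechanisms that need DNS (a, mx,
    include, exists, ptr, redirect) are outside this offline example and raise ValueError.
    """
    if record.split(" ", 1)[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            raise ValueError(f"{term!r} needs a DNS lookup or is not valid SPF")
        qualifier = m.group(1) or "+"
        name, _, arg = m.group(2).lower().partition(":")
        if name == "all":
            return RESULT[qualifier]
        network = ipaddress.ip_network(arg, strict=False)  # a bare address means /32 or /128
        if ip in network:  # False across address families, so ip4 never matches an IPv6 sender
            return RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term: the RFC 7208 section 4.7 default

# Constructed records: the same trusted ranges under the three qualifiers discussed in the text,
# plus the record recommended for a domain that never sends mail.
RECORDS = {
    "softfail": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "fail": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "neutral": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ?all",
    "no_mail": "v=spf1 -all",
}

def unlisted_sender_results(sender_ip="203.0.113.9"):
    """What a sender outside the trusted ranges (e.g. a forwarding host) gets under each record."""
    return {name: evaluate(rec, sender_ip) for name, rec in RECORDS.items()}
```

A trusted address such as 192.0.2.10 passes under all three qualifiers; only the unlisted sender's fate changes with the tag on the final all term.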
Summary
SPF authentication results help you understand and improve a domain's email delivery rate while ensuring that no unauthorized party sends or tampers with email posing as you or someone from your organization. With SPF Softfail, emails that fail the SPF check land in the spam folder; if you set your record to the SPF Fail mechanism instead, they bounce.