If your company uses its own domains and domain-handling mails, there are high chances of them running into email issues, and have come across the ” SPF Softfail Domain Does Not Designate IP as Permitted Sender ” error. It is crucial that companies properly designate the IP Addresses used to send out emails on their behalf as a permitted sender in the SPF Record.
What is SPF?
SPF or Sender Policy Framework is an email-authentication standard that protects organizations against impersonation. An attacker may use a company’s domain and brand name to send fake messages to their customers. These phishing emails seem authentic enough to convince the customers and make them fall for an internet scam in the company’s name. This will harm a company’s brand credibility and damage its public image. SPF can be imagined as a safelist of trusted domains of a company from where authentic communication can originate.
How to check if your domain is a permitted sender?
The first step to resolving the “SPF Softfail Domain Does Not Designate IP as Permitted Sender” error is to check your sender authority. To do so:
Step 1: Log in to the company’s domain’s email account, let’s say, [email protected].
Step 2: Send an email to another email account to which you have access; this can be to an external domain like Gmail, Yahoo, Hotmail, or others.
Step 3: Log in to the email account where you sent the first mail, and then view the headers of this email. It’ll be marked as “Show original”.
Then, you’ll see something similar to this. Notice the SPF Softfail message.
–Original Message –
Sat, 13 March, 2022 11:01:19 IST
Return-Path: [email protected]
Received: from mymy2.spfrecords.com (mymy2.spfrecords.com [18.104.22.168])
by mx.google.com with ESMTPS id
Received SPF: softfail (google.com: domain of transitioning [email protected] does not designate 22.214.171.124 as permitted sender) client-ip=126.96.36.199;
Authentication results: mx.google.com;
Spf = softfail (google.com: domain of transitioning [email protected] does not designate 188.8.131.52 as permitted sender) client-ip=184.108.40.206;
*end of header message
Note: If you observed “Received-SPF: pass” in the header, then the domain you are using to send the mails is authenticated and is already added to your SPF record, and you don’t have anything to worry about. However, as shown above, there is a softfail issue. We will now look into how to resolve the same.
What does “SPF Softfail Domain Does Not Designate IP as Permitted Sender” mean?
Your email sender has a host IP that looks something like this:
If this IP address for the sending domain is not included on your domain’s SPF record, the email receiving server fails to identify the designated IP as a permitted sender. The server automatically interprets the message to be coming from an unauthorized source. This is a possible reason why SPF failed for the message. It yields a high probability of DMARC failure if the email authentication system is solely reliant on SPF for source verification (and not DKIM).
Under such circumstances, if your protocol policy is set to reject, your message will never get delivered! Therefore, the domain owner must take quick and actionable measures to fix the “SPF Softfail Domain Does Not Designate IP as Permitted Sender” issue.
How to include an IP as a permitted sender for SPF?
The solution for this can be divided into the following steps:
1. Create a list of sending sources for your domain. You may use a list of email addresses based on your domain, as well as third-party sending sources for email transactions.
2. Now, identify the host IPs of these sending sources
How to find IP addresses linked to your email sending sources?
It’s pretty easy! To find the IP address of your sending source, open the email and view your full email header. To do so you need to click on the three dots at the top-right corner of your email to view the drop-down menu, and select “Show original”.
On the original message, scroll down to the Received line, you will be able to spot the host IP address of the original sender, as shown below:
3. Use our SPF Record Generator to generate a free SPF record for your domain.
- In the record generator, add all the IP addresses you wish to be authenticated to send emails and communication on behalf of the company.
- Add any third-party servers or external delivery services as an authorized sending source for your domain. This way, any mails sent via third-party servers will also pass the SPF Authentication.
4. Once you have used the SPF Record Generator to generate the SPF Record for your domain with all the trusted domains and IP Addresses added to it, all that is left to do is implement SPF by publishing it on your DNS. Here is how you can achieve that:
- Log in to your DNS Management Console
- Next, navigate to the domain of choice (the domain for which you are trying to add/modify the SPF record)
- Specify your resource type as ‘TXT’
- Specify the hostname as “_spf”
- Paste the value of your generated SPF record
- Save changes to configure SPF for your domain
Note: The above names or headers may vary based on the DNS Management Console you are using for your company.
This way, the domain owners can ensure that all their trusted IP addresses and domains they might use to send communications on the company’s behalf are added to the server, and a similar error where the SPF Softfail Domain does not designate IP as the permitted sender will not occur.
How to effectively use the SPF standard?
The only way to solidify a company’s SPF technology is to incorporate it with DMARC. Here are the benefits of doing this,
1. DMARC = SPF + DKIM
Email authentication protocols like DMARC are configured by adding a TXT record to your DNS. Apart from configuring a policy for your domain’s emails, you can also leverage DMARC to enable a reporting mechanism to send you a wealth of information about your domains, vendors, and email sources.
DMARC can help you make use of both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) technologies in tandem to give your domain even better protection against spoofing.
Note: This is recommended, but not mandatory. DMARC can function with either SPF or DKIM identifier alignment.
2. Reporting & Feedback with PowerDMARC
Neither SPF nor DKIM gives the domain owner feedback about emails that fail authentication. DMARC sends detailed reports directly to you, which the PowerDMARC platform converts into easy-to-read charts and tables.
3. Control what happens to unauthenticated emails
DMARC lets you, the domain owner, decide whether an email that fails validation goes to inbox, spam, or gets rejected. With PowerDMARC, all you have to do is click one button to set your DMARC policy, and it’s that easy.
Unauthorized senders can be a dangerous threat to the security of your clients and your company’s image and brand value. Protect your customers from phishing and scams by incorporating DMARC in your company, and only allows mails from authenticated senders to reach them.
- Types of Domain Vulnerabilities You Should be Aware of - August 18, 2023
- How to Implement Mail Domain Authentication in Your Email Infrastructure - February 22, 2023
- How to fix “SPF alignment failed”? - January 3, 2023