Posts

Have you ever seen an email fail SPF? If you have, this post explains exactly why SPF authentication fails. Sender Policy Framework, or SPF, is one of the email authentication standards that receivers have relied on for years to reject forged senders. The idea is an allow list: your domain publishes, in DNS, which mail servers may send on its behalf, and a receiving server checks the server that is actually delivering the message against that list.

SPF is an email authentication protocol that lets a receiving mail server verify that the server delivering a message is authorized to send for the domain of the message's envelope sender (the MAIL FROM or Return-Path address, not the visible From: header; DMARC is what ties the two together). The receiving MTA queries DNS for that domain's SPF TXT record and checks whether the connecting IP address is listed in it. SPF records are frequently set up inconsistently, and understanding those mistakes is the key to understanding why emails fail SPF verification and what you can do to keep your own email marketing from failing.

Why SPF Authentication Fails: None, Neutral, Hardfail, Softfail, TempError, and PermError

SPF authentication failures can happen due to the following reasons:

  • The receiving MTA finds no SPF record published in your DNS
  • You have more than one SPF record published for the same domain
  • Your ESPs have changed or added sending IP addresses that are not yet reflected in your SPF record
  • Your record needs more than the 10 DNS lookups SPF permits
  • Your record triggers more than the 2 void lookups (queries that return no answer or NXDOMAIN) SPF permits
  • Your flattened SPF record is too long to publish (a single TXT string holds at most 255 characters, and the whole record should stay under roughly 450)

These are the common scenarios behind SPF failures. You can monitor your domains with our DMARC analyzer to get reports on SPF authentication failures: with DMARC reporting enabled, the receiving MTA reports one of the following SPF results for each message, depending on why the check did not pass. Let's look at each of them:

Case 1: SPF None result is Returned

In the first scenario, if the receiving server cannot extract a valid domain from the envelope sender, or finds no SPF record for that domain in DNS, a none result is returned. None means the sender has not configured SPF for the domain. It is not a pass: DMARC treats the message as failing SPF, so unless a DKIM signature passes and aligns, the message fails DMARC and your policy decides its fate.

Generate your error-free SPF record now with our free SPF record generator tool to avoid this.

Case 2: SPF Neutral Result is Returned

If you end your SPF record with a ?all mechanism, any sending IP that is not matched by an earlier mechanism gets a neutral result instead of a fail. Neutral is defined to be treated exactly like none: the receiver learns nothing about whether the source is authorized, so a spoofer sending from an unlisted IP gets the same verdict as your own unlisted server. Sources that do match an earlier ip4, ip6 or include mechanism still pass; ?all only removes the protection for everything else.

Case 3: SPF Softfail Result

SPF softfail is produced by the ~all mechanism. It tells the receiving MTA that an IP not listed in the record is probably not authorized, but not to reject on that basis alone. Most receivers accept such a message and treat the softfail as a negative signal in spam scoring, so it may land in the spam folder; under DMARC a softfail counts as an SPF failure just like a hardfail. Given below is an example of a record ending in softfail:

 v=spf1 include:_spf.google.com ~all

Case 4: SPF Hardfail Result

SPF hardfail, also known as SPF fail, is produced by the -all mechanism: the domain states that any source not listed in the record is not authorized. Receivers may reject such messages outright or treat the fail as a strong spam signal; behaviour varies by receiver. We recommend -all if you want the strongest protection against domain impersonation and email spoofing, with one caveat: some receivers reject on a hardfail at SMTP time, before DMARC is evaluated, so a legitimate message that fails SPF (for example after forwarding) cannot be rescued by a passing DKIM signature there. Given below is an example of SPF hardfail:

v=spf1 include:_spf.google.com -all

Case 5: SPF TempError (SPF Temporary Error)

One common and usually harmless reason why SPF authentication fails is SPF TempError (temporary error): the receiving MTA hit a DNS error, such as a timeout, while fetching or evaluating your SPF record. As the name suggests, it is transient. The receiver typically answers the SMTP transaction with a 4xx status code so that the sending server retries later, and the retry usually yields an SPF pass.

Case 6: SPF PermError (SPF Permanent Error)

Another common result is SPF PermError. It is returned when the receiving MTA cannot interpret your record and therefore treats it as invalid; every message from the domain, legitimate or not, then gets PermError. There are several reasons why a record is rendered invalid while the MTA performs its DNS lookups:

  • Exceeding the 10 DNS lookup limit
  • Incorrect SPF record syntax
  • More than one SPF record for the same domain
  • A record too long to publish or parse (a single TXT string holds at most 255 characters)
  • More than two void lookups (mechanisms pointing at names that do not resolve)

Note that an SPF record that is out of date with changes made by your ESPs does not cause PermError; mail from the new addresses simply gets fail or softfail, which is the other common source of failure reports.

Note: When an MTA performs an SPF check on an email, the include, a, mx, ptr and exists mechanisms and the redirect modifier each cause a DNS query. RFC 7208 allows at most 10 of these per evaluation (the initial fetch of the record itself does not count); the eleventh makes the check return PermError.

How Can Dynamic SPF Flattening Resolve SPF PermError?

Unlike the other SPF results, PermError is trickier to resolve because the record itself has to change. PowerSPF helps you mitigate it with automatic SPF flattening. It helps you:

  • Stay under the SPF hard limit
  • Instantly optimize your SPF record
  • Flatten your record to a single include statement
  • Make sure your SPF record is always updated on changes made by your ESPs

Want to test if you have SPF configured correctly for your domain? Try out our free SPF record lookup tool today!

Is it okay to have multiple SPF records on your domain? No. Publishing more than one is among the most common SPF mistakes domain owners make, and it invalidates SPF for the domain entirely, producing a PermError. To understand why, we need to look at how SPF works and why a second record breaks authentication. Run an SPF record check today to find errors in your SPF record configuration.

How Does SPF Work?

Sender Policy Framework, or SPF, is a widely used email authentication protocol: the domain owner lists all the sending sources allowed to send email on the domain's behalf. When a message arrives, the receiving MTA takes the domain from the envelope sender (the Return-Path address), fetches that domain's SPF record from DNS, and checks whether the IP address of the connecting server matches one of the mechanisms in that record.

If there is a match found, the email passes SPF, else it fails SPF.

Hence, configuring SPF is simply publishing a DNS TXT record that starts with “v=spf1” syntax.

What is SPF PermError?

When a receiving MTA performs SPF authentication on an email, it fetches the sending domain's DNS TXT records and keeps those that begin with "v=spf1". If SPF is not configured for the domain and no such record exists, a None result is returned. If more than one record beginning with "v=spf1" exists for the same domain, the receiver cannot know which one to trust and returns PermError (RFC 7208 section 4.5).

The wrong way: 

Record Type | Domain Name       | Record Value                        | TTL
TXT         | exampledomain.com | v=spf1 include:_spf.zoho.com -all   | default
TXT         | exampledomain.com | v=spf1 include:_spf.google.com -all | default

In this example, for domain exampledomain.com, there are 2 separate DNS TXT records that have been published in the domain’s DNS. In this case, SPF authentication fails due to SPF PermError.


The right way: 

Record Type | Domain Name       | Record Value                                              | TTL
TXT         | exampledomain.com | v=spf1 include:_spf.zoho.com include:_spf.google.com -all | default

In this example the domain exampledomain.com has only a single SPF DNS TXT record published in the DNS by adding all the include mechanisms in a single record. The record is valid and SPF would not return a PermError result in this case. Learn how to optimize your SPF record the correct way to avoid SPF record errors in the future.

Other Factors Affecting SPF: Types of SPF Errors

As discussed above, having more than one SPF record is a common SPF error that can render your SPF record invalid and fail SPF authentication. So the answer to “Can I have multiple SPF records on my domain?” is plain and simple: no you cannot. After ensuring that you have only one SPF record published in your DNS, there can still be other factors causing SPF errors.

  • Exceeding the SPF 10 lookup limit can also return SPF PermError and break SPF.
  • Manually flattening your SPF record to pull in all the IP addresses behind your include mechanisms can produce a record that no longer fits in a single 255-character TXT string, or grows large enough to risk a truncated DNS response
  • Your email service providers like Zoho, Gmail, or Outlook can change or add to their IP addresses that invalidates your SPF record
  • Your SPF record might contain syntax errors

In order to avoid the above-mentioned errors use PowerSPF to automatically flatten your SPF record and stay under the 10 DNS lookup limit.

You can generate your error-free SPF record using our free SPF record generator. Sign up today for DMARC Analyzer to configure SPF correctly for your domain and avoid all SPF errors.

Reasons why to avoid SPF Flattening

Sender Policy Framework, or SPF, is a widely deployed email authentication protocol that validates your messages by checking the delivering server against the authorized IP addresses registered for your domain in your SPF record. To do so, the receiving mail server performs DNS queries for the record and for the names it references, resulting in DNS lookups.

Your SPF record exists as a DNS TXT record that is formed of an assemblage of various mechanisms. Most of these mechanisms (such as include, a, mx, redirect, exists, ptr) generate DNS lookups. However, the maximum number of DNS lookups for SPF authentication is limited to 10. If you are using various third-party vendors to send emails using your domain, you can easily exceed the SPF hard limit.

You might be wondering what happens if you exceed this limit. Exceeding the 10 DNS lookup limit produces PermError, and that result is returned for every message from your domain, legitimate ones included. If you have DMARC monitoring enabled, these PermErrors show up in the aggregate reports sent to your domain. This brings us to the primary topic of this blog: SPF flattening.

What is SPF Flattening?

SPF record flattening is one of the popular methods used by industry experts to optimize your SPF record and avoid exceeding the SPF hard limit. The procedure for SPF flattening is quite simple. Flattening your SPF record is the process of replacing all include mechanisms with their respective IP addresses to eliminate the need for performing DNS lookups.

For example, if your SPF record initially looked something like this:

v=spf1 include:spf.domain.com -all

A flattened SPF record will look something like this:

v=spf1 ip4:168.191.1.1 ip6:3a02:8c7:aaca:645::1 -all

The flattened record causes no DNS lookups that count toward the limit (only the fetch of the record itself, which is not counted), instead of one for the include plus one for every lookup mechanism inside it. Reducing the number of DNS queries the receiving server performs does help in staying under the 10 DNS lookup limit; however, flattening has problems of its own.

The Problem with SPF Flattening

Apart from the fact that a manually flattened SPF record may grow too large to publish comfortably (a single TXT string holds at most 255 characters, and the whole record should stay under about 450), you have to take into account that your email service provider may change or add IP addresses without notifying you. Whenever your provider changes its infrastructure, those changes are not reflected in your record, so mail sent from the new or changed addresses fails SPF on the receiver's side.

PowerSPF: Your Dynamic SPF Record Generator

The ultimate goal of PowerDMARC was to come up with a solution that can prevent domain owners from hitting the 10 DNS lookup limit, as well as optimize your SPF record to always stay updated on the latest IP addresses your email service providers are using. PowerSPF is your automated SPF flattening solution that pulls through your SPF record to generate a single include statement. PowerSPF helps you:

  • Add or remove IPs and mechanisms with ease
  • Auto update netblocks to make sure your authorized IPs are always up-to-date
  • Stay under the 10 DNS lookup limit with ease
  • Get an optimized SPF record with a single click
  • Permanently defeat ‘permerror’
  • Implement error free SPF

Sign up with PowerDMARC today to ensure enhanced email deliverability and authentication, all while staying under the 10 DNS SPF lookup limit.

In this article, we will explore how to optimize SPF record easily for your domain. For enterprises as well as small businesses who are in possession of an email domain for sending and receiving messages among their clients, partners and employees, it is highly probable that an SPF record exists by default, which has been set up by your inbox service provider. No matter if you have a pre-existent SPF record or you need to create a new one, you need to optimize your SPF record correctly for your domain in order to ensure that it causes no email delivery issues.

Some email recipients strictly require SPF, which indicates that if you do not have an SPF record published for your domain your emails may be marked as spam in your receiver’s inbox. Moreover, SPF helps in detecting unauthorized sources sending emails on behalf of your domain.

Let us first understand what is SPF and why do you need it?

Sender Policy Framework (SPF)

SPF is a standard email authentication protocol through which a domain publishes the IP addresses that are authorized to send email for it. A receiving server compares the IP address of the server delivering the message against the list of authorized hosts and addresses published in the DNS for the envelope sender's domain.

SPF, along with DMARC (Domain-based Message Authentication, Reporting and Conformance) is designed to detect forged sender addresses during email delivery and prevent spoofing attacks, phishing, and email scams.

It is important to know that although the default SPF record your hosting provider sets up ensures that email sent through that provider passes SPF, it does not cover other third-party vendors that send email for your domain. If you use several, the pre-existing record needs to be tailored to your requirements. How can you do that? Let's explore the two most common situations:

  • Creating a brand new SPF record
  • Optimizing an existing SPF record

Instructions on How to Optimize SPF Record

Create a Brand New SPF Record

Creating an SPF record is simply publishing a TXT record in your domain’s DNS to configure SPF for your domain. This is a mandatory step that comes before you start on how to optimize SPF record. If you are just starting out with authentication and unsure about the syntax, you can use our free online SPF record generator to create an SPF record for your domain.

An SPF record entry with a correct syntax will look something like this:

v=spf1 ip4:192.0.2.0/24 include:example.com -all

v=spf1: the version tag; every SPF record must start with it.
ip4 / ip6: an IP address or CIDR range that is authorized to send email for your domain.
include: tells the receiving server to evaluate the SPF record of the named domain and treat a pass there as a match.
-all: any source not matched by an earlier mechanism fails SPF. This is the recommended ending for your record. It can be replaced with ~all (soft fail: unmatched sources are suspect but usually still accepted) or +all, which allows any server anywhere to send email on behalf of your domain and is strongly discouraged.

If you already have SPF configured for your domain, you can also use our free SPF record checker to lookup and validate your SPF record and detect issues.

Common Challenges and Errors while Configuring SPF

1) 10 DNS Lookup limit 

The most common challenge faced by domain owners while configuring and adopting SPF for their domain is the limit on the number of DNS lookups, which must not exceed 10 per evaluation. For domains relying on multiple third-party vendors, the limit is exceeded easily, which breaks SPF and returns PermError. The receiving server then cannot use your record at all, so even mail from your legitimate sources gets no SPF pass, and DMARC treats it as an SPF failure.

Mechanisms that trigger DNS lookups: include, a, mx, ptr, exists, and the redirect modifier. The ip4, ip6 and all mechanisms do not.

2) SPF Void Lookup 

A void lookup is a DNS query made during SPF evaluation that returns NOERROR with no answer records, or NXDOMAIN: typically a mechanism pointing at a name that no longer exists. RFC 7208 limits void lookups to 2 per evaluation; beyond that the result is PermError. While implementing SPF, make sure every name referenced in your record actually resolves so that no lookup returns a void answer in the first place.

3) SPF Recursive loop

This error indicates that the SPF record for your domain contains recursive issues with one or more of the include mechanisms. It happens when a domain named in an include mechanism has an SPF record that, directly or through further includes, points back at the original domain. The receiving server keeps performing DNS lookups for the same records until it exceeds the 10 DNS lookup limit, at which point SPF returns PermError and your emails fail SPF.

4) Syntax Errors 

An SPF record may exist in your domain's DNS, but it is of no use if it contains syntax errors. The receiving server splits the record into terms on whitespace, so a stray space inside a term (for example "include: _spf.google.com" instead of "include:_spf.google.com") produces two fragments it cannot interpret: an "include:" with no target and a bare domain name. A single unrecognised term invalidates the whole record and returns PermError.

5) Multiple SPF records for the same domain

A single domain can have only one SPF TXT entry in the DNS. If your domain contains more than one SPF record, the receiving server invalidates all of them, causing emails to fail SPF.
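As an added example (not the page's, PowerDMARC's or the author's code), the following toy evaluator reproduces the results discussed under Cases 1 to 6 in the first post and the challenges 1 to 5 above: none, neutral, softfail, fail, temperror and permerror, including the 10-lookup limit, the void-lookup limit of 2, an include loop, a stray space splitting an include term, and two v=spf1 records for one name. Every domain name, address and record is constructed and lives in an in-memory dict instead of DNS; the mx, ptr and exists mechanisms and modifiers such as redirect= are counted or skipped rather than modelled. A real check would use a library such as pyspf against live DNS.

```python
# Toy SPF evaluator over a constructed in-memory DNS snapshot (added example,
# not the page's or PowerDMARC's code; a real verifier such as pyspf uses live DNS).
import ipaddress

TIMEOUT = object()      # sentinel: resolver timed out -> temperror
MAX_LOOKUPS = 10        # RFC 7208 s4.6.4: lookup-causing terms per check
MAX_VOID = 2            # RFC 7208 s4.6.4: empty/NXDOMAIN answers per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

DNS = {  # constructed snapshot; every name and address is hypothetical
    "TXT": {
        "good.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.vendor.example -all"],
        "_spf.vendor.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
        "neutral.example": ["v=spf1 ip4:192.0.2.10 ?all"],
        "dup.example": ["v=spf1 include:_spf.vendor.example -all",
                        "v=spf1 ip4:198.51.100.1 -all"],             # two records
        "typo.example": ["v=spf1 include: _spf.vendor.example -all"],  # stray space
        "loop-a.example": ["v=spf1 include:loop-b.example -all"],
        "loop-b.example": ["v=spf1 include:loop-a.example -all"],
        "void.example": ["v=spf1 a:x1.example a:x2.example a:x3.example -all"],
        "slow.example": TIMEOUT,
    },
    "A": {"mail.good.example": ["203.0.113.5"]},
}

class SpfError(Exception):
    """str(exc) is the SPF result: 'permerror' or 'temperror'."""

def _spf_record(domain):
    recs = DNS["TXT"].get(domain)
    if recs is TIMEOUT:
        raise SpfError("temperror")
    spf = [r for r in (recs or []) if r.split(" ", 1)[0] == "v=spf1"]
    if len(spf) > 1:
        raise SpfError("permerror")              # RFC 7208 s4.5: exactly one record
    return spf[0] if spf else None

def _count(counter, key, limit):
    counter[key] += 1
    if counter[key] > limit:
        raise SpfError("permerror")

def _check(domain, ip, counter):
    record = _spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:                          # modifiers (redirect=, exp=) not modelled
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in ("include", "a", "mx", "ptr", "exists"):
            _count(counter, "lookups", MAX_LOOKUPS)   # the 10-lookup limit
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:   # an IPv4 client never matches an ip6 network and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                raise SpfError("permerror")      # malformed address or prefix
        elif name == "include":
            if not arg:
                raise SpfError("permerror")      # 'include:' split from its target
            sub = _check(arg, ip, counter)
            if sub == "none":
                raise SpfError("permerror")      # RFC 7208 s5.2
            matched = sub == "pass"
        elif name == "a":
            found = [ipaddress.ip_address(x) for x in DNS["A"].get(arg or domain, [])]
            if not found:
                _count(counter, "void", MAX_VOID)   # void lookup
            matched = ip in found
        elif name in ("mx", "ptr", "exists"):
            matched = False                      # cost a lookup; not modelled here
        else:
            raise SpfError("permerror")          # unknown term = syntax error
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                             # no match and no 'all'

def check_spf(mail_from_domain, client_ip):
    """Return (result, lookups_counted) for a connection from client_ip."""
    counter = {"lookups": 0, "void": 0}
    try:
        res = _check(mail_from_domain, ipaddress.ip_address(client_ip), counter)
    except SpfError as exc:
        res = str(exc)
    return res, counter["lookups"]

if __name__ == "__main__":
    for dom in ("good.example", "neutral.example", "nospf.example", "dup.example",
                "typo.example", "loop-a.example", "void.example", "slow.example"):
        print(f"{dom:22} -> {check_spf(dom, '203.0.113.9')}")
```

Two details are worth noticing in the output: the include loop does not hang, it simply burns through the lookup budget and turns into PermError on the eleventh lookup, and the stray space in typo.example is rejected as soon as the "include:" fragment is reached, so the legitimate vendor range after it is never consulted.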

6) Length of the SPF record 

A single TXT character-string in DNS holds at most 255 characters, so that is the practical limit for a one-string SPF record. A TXT record may carry several strings, which the SPF verifier concatenates without inserting spaces, so a longer record is published by splitting it at term boundaries across multiple quoted strings (keeping the separating space at the end of each string). Even so, RFC 4408 and its successor RFC 7208 recommend that the whole record stay small enough for the DNS answer to fit in a 512-byte UDP response, in practice under about 450 characters; resolvers that cannot handle larger responses may otherwise receive a truncated answer and fail to validate email from the domain.
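To show what flattening actually produces, and how an oversized result is published, here is an added example (not the page's, PowerSPF's or the author's code) that serves both the SPF flattening post above and the record-length point here. It expands the include chain of a hypothetical corp.example record from a constructed snapshot dict standing in for DNS, deduplicates the ip4/ip6 terms, drops the all terms of the included records (an include that does not pass simply does not match, so only the top-level all applies), and then splits the result into 255-character TXT strings at term boundaries, keeping the separating space at the end of each string because verifiers concatenate the strings without adding one. It also flags a record over the roughly 450-character guidance of RFC 7208.

```python
# Static SPF flattening plus TXT-string splitting. Added example, not the page's
# or PowerSPF's code; SNAPSHOT stands in for DNS and every name/address is constructed.

SNAPSHOT = {
    "corp.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.crm.example "
                    "include:_spf.news.example -all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.crm-eu.example ~all",
    "_spf.crm-eu.example": "v=spf1 ip6:2001:db8:1::/48 ip4:203.0.113.0/25 -all",
    # a vendor that lists 32 single hosts instead of one netblock
    "_spf.news.example": "v=spf1 " + " ".join(
        f"ip4:203.0.113.{n}" for n in range(128, 160)) + " ~all",
}
STRING_LIMIT = 255      # max characters in one TXT character-string (RFC 1035)
SIZE_GUIDANCE = 450     # RFC 7208 s3.4: keep the whole record under about this


def flatten(domain, snapshot=SNAPSHOT, path=frozenset()):
    """Return (ip_terms, all_term) with every include replaced by ip4/ip6 terms.

    Only the top-level record's 'all' is kept: an included record's 'all' never
    applies to the including domain. `path` detects include loops.
    """
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    ips, all_term = [], None
    for term in snapshot[domain].split()[1:]:
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6", "+ip4", "+ip6"):
            term = term.lstrip("+")
            if term not in ips:                      # dedupe across vendors
                ips.append(term)
        elif name == "include":
            for sub in flatten(arg, snapshot, path | {domain})[0]:
                if sub not in ips:
                    ips.append(sub)
        elif name.lstrip("+-~?") == "all":
            all_term = term
        else:
            # a, mx, exists, ptr, redirect= and negated ip terms need live DNS or
            # per-term semantics; refuse rather than flatten them wrongly
            raise ValueError(f"cannot flatten {term!r} statically")
    return ips, all_term


def flattened_record(domain, snapshot=SNAPSHOT):
    ips, all_term = flatten(domain, snapshot)
    return " ".join(["v=spf1", *ips] + ([all_term] if all_term else []))


def to_txt_strings(record, limit=STRING_LIMIT):
    """Split on term boundaries into strings of at most `limit` characters.

    Verifiers join the strings with NO separator (RFC 7208 s3.3), so every
    string but the last keeps its trailing space; splitting mid-term or
    dropping that space changes the record's meaning.
    """
    strings, current = [], ""
    for term in record.split():
        piece = term + " "
        if len(piece) > limit:
            raise ValueError(f"term longer than {limit} chars: {term!r}")
        if len(current) + len(piece) > limit:
            strings.append(current)
            current = ""
        current += piece
    strings.append(current.rstrip())
    return strings


def zone_line(domain, record):
    """Render the record as a zone-file TXT RR made of quoted strings."""
    quoted = " ".join(f'"{s}"' for s in to_txt_strings(record))
    return f"{domain}. 3600 IN TXT {quoted}"


if __name__ == "__main__":
    rec = flattened_record("corp.example")
    print(f"{len(rec)} chars, {rec.count(' ') + 1} terms, 0 lookups")   # 663 chars
    if len(rec) > SIZE_GUIDANCE:
        print(f"warning: over {SIZE_GUIDANCE} chars; a UDP answer may be truncated")
    print(zone_line("corp.example", rec))
```

The constructed corp.example tree needs 3 lookups unflattened and 0 afterwards, but the flattened record is 663 characters: it only fits as three TXT strings and is already past the size guidance, which is the trade-off the flattening post describes. It is also a snapshot: if _spf.news.example adds a 33rd host tomorrow, this record does not know about it.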

Optimizing your SPF Record

In order to promptly modify your SPF record you can use the following SPF best practices:

  • List your sending sources from left to right in decreasing order of volume, so the most common senders match before the lookup budget is spent
  • Remove obsolete email sources from your DNS
  • Use IP4/IP6 mechanisms instead of A and MX
  • Keep your number of INCLUDE mechanisms as low as possible and avoid nested includes
  • Do not publish more than one SPF record for the same domain in your DNS
  • Make sure your SPF record doesn’t contain any redundant white spaces or syntax errors

Note: manual SPF flattening is not recommended since it isn't a one-time deal. If your email service provider changes their infrastructure, you have to change your SPF record accordingly, every single time.

Optimizing Your SPF Record Made Easy with PowerSPF

You can go ahead and try implementing all those above-mentioned modifications to optimize your SPF record manually, or you can forget the hassle and rely on our dynamic PowerSPF to do all that for you automatically! PowerSPF helps you optimize your SPF record with a single click, wherein you can:

  • Add or remove sending sources with ease
  • Update records easily without having to manually make changes to your DNS
  • Get an optimized auto SPF record with the single click of a button
  • Stay under the 10 DNS lookup limit at all time
  • Successfully mitigate PermError
  • Forget about SPF record syntax errors and configuration issues
  • We take away the burden of resolving SPF limitations on your behalf

Sign up with PowerDMARC today to bid adieu to SPF limitations forever!