Have you ever seen an email fail SPF? If you have, then I’m going to tell you exactly why SPF authentication fails. Sender Policy Framework, or SPF, is one of the email verification standards we’ve all used for years to stop spam. Even if you weren’t aware of it, I’ll bet if I checked your login account settings for Facebook it would likely show you “opt-in” to “email from friends only”. That is effectively the same thing as SPF.

What is SPF Authentication?

SPF is an email authentication protocol that is used to verify that the email sender matches with their domain name in the From: field of the message. The sending MTA will use DNS to query a preconfigured list of SPF servers to check if the sending IP is authorized to send email for that domain. There may be inconsistencies in how SPF records are set up, which is critical to understanding why emails can fail SPF verification, and what part you can play to ensure issues don’t occur in your own email marketing efforts or when you’re sending marketing emails to win over customers.

Why SPF Authentication Fails : None, Neutral, Hardfail, Softfail, TempError, and PermError

SPF authentication failures can happen due to the following reasons:

• The receiving MTA fails to find an SPF record published in your DNS
• You have multiple SPF records published in your DNS for the same domain
• Your ESPs have changed or added to their IP addresses which have not been updated on your SPF record
• If you exceed the 10 DNS lookup limit for SPF
• If you exceed the maximum number of permitted void lookup limit of 2
• Your flattened SPF record length exceeds the 255 SPF characters limit

Given above are various scenarios of why SPF authentication fails. You can monitor your domains with our DMARC analyzer to get reports on SPF authentication failures. When you have DMARC reporting enabled, the receiving MTA returns any one of the following SPF authentication failure results for the email depending on the reason for which your email failed SPF. Let’s get to know them better:

Types of SPF Fail Qualifiers

The following are types of SPF Fail qualifiers each of which is added as a prefix before the SPF fail mechanism:

“+” “Pass”
“-” “Fail”
“~” “Softfail”
“?” “Neutral”

How do these matter? Well in a situation your email does fail SPF, you can choose how stringently you want receivers to handle it. You may specify a qualifier to “pass” messages that fail check (deliver them), “Fail” delivery, or take a “Neutral” standpoint (do nothing).

Case 1: SPF None result is Returned

In the first case scenario,- if the receiving email server performs a DNS lookup and is unable to find the domain name in the DNS, a none result is returned. None is also returned in case no SPF record is found in the sender’s DNS, which implies that the sender doesn’t have SPF authentication configured for this domain. In this case SPF authentication for your emails fails.

Generate your error-free SPF record now with our free SPF record generator tool to avoid this.

Case 2: SPF Neutral Result is Returned

While configuring SPF for your domain, if you have affixed a ?all mechanism to your SPF record, this means that no matter what the SPF authentication checks for your outbound emails conclude, the receiving MTA returns a neutral result. This happens because when you have your SPF in neutral mode, you are not specifying the IP addresses that are authorized to send emails on your behalf and allowing unauthorized IP addresses to send them as well.

Case 3: SPF Softfail Result

Similar to SPF neutral, SPF softfail is identified by ~all mechanism which implies that the receiving MTA would accept the mail and deliver it into the inbox of the recipient, but it would be marked as spam, in case the IP address is not listed in the SPF record found in the DNS, which can be a reason why SPF authentication fails for your email. Given below is an example of SPF softfail:

 v=spf1 include:spf.google.com ~all

Case 4: SPF Hardfail Result

SPF hardfail, also known as SPF fail is when receiving MTAs would discard emails originating from any sending source that is not listed within your SPF record. We recommend you to configure SPF hardfail in your SPF record, if you want to gain protection against domain impersonation and email spoofing. Given below is an example of SPF hardfail:

v=spf1 include:spf.google.com -all

Case 5: SPF TempError (SPF Temporary Error)

One of the very common and often harmless reasons why SPF authentication fails is SPF TempError (temporary error) which is caused due to a DNS error such as a DNS timeout while an SPF authentication check is being performed by the receiving MTA. It is, therefore, just as the name suggests, usually an interim error returning a 4xx status code that can cause temporary SPF failure, however, yielding an SPF pass result when tried again later.

Case 6: SPF PermError (SPF Permanent Error)

Another common result that domain errors are faced with is SPF PermError. This is why SPF authentication fails in most case scenarios. This happens when your SPF record gets invalidated by the receiving MTA. There are many reasons why SPF might break and be rendered invalid by the MTA while performing DNS lookups:

• Exceeding the 10 SPF lookup limit
• Incorrect SPF record syntax
• More than one SPF record for the same domain
• Exceeding the SPF record length limit of 255 characters
• If your SPF record is not up to date with changes made by your ESPs

Note: When an MTA performs an SPF check on an email, it queries the DNS or conducts a DNS lookup to check for the authenticity of the email source. Ideally, in SPF you are allowed a maximum of 10 DNS lookups, exceeding which will fail SPF and return a PermError result.

How Can Dynamic SPF Flattening Resolve SPF PermError?

Unlike the other SPF errors, SPF PermError is much more tricky and complicated to resolve. PowerSPF helps you mitigate it easily with the help of automatic SPF flattening. It helps you:

• Stay under the SPF hard limit
• Instantly optimize your SPF record
• Flatten your record to a single include statement
• Make sure your SPF record is always updated on changes made by your ESPs

Want to test if you have SPF configured correctly for your domain? Try out our free SPF checker tool today!

• About
• Latest Posts

Maitham Al Lawati

Maitham is a tech entrepreneur, cybersecurity expert, CEO and Founder of PowerDMARC with 15+ years of industry experience. Maitham holds a Global MBA from the University of Manchester and various professional certifications including CISSP, CISM, CRISC, and ISC2 CCSP.

Latest posts by Maitham Al Lawati (see all)

• Fix SPF Permerror: Overcome SPF Too Many DNS Lookups Limit - April 26, 2024
• How to Publish a DMARC Record in 3 Steps? - April 2, 2024
• Why is DMARC failing? Fix DMARC Failure in 2024 - April 2, 2024