SPF

SPF failures generally indicate that emails are being sent from servers that are not authorized to send on behalf of your domain.

If your SPF (Sender Policy Framework) check passes for some emails but fails for most, the issue is most likely in how SPF is configured at the domain level, and possibly in how your email is routed through different sending servers.

Is SPF Failure Dependent on the Sender Account or the Email?

  • Sender Account (Domain Level): SPF records are configured at the domain level, so SPF validation depends on the domain of the sending address (strictly, the envelope sender / Return-Path domain, which for most directly sent mail is the same as the From address). If emails from different sender accounts on the same domain are failing SPF, it is likely a domain-wide issue.

  • Sending Servers: SPF checks the servers that are used to send the email. If an email is routed through an unauthorized server or an intermediary server not listed in the SPF record, SPF will fail for those emails.

  • Email-Specific Issues: While SPF is domain-based, email-specific factors like using third-party email services or forwarding can also cause SPF failures if the sending server is not properly listed in the SPF record.

Common Reasons for SPF Failures:

  1. Missing or Incorrect SPF Record in DNS: If your domain’s SPF record is missing or not configured correctly, any emails sent from that domain will fail SPF checks.

  2. Sending from Unauthorized Servers: If you send emails from servers or services that are not listed in your SPF record (e.g., third-party platforms or multiple email providers), SPF will fail for those emails.

  3. Too Many DNS Lookups in SPF Record: SPF allows at most 10 DNS lookups while evaluating a record, and nested include statements count toward that total. If you exceed this limit, evaluation ends in a permanent error (permerror), which receivers treat as a failure.

  4. Forwarding of Emails: If an email is forwarded, SPF can fail because the forwarding server may not be listed in the original sender’s SPF record.

How to Fix SPF Failures:

1. Ensure You Have a Valid SPF Record

  • SPF Syntax: Your SPF record is a TXT record in your domain’s DNS settings. It should include all the IP addresses and servers that are authorized to send emails on behalf of your domain. Here’s an example of a basic SPF record:

    v=spf1 include:spf.mailprovider.com -all

    • v=spf1: Declares the version of SPF being used.

    • include: Pulls in the SPF record of another domain, typically a mail provider's (e.g., Google, Amazon SES, etc.), so that provider's sending servers are authorized for your domain too.

    • -all: The "-" (hard fail) qualifier on the all mechanism. It indicates that emails from any server not matched by the preceding mechanisms should be rejected.

  • Action: Verify that your SPF record is present and correctly formatted in your DNS settings. You can use tools like MXToolbox SPF Lookup or SPF Record Checker to verify your record.

2. List All Sending Servers and Services

  • Identify All Servers and Services Sending Emails: Make sure your SPF record includes all the mail servers that are authorized to send emails on behalf of your domain. This includes:

    • Your primary mail servers (e.g., Google Workspace, Office365).

    • Any third-party services that send emails on your behalf (e.g., Amazon SES, Mailgun, SendGrid, etc.).

    • Any internal or company mail servers.

  • Action: Add all relevant mail servers and services to your SPF record using the correct include statements. For example, if you’re using Google Workspace and Amazon SES to send emails, your SPF record should look something like this:

    v=spf1 include:_spf.google.com include:amazonses.com -all


3. Minimize the Number of DNS Lookups

  • SPF Limit: SPF allows a maximum of 10 DNS lookups per evaluation. include, a, mx, ptr, exists and redirect each cost one lookup, and includes of includes count too. If you have too many include statements or other DNS-querying mechanisms, SPF validation will fail.

  • Action: To stay under the 10 lookup limit:

    • Remove unnecessary or redundant include statements.

    • Use SPF flattening (offered by some DNS providers), which replaces include statements with the IP addresses they resolve to. Those addresses change over time, so use a service that keeps the flattened record updated rather than flattening by hand once.
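To make the lookup budget from sections 1 to 3 concrete, here is an added example (not code from the original page or from any SPF tool) that parses a record, follows include and redirect the way a receiving server does, and reports the lookup count and the qualifier on all. DNS is replaced by a constructed in-memory table; every domain and address in it is a placeholder.

```python
# Added example, not from the original page: count the DNS lookups an SPF
# record costs a verifier, following include/redirect the way a receiver does.
# DNS answers come from a constructed table; all domains/IPs are placeholders.
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # charged against the 10-lookup limit

FAKE_DNS = {
    # tidy record: two includes plus mx = 3 lookups, hard fail for everything else
    "tidy.example": "v=spf1 include:_spf.mailhost.example include:ses.example mx -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "ses.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # bloated record: 5 includes that each include 2 more = 15 lookups, over the limit
    "bloated.example": "v=spf1 include:v1.example include:v2.example include:v3.example "
                       "include:v4.example include:v5.example ~all",
}
for i in range(1, 6):
    FAKE_DNS[f"v{i}.example"] = f"v=spf1 include:v{i}a.example include:v{i}b.example -all"
    FAKE_DNS[f"v{i}a.example"] = "v=spf1 ip4:203.0.113.0/24 -all"
    FAKE_DNS[f"v{i}b.example"] = "v=spf1 ip6:2001:db8::/32 -all"

def parse_terms(record):
    """Split a record into (qualifier, name, value) terms, dropping the v=spf1 tag."""
    terms = []
    for tok in record.split()[1:]:
        qual = tok[0] if tok[0] in "+-~?" else "+"   # default qualifier is '+' (pass)
        body = tok.lstrip("+-~?")
        sep = "=" if "=" in body else ":"             # modifiers use '=', mechanisms ':'
        name, _, value = body.partition(sep)
        terms.append((qual, name.lower(), value))
    return terms

def count_lookups(domain, resolver, depth=0):
    """Lookups charged while evaluating `domain`, recursing into include and redirect."""
    record = resolver.get(domain)
    if record is None or depth > 10:                  # missing record or runaway nesting
        return 0
    total = 0
    for _, name, value in parse_terms(record):
        if name in LOOKUP_MECHS or name == "redirect":
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(value, resolver, depth + 1)
    return total

def check_record(domain, resolver):
    """The two things to verify: lookup budget and the qualifier on 'all'."""
    lookups = count_lookups(domain, resolver)
    quals = [q for q, name, _ in parse_terms(resolver.get(domain, "v=spf1")) if name == "all"]
    return {"lookups": lookups, "within_limit": lookups <= 10,
            "all_qualifier": quals[0] if quals else None}
```

Pointing the resolver at real TXT answers instead of FAKE_DNS gives the same count a verifier would charge your domain.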

4. Configure Email Forwarding Correctly

  • Forwarding Issue: When an email is forwarded, the destination server sees the forwarding server's IP address as the source, but the envelope sender is still the original sender's domain, whose SPF record does not list the forwarder. The SPF check therefore fails.

  • Action: Implement Sender Rewriting Scheme (SRS) on your forwarding server. SRS rewrites the envelope sender to an address at the forwarding domain when it forwards an email, so the destination checks the forwarder's own SPF record and the check passes, while bounces can still be mapped back to the original sender.
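An added illustration of what SRS does on the forwarding server (not the page's own code, and not any mail server's implementation): the envelope sender is rewritten into the SRS0 form at the forwarder's domain, and a bounce to that address is verified and mapped back. The secret, day counter and addresses are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Added example, not the page's or any forwarder's code: SRS0 rewrite of the
# envelope sender and the reverse mapping for bounces. Secret, day counter and
# addresses are constructed placeholders.
SRS_SECRET = b"constructed-demo-secret"           # a real forwarder keeps this private
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"         # alphabet for the 2-char timestamp

def srs_timestamp(day):
    """Day count mod 1024 as two base32 characters (10 bits)."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]

def srs_hash(secret, ts, domain, local):
    """Short HMAC binding timestamp and original address so bounces cannot be forged."""
    mac = hmac.new(secret, f"{ts}{domain}{local}".lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(mac)[:4].decode()

def srs_forward(sender, forwarder, secret=SRS_SECRET, day=0):
    """Rewrite alice@sender.example to SRS0=HHHH=TT=sender.example=alice@forwarder."""
    local, _, domain = sender.rpartition("@")
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"

def srs_reverse(address, secret=SRS_SECRET, day=0, max_age_days=21):
    """Map a bounce back to the original sender, rejecting forged or stale addresses."""
    local = address.rpartition("@")[0]
    tag, h, ts, domain, orig_local = local.split("=", 4)
    if tag != "SRS0":
        raise ValueError("not an SRS0 address")
    if not hmac.compare_digest(h, srs_hash(secret, ts, domain, orig_local)):
        raise ValueError("SRS hash mismatch: forged or altered address")
    stamp = (B32.index(ts[0]) << 5) | B32.index(ts[1])
    if (day - stamp) % 1024 > max_age_days:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{domain}"

if __name__ == "__main__":
    rewritten = srs_forward("alice@sender.example", "forwarder.example", day=100)
    print(rewritten)                         # envelope sender the destination's SPF check sees
    print(srs_reverse(rewritten, day=105))   # alice@sender.example
```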

5. Test Your SPF Configuration

  • Use tools like:

    • MXToolbox SPF Lookup to check if your SPF record is set up correctly.

    • Smartlead's SmartDelivery to send test emails and check if SPF passes for those emails.

    • Google Postmaster Tools (if you send emails to Gmail accounts) to check your domain’s email authentication results.

6. Ensure Email Services Sign Emails Properly

  • Some email services (like Google, Amazon SES, or SendGrid) require you to verify your domain and complete their authentication setup (the SPF include for their servers and DKIM signing) before mail they send on your behalf will pass checks. Make sure your domain is verified within each email service you are using.

7. Monitor SPF Failures Using DMARC

  • Set Up DMARC: DMARC (Domain-based Message Authentication, Reporting & Conformance) works with SPF and DKIM to help email servers decide what to do when an email fails authentication. It also provides reporting on SPF and DKIM failures.

  • Action: Set up a DMARC policy for your domain to get reports on SPF failures and to instruct receiving servers on how to handle authentication failures.
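As an added example of what the DMARC reports give you (not code from the page or from any DMARC tool), this reads a DMARC aggregate (rua) report, pulls out the rows where SPF failed, and labels the likely cause: a source missing from your SPF record, or the forwarding pattern from section 4 where SPF passed but for a different domain. The report is constructed, with documentation IP ranges and placeholder domains.

```python
import xml.etree.ElementTree as ET

# Added example, not from the page or any DMARC tool: pull the SPF failures out
# of a DMARC aggregate (rua) report and label the likely cause. The report is
# constructed; IPs are documentation ranges and the domains are placeholders.
SAMPLE_RUA = """<feedback>
<report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
<policy_published><domain>yourdomain.example</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>40</count>
 <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>yourdomain.example</header_from></identifiers>
 <auth_results><spf><domain>yourdomain.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.7</source_ip><count>25</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>yourdomain.example</header_from></identifiers>
 <auth_results><spf><domain>yourdomain.example</domain><result>fail</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.4</source_ip><count>5</count>
 <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>yourdomain.example</header_from></identifiers>
 <auth_results><spf><domain>forwarder.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def spf_failures(report_xml):
    """One dict per record whose DMARC SPF evaluation failed, with the likely cause."""
    out = []
    for rec in ET.fromstring(report_xml).iter("record"):
        if rec.findtext("row/policy_evaluated/spf") != "fail":
            continue
        raw_result = rec.findtext("auth_results/spf/result")
        spf_domain = rec.findtext("auth_results/spf/domain")
        # DMARC's SPF verdict needs a pass AND alignment with the From domain
        # (strict alignment used here for brevity); a pass on a different domain
        # is the forwarding / third-party envelope-sender pattern.
        if raw_result == "pass" and spf_domain != rec.findtext("identifiers/header_from"):
            cause = "spf passed for another domain: forwarding or third-party envelope sender"
        else:
            cause = "source not authorized in your spf record"
        out.append({"source_ip": rec.findtext("row/source_ip"),
                    "count": int(rec.findtext("row/count")),
                    "dkim": rec.findtext("row/policy_evaluated/dkim"),
                    "cause": cause})
    return out

def total_failed(report_xml):
    """Messages in the report that failed DMARC's SPF evaluation."""
    return sum(r["count"] for r in spf_failures(report_xml))
```

Rows with cause "source not authorized" are the ones to fix in your SPF record; rows where DKIM still passed are typically forwarding and are what DKIM and SRS are there to cover.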

Example SPF Record for Multiple Services:

If you’re using multiple email services to send emails (e.g., Google Workspace for general emails, Amazon SES for marketing, and SendGrid for transactional emails), your SPF record might look like this:

v=spf1 include:_spf.google.com include:amazonses.com include:sendgrid.net -all

Summary of Steps:

  1. Verify your SPF record in your domain's DNS and ensure it is correctly formatted.

  2. Add all authorized sending servers and services to the SPF record using the include mechanism.

  3. Minimize DNS lookups by keeping the SPF record simple and avoiding unnecessary include statements.

  4. Use SRS for email forwarding to prevent SPF failures during forwarding.

  5. Test your SPF record using online tools to ensure it works correctly.

  6. Monitor authentication reports via DMARC to track SPF failures and improve future deliverability.

By ensuring your SPF record is configured correctly and covers all the services and servers you use to send emails, you can reduce SPF failures and improve your email deliverability.
