SPF validation is one of the most important aspects of good delivery. That is why it is important to have your record properly verified - otherwise recipient servers may reject or filter your messages.
SPF is no joking matter. Without it, your emails could bounce or land in the junk folder, instead of reaching the person you wanted to contact. That's why it's mandatory to apart from setting it up, understand what can go wrong and fix it accordingly. If you're not sure what is SPF or DKIM is strongly urge you to first read this article, before doing anything else. Then the Domain Verification Tutorial will show you more in-depth, how to add the records to your domain's DNS settings.
Below, we have listed common SPF errors and how to fix them for better control over your email deliverability.
How to add an SPF record?
Let's take you through this step by step. One of the records you will be adding is what is called an SPF record. The actual record type is TXT but is widely used and referred to as SPF. You might think that adding a record is complicated, but honestly, it is very easy and understandable. As outlined in the tutorial, here are the steps you need to take to add the SPF record to your DNS.
When you log in on your domain provider list you will have an option, to edit your records. Once you access the dedicated page for it (the name and options can vary depending on the service provider) you will be able to input the data below in the specified fields:
- Name: yourdomain (or @)
- Value: v=spf1 a mx include:_spf.elasticemail.com ~all
If you already have an SPF entry then you need to edit your current one. For example, if your domain already has the record:
v=spf1 a mx include:_spf.google.com ~all
then you would just add: include:_spf.elasticemail.com
The final record would look like this:
v=spf1 a mx include:_spf.google.com include:_spf.elasticemail.com ~all
If your record does not validate - then it most likely means that either the record is failing to propagate or there is a configuration issue. Some very common SPF issues are listed below.
List of common SPF mistakes
Multiple SPF Records
It's important to point out that each domain may have only one SPF entry. If your domain contains more than one entry, recipient servers will decline both. As a result, it will cause your emails to fail an SPF check. There are two ways of tackling this issue.
You should remove the SPF entries in the domain's DNS, that are not in use anymore. You might have quit using some services that still have an SPF entry specified in your DNS zone or switch hosting/email providers - such obsolete records are eligible for removal.
Another way to address this would be to merge two (or more) records into one. For example, a user domain has an SPF record and has already included the Elastic Email SPF entry but is still not verifying correctly on the dashboard. The reason for it would be that there are two SPF records present on the domain:
v=spf1 a mx include:_mypartnerdomain1.com include:_spf.elasticemail.com ~all
v=spf1 a mx include:_mypartnerdomain2.com ~all
In order to resolve it, these two records should be merged into one:
v=spf1 a mx include:_mypartnerdomain1.com include:_mypartnerdomain2.com include:_spf.elasticemail.com ~all
When merging make sure that your entry starts with "v=spf1" and ends with "~all" parameter.
However, there is a catch while using the second fix. Merging multiple SPF records into one might lead to too many DNS lookups which will again result in the domain not verifying correctly. So how to resolve this issue?
Too many DNS lookups
An individual SPF record is limited to 10 "include" lookups. This means your record cannot generate more than 10 references to other domains. Every instance of parameters "include", "a", "mx", "ptr", "exists", "redirect" will generate one lookup. Additionally, if any domain that is referenced in an "include" contains another instance of those parameters it is also counted towards the 10 lookup limit. Simple, right?
However, if the SPF record exceeds 10 DNS lookups, the email will fail SPF. So, how to fix it?
Remove includes and references to domains that are not in use anymore. Alternatively, subdomains can be used. Creating a subdomain will allow an additional SPF record. However, if a subdomain is verified then the email will need to be sent from that subdomain.
Following is an example of how many DNS lookups might be broken down between three subdomains:
SPF_for_Subdomain1: "v=spf1 include_record1 include_record2 (etc.) -all"
SPF_for_Subdomain2: "v=spf1 include_record3 include_record4 (etc.) -all"
SPF_for_Subdomain3: "v=spf1 include_record5 include_record5 (etc.) -all"
In this case, your main domain could have just three DNS lookups:
SPF_for_Main_Domain: "v=spf1 include:SPF_for_Subdomain1 include:SPF_for_Subdomain2 include:SPF_for_Subdomain3 -all"
Make sure the SPF record is properly constructed. Each SPF record must:
Start with “v=spf1”
End with “~all” , “-all” or “?all”
And does not have multiple “all” or “v=spf1” parts in the entry (eg. v=spf1 a mx include:_spf.elasticemail.com ~all ~all )
Additional + in include
Some recipient servers are unable to pass SPF records when the "include" is prefixed with a "+" sign. This is because the default parameter for the mechanism is a pass. The "+" also means pass, so it is redundant. Simply removing any "+" signs from the record will ensure it will pass will most recipient servers.
If your record is not validating, please double check your entry for typos. Examples:
"incldue" instead of "include"
the domain name, make sure you use "_spf.elasticemail.com" and not the easily mistaken "_spf.elasticmail.com"
Still not verifying?
Each change in your DNS zone needs some time to propagate through the internet. Usually, it takes anywhere from a few seconds to one hour. However, in rare cases, this period may take up to 48 hours. If your record is still not propagated after several hours you should contact your domain hosting support and ask them if the change to your DNS has been properly saved and propagated.
If you sign up with Elastic Email, not only you will verify your domain hassle-free and send emails within minutes of creating our account, but if you get stuck at any point our 24/7 Customer Success Team will help you out!