by Elastic Email Jun 13, 2017

SPF validation is one of the most important aspects of good delivery. That is why it is important to have your record properly verified - otherwise recipient servers may reject or filter your messages.

SPF validation is a crucial aspect of good delivery. That’s why it’s incredibly important to have your records verified properly, so that your recipients’ servers do not reject or filter your messages.

Why is SPF so important and how does it work?

SPF stands for Sender Policy Framework, which is an email authentication method designed to protect email recipients from receiving spoofed emails. By adding SPF records to your DNS records, you will allow email clients to verify that you have authorized a given IP address to send emails from your domain. 

This makes verifying your email through SPF crucial to maintaining your sender reputation and ensuring high deliverability.

How to set up SPF records?

Now that you know why it’s so important to add SPF records, it’s time to actually add them. SPF records are held in TXT records in your domain's DNS records. While adding a record might sound like a daunting task, it’s not really that hard to do.

First, you have to log in to your domain provider and find the option to edit your records. The names and options can vary, but eventually you should be able to find the option. Once there, input the following data into the TXT records:

  • Name: yourdomain (or @)
  • Value: v=spf1 a mx include:_spf.elasticemail.com ~all

If you already have an SPF entry, then you need to edit your current one. For example, if your domain has a record like:

v=spf1 a mx include:_spf.google.com ~all

Then you would just need to add: include:_spf.elasticemail.com

The final record would look like this: 

v=spf1 a mx include:_spf.google.com include:_spf.elasticemail.com ~all

If your record does not validate - then it most likely means that your record is failing to propagate or there is an issue with the configuration. Here are some common SPF issues.

List of common SPF mistakes

Multiple SPF Records

It’s important to point out that each domain may only have one SPF record. If your domain has more than one entry, the recipient servers will decline both, resulting in a failed SPF check for your emails. There are two ways of resolving this multiple SPF records error.

Start by seeing if you have any unused SPF entries in your domain’s DNS records. You might have stopped using some services that still have an entry in your DNS, or switched your hosting/email providers. You can safely remove SPF records like that.

If you need more than one entry, no problem. Say that there are two SPF records in your settings, for example:

v=spf1 a mx include:_mypartnerdomain1.com include:_spf.elasticemail.com ~all

v=spf1 a mx include:_mypartnerdomain2.com ~all

In order to resolve it, these two records should be merged into one, using this syntax:

v=spf1 a mx include:_mypartnerdomain1.com include:_mypartnerdomain2.com include:_spf.elasticemail.com ~all

When merging, make sure that your entry starts with “v=spf1” and ends with the “~all” parameter. 

However, there is a catch while using the second fix. Merging multiple SPF records into one might lead to too many DNS lookups which will again result in the domain not verifying correctly. So how to resolve this issue?

Too many DNS lookups

An individual SPF record is limited to 10 DNS lookups. This means your record cannot generate more than 10 references to other domains. Every instance of “include”, “a”, “mx”, “ptr”, “exists” and “redirect” will generate one lookup. If any domain that is referenced in an “include” contains another instance of those parameters, it is also counted towards the 10 lookup limit.

However, if the SPF record exceeds 10 DNS lookups, the email will fail SPF. So, how to fix it?

Remove includes and references to domains that are not in use anymore. Alternatively, subdomains can be used. Creating a subdomain will allow you to create an additional SPF record. However, if a subdomain is verified then the email will need to be sent from that subdomain.

Here’s an example of how you can break down DNS lookups between three subdomains:

SPF_for_Subdomain1: "v=spf1 include_record1 include_record2 (etc.) -all"

SPF_for_Subdomain2: "v=spf1 include_record3 include_record4 (etc.) -all"

SPF_for_Subdomain3: "v=spf1 include_record5 include_record6 (etc.) -all"

In this case, your main domain could have just three DNS lookups:

SPF_for_Main_Domain: "v=spf1 include:SPF_for_Subdomain1 include:SPF_for_Subdomain2 include:SPF_for_Subdomain3 -all"
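
The counting rule from this section, as an added example that is not Elastic Email's own code: it walks a constructed zone (hypothetical `.test` domains held in a dictionary instead of live DNS) and charges every “include”, “a”, “mx”, “ptr”, “exists” and “redirect” to one total, including those found in records pulled in by an include.

```python
# Added example: constructed zone data, no live DNS queries are made.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Hypothetical domains and records, built only for this illustration.
ZONE = {
    "example.test": "v=spf1 a mx include:_spf.mail.test include:_spf.crm.test ~all",
    "news.example.test": "v=spf1 include:_spf.mail.test ~all",
    "_spf.mail.test": "v=spf1 include:_a.mail.test include:_b.mail.test ~all",
    "_a.mail.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mail.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_spf.crm.test": "v=spf1 a mx exists:%{i}.bl.crm.test include:_c.crm.test ~all",
    "_c.crm.test": "v=spf1 ip6:2001:db8::/32 a:out.crm.test mx:crm.test ~all",
}

def split_term(term):
    """Return (name, target) for one term, without qualifier or CIDR suffix."""
    term = term.lstrip("+-~?")
    if term.lower().startswith("redirect="):
        return "redirect", term.split("=", 1)[1]
    name, _, target = term.partition(":")
    return name.split("/", 1)[0].lower(), target

def count_lookups(domain, zone, path=()):
    """Count lookup-generating terms in a record and in every record it pulls in."""
    if domain in path:
        raise ValueError(f"include loop: {' -> '.join(path + (domain,))}")
    total = 0
    for term in zone[domain].split()[1:]:
        name, target = split_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, path + (domain,))
    return total

def over_limit(domain, zone):
    """True when evaluating the record would need more than LIMIT lookups."""
    return count_lookups(domain, zone) > LIMIT

if __name__ == "__main__":
    for name in ("example.test", "news.example.test"):
        print(name, count_lookups(name, ZONE), "over limit:", over_limit(name, ZONE))
```

The top-level record for `example.test` shows only four lookup-generating terms, yet the nested records bring the total over the limit, while the subdomain record that mail would be sent from stays well under it.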

Syntax error

Make sure the SPF record is properly constructed. Each SPF record must:

  • Start with “v=spf1”
  • End with “~all”, “-all” or “?all”
  • Not contain multiple “all” or “v=spf1” parts (for example, v=spf1 a mx include:_spf.elasticemail.com ~all ~all)

Additional + in include

Some recipient servers are unable to pass SPF records when the “include” is prefixed with a “+” sign. This is because the default parameter for the mechanism is a pass. The “+” also means pass, making it redundant. Simply removing any “+” signs from the record will ensure that it will pass with most recipient servers.

Typos

If your record is not validating, double check your entry for typos. Examples:

“Incldue” instead of “include”

Or

The domain name: make sure you use “_spf.elasticemail.com” and not the easily mistaken “_spf.elasticmail.com”
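
The checks from the multiple-records, syntax, “+” and typo sections above, as an added example that is not Elastic Email's tooling: a small linter run over constructed TXT strings. The names `lint_record` and `lint_domain` are hypothetical.

```python
import difflib
import re

KNOWN = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists", "redirect", "exp"}
VALID_ENDINGS = {"~all", "-all", "?all"}  # the endings the article lists

def lint_record(record):
    """Return findings for one SPF TXT string, following the article's checklist."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append('does not start with "v=spf1"')
    if sum(t.lower() == "v=spf1" for t in terms) > 1:
        findings.append('more than one "v=spf1"')
    names = []
    for term in terms[1:]:
        if term.lower() == "v=spf1":
            continue  # already reported above
        qualifier = term[0] if term[0] in "+-~?" else ""
        name = re.split(r"[:=/]", term[len(qualifier):], maxsplit=1)[0].lower()
        names.append(name)
        if name not in KNOWN:
            hint = difflib.get_close_matches(name, sorted(KNOWN), n=1)
            suffix = f', did you mean "{hint[0]}"?' if hint else ""
            findings.append(f'unknown term "{name}"{suffix}')
        elif qualifier == "+" and name == "include":
            findings.append('redundant "+" before include')
    if names.count("all") > 1:
        findings.append('more than one "all"')
    if not terms or terms[-1].lower() not in VALID_ENDINGS:
        findings.append('does not end with "~all", "-all" or "?all"')
    return findings

def lint_domain(txt_records):
    """Lint every SPF string among a domain's TXT records and flag duplicates."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published, only one is allowed")
    for record in spf:
        findings += [f"{record}: {f}" for f in lint_record(record)]
    return findings

# Constructed TXT set, reusing the two-record case from the article.
SAMPLE = [
    "site-verification=constructed-value",
    "v=spf1 a mx include:_mypartnerdomain1.com include:_spf.elasticemail.com ~all",
    "v=spf1 a mx include:_mypartnerdomain2.com ~all",
]
```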

Still not verifying?

Each change in your DNS zone needs some time to propagate through the internet. Usually, it takes anywhere from a few seconds to one hour. However, in rare cases, it may take up to 48 hours. If your record is still not propagated after several hours you should contact your domain provider’s support and ask them if the change to your DNS has been properly saved and propagated.

If you sign up with Elastic Email, not only will you verify your domain hassle-free and be able to send emails within minutes of creating your account, but our customer service team will help you out if you get stuck at any point.

Read also our article: Why should I care about SPF and DKIM?

SPF is no joking matter. Without it, your emails could bounce or land in the junk folder, instead of reaching the person you wanted to contact. That's why, apart from setting it up, it's mandatory to understand what can go wrong and fix it accordingly. If you're not sure what SPF or DKIM is, we strongly urge you to first read this article before doing anything else. Then the Domain Verification Tutorial will show you, in more depth, how to add the records to your domain's DNS settings.

Below, we have listed common SPF errors and how to fix them for better control over your email deliverability.

How to add an SPF record?

Let's take you through this step by step. One of the records you will be adding is what is called an SPF record. The actual record type is TXT but is widely used and referred to as SPF. You might think that adding a record is complicated, but honestly, it is very easy and understandable. As outlined in the tutorial, here are the steps you need to take to add the SPF record to your DNS.

When you log in to your domain provider, you will have an option to edit your records. Once you access the dedicated page for it (the name and options can vary depending on the service provider), you will be able to input the data below in the specified fields:

  • Name: yourdomain (or @)
  • Value: v=spf1 a mx include:_spf.elasticemail.com ~all

If you already have an SPF entry then you need to edit your current one. For example, if your domain already has the record:

v=spf1 a mx include:_spf.google.com ~all

then you would just add: include:_spf.elasticemail.com

The final record would look like this:

v=spf1 a mx include:_spf.google.com include:_spf.elasticemail.com ~all

If your record does not validate - then it most likely means that either the record is failing to propagate or there is a configuration issue. Some very common SPF issues are listed below.

List of common SPF mistakes

Multiple SPF Records

It's important to point out that each domain may have only one SPF entry. If your domain contains more than one entry, recipient servers will decline both. As a result, it will cause your emails to fail an SPF check. There are two ways of tackling this issue.

You should remove the SPF entries in the domain's DNS that are not in use anymore. You might have quit using some services that still have an SPF entry specified in your DNS zone, or switched hosting/email providers. Such obsolete records are eligible for removal.

Another way to address this would be to merge two (or more) records into one. For example, a user domain has an SPF record and has already included the Elastic Email SPF entry but is still not verifying correctly on the dashboard. The reason for it would be that there are two SPF records present on the domain:

v=spf1 a mx include:_mypartnerdomain1.com include:_spf.elasticemail.com ~all
v=spf1 a mx include:_mypartnerdomain2.com ~all

In order to resolve it, these two records should be merged into one:

v=spf1 a mx include:_mypartnerdomain1.com include:_mypartnerdomain2.com include:_spf.elasticemail.com ~all

When merging, make sure that your entry starts with "v=spf1" and ends with the "~all" parameter.

However, there is a catch while using the second fix. Merging multiple SPF records into one might lead to too many DNS lookups which will again result in the domain not verifying correctly. So how to resolve this issue?

Too many DNS lookups

An individual SPF record is limited to 10 DNS lookups. This means your record cannot generate more than 10 references to other domains. Every instance of the parameters "include", "a", "mx", "ptr", "exists" and "redirect" will generate one lookup. Additionally, if any domain that is referenced in an "include" contains another instance of those parameters, it is also counted towards the 10 lookup limit. Simple, right?

However, if the SPF record exceeds 10 DNS lookups, the email will fail SPF. So, how to fix it?

Remove includes and references to domains that are not in use anymore. Alternatively, subdomains can be used. Creating a subdomain will allow an additional SPF record. However, if a subdomain is verified then the email will need to be sent from that subdomain.

The following is an example of how DNS lookups might be broken down between three subdomains:

SPF_for_Subdomain1: "v=spf1 include_record1 include_record2 (etc.) -all"

SPF_for_Subdomain2: "v=spf1 include_record3 include_record4 (etc.) -all"

SPF_for_Subdomain3: "v=spf1 include_record5 include_record6 (etc.) -all"

In this case, your main domain could have just three DNS lookups:

SPF_for_Main_Domain: "v=spf1 include:SPF_for_Subdomain1 include:SPF_for_Subdomain2 include:SPF_for_Subdomain3 -all"

Syntax error

Make sure the SPF record is properly constructed. Each SPF record must:

  • Start with “v=spf1”
  • End with “~all”, “-all” or “?all”
  • Not have multiple “all” or “v=spf1” parts in the entry (e.g. v=spf1 a mx include:_spf.elasticemail.com ~all ~all)

Additional + in include

Some recipient servers are unable to pass SPF records when the "include" is prefixed with a "+" sign. This is because the default parameter for the mechanism is a pass. The "+" also means pass, so it is redundant. Simply removing any "+" signs from the record will ensure it will pass with most recipient servers.

Typos

If your record is not validating, please double check your entry for typos. Examples:

"incldue" instead of "include"

Or

the domain name, make sure you use "_spf.elasticemail.com" and not the easily mistaken "_spf.elasticmail.com"

Still not verifying?

Each change in your DNS zone needs some time to propagate through the internet. Usually, it takes anywhere from a few seconds to one hour. However, in rare cases, this period may take up to 48 hours. If your record is still not propagated after several hours you should contact your domain hosting support and ask them if the change to your DNS has been properly saved and propagated.

If you sign up with Elastic Email, not only will you verify your domain hassle-free and send emails within minutes of creating your account, but if you get stuck at any point our 24/7 Customer Success Team will help you out!
