Email authentication is an important aspect of securing your email infrastructure, which means that you cannot afford to get it wrong. You might not get it wrong on purpose, but it is the small things that can cause bigger problems than you think.
This happens a lot when you’re configuring the SPF record for your domain. Theoretically, an SPF record is just a list of servers that are allowed to send emails on your behalf. But in reality, things are a lot more complex. The record must follow a specific format, and even a small mistake like an SPF record with multiple includes or an SPF record with too many lookups can cause the entire setup to fail.
What makes this problem worse is that you might not even realize that your SPF record isn’t configured properly; no email system really tells you about it, but your domain’s reputation will gradually start taking a hit.

That’s also partly because SPF records aren’t as flexible as they seem. There are strict limits on how they work, such as the maximum number of DNS lookups and the way ‘includes’ are handled. If you cross these SPF record limitations, your record fails, even if it looks fine on the surface.
In this article, we will take a look at how to fix SPF record errors. But before we dive into it, let’s see how SPF records work.
How do SPF records work?
When you send an email, the receiving server needs to check if the email is actually coming from your domain or if someone is pretending to send on your behalf. To do that, it looks up the SPF record for your domain — that’s what SPF records are used for: to confirm whether the sending server is authorized to send emails for your domain.
The SPF record is stored as a TXT record in the domain’s DNS settings. It contains a list of servers that are authorized to send emails on behalf of the domain. When the receiving server processes the email, it takes the domain from the “MAIL FROM” address and cross-checks the sending server against that domain’s SPF record. If the sending server is listed on that record, the email passes the check. If it’s not, the server can either reject the email or mark it as spam.

That’s the basic idea of how an SPF record works.
But if your SPF record has mistakes like too many entries, wrong values, or something extra added by your DNS provider, the check might fail even if you’re sending a legitimate email. That’s when your emails start going to spam or not getting delivered at all.
What are the most common SPF Record errors that you might encounter?
As we established earlier, creating an SPF record is a complex endeavor, particularly because of the strict rules that define how the record must be structured and evaluated. It’s not just about listing the servers. The format, the number of lookups, and even the way DNS providers handle the records all matter.
Here, we will go through some of the most common errors that you might face while creating or maintaining an SPF record and ways you can fix the issue.

“Null” value in your SPF record
A null value in an SPF record basically means the record is either empty, broken, or incomplete. You might have either forgotten to add a valid mechanism like ‘ip4:’ or ‘include:’, or there could be a formatting error that leaves you with an invalid SPF record. In any case, the server would think that there are no authorized senders, so it should trust no one. This means that even if your email is genuine, it will inevitably fail the authentication check.
There are a few reasons why this could happen:
- Misconfiguration: Sometimes, when editing or creating the record, you might leave out the necessary parts like “ip4:” or “include:”, or make a typo like “v=spf1 null -all”.
- DNS Errors: During a DNS update, your record might accidentally get saved incorrectly or even wiped clean.
- Empty Records: In some cases, the record exists, but it has no mechanisms defined, which essentially is the same as having no SPF record at all.
How to fix this?
- Check your DNS settings where your SPF record is stored.
- Make sure your record starts with v=spf1 and includes at least one valid mechanism like “ip4:”, “include:”, etc.
- End the record with -all (hard fail) or ~all (soft fail) to specify what to do if an unauthorized server tries to send an email.

SPF with multiple includes
Another issue you might face when configuring an SPF record is having SPF with multiple includes. This means that your SPF record contains several ‘include’ entries, each of which points to another domain’s SPF record. This happens when you have a lot of third-party services like Google Workspace, Microsoft 365, or CRM platforms that send emails on your behalf.
While there is nothing wrong with having multiple services that send emails under your name, you need to be careful; otherwise, your SPF record will have too many lookups.
SPF limits the number of DNS lookups to 10. If you exceed this limit, your SPF authentication will inevitably fail. This means that your emails will be marked as spam or rejected altogether, without any clear indication of what went wrong.

How to fix this?
To fix the problem of SPF with multiple includes, you first need to simplify your SPF record to bring it within the 10 DNS lookup limit.
- For this, go through each include in your SPF record and check if you’re still using that service. If you’re no longer sending emails through a particular service, remove that include.
- If the service provides you with fixed IP addresses, you can replace the include with ‘ip4:’ entries directly. But don’t add too many IP addresses, or else your SPF record can become too long and difficult to manage.
- You can also use an SPF flattening tool that compiles all the includes and resolves them into a list of IP addresses, reducing the number of lookups needed.
- Remember, whenever you add or remove services, make sure to update your SPF record accordingly to avoid unnecessary includes piling up over time.

Network Solutions issues
If you have registered your domain with Network Solutions, you have to be extra careful while setting up the SPF record for your domain. That’s because Network Solutions SPF record settings often have a default SPF entry already added for you.
If you don’t check this default record and try adding one on your own, you could accidentally create multiple SPF records for the same domain.
If you’re wondering what’s wrong with that and asking, “Can I have more than one record?”, the answer is no: SPF only allows one record per domain. If you have more than one, the receiving mail server won’t know which one to check when it receives an email. This can cause your SPF check to fail, and there’s a high chance that your emails will either land in the spam folder or get rejected completely.
This is why, if you are using Network Solutions or any other DNS provider, you should first check if an SPF record already exists for your domain. If you skip this and directly try to add an SPF record to Network Solutions, you might just end up creating more than one record. This will certainly break your SPF setup and cause your emails to fail the SPF check.
How to fix this?
- To fix this, log in to your Network Solutions account and check your DNS records for an existing SPF entry (listed as a TXT record).
- If there’s already an SPF record, don’t add a new one. Just edit the existing Network Solutions SPF record to include any new services.
- If you don’t find an existing SPF record, add one by creating a new TXT record with the proper details.
- Finally, make sure to validate the record with an SPF checker tool. It will ensure that your domain has a single, valid SPF record so your emails pass the SPF check.
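
The three errors covered above (a null record, too many lookups from multiple includes, and more than one SPF record on a domain) can be checked with a short offline audit. This is an added example, not AutoSPF’s code: the zone contents, domain names and function names are constructed for illustration, and TXT strings are read from a dict rather than queried from DNS. When a domain has duplicate records, only the first is parsed further.

```python
LOOKUP_LIMIT = 10  # the SPF DNS lookup limit discussed above
SENDERS = {"include", "a", "mx", "ptr", "ip4", "ip6", "exists", "redirect"}
COSTLY = SENDERS - {"ip4", "ip6"}  # terms that each cost a DNS lookup (RFC 7208)
# Constructed sample zone (domain -> TXT strings); not real DNS data.
ZONE = {
    "good.example": ["v=spf1 ip4:192.0.2.10 include:_spf.esp.example -all"],
    "_spf.esp.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "null.example": ["v=spf1 null -all"],
    "dup.example": ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 mx ~all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(6)) + " ~all"],
    **{f"s{i}.example": ["v=spf1 a mx -all"] for i in range(6)},
}

def spf_records(domain, zone):
    """Return the TXT records of `domain` whose first token is exactly v=spf1."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def parse_terms(record):
    """Yield (name, value) per term, with qualifier and CIDR suffix dropped from name."""
    for term in record.split()[1:]:
        sep = "=" if "=" in term.split(":")[0] else ":"  # modifier vs. mechanism
        name, _, value = term.lstrip("+-~?").partition(sep)
        yield name.split("/")[0].lower(), value

def count_lookups(domain, zone, path=()):
    """Count lookup-costing terms, following include/redirect without re-entering loops."""
    total, path = 0, path + (domain,)
    for record in spf_records(domain, zone)[:1]:
        for name, value in parse_terms(record):
            total += name in COSTLY
            if name in ("include", "redirect") and value not in path:
                total += count_lookups(value, zone, path)
    return total

def audit(domain, zone=ZONE):
    """Return findings for the three errors above; an empty list means none were found."""
    records = spf_records(domain, zone)
    if not records:
        return ["no SPF record"]
    findings = [f"multiple SPF records ({len(records)})"] if len(records) > 1 else []
    if not SENDERS & {name for name, _ in parse_terms(records[0])}:
        findings.append("no valid sender mechanism")
    lookups = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups, limit is {LOOKUP_LIMIT}")
    return findings

if __name__ == "__main__":
    print({d: audit(d) for d in ("good.example", "null.example", "dup.example", "heavy.example")})
```

Note that `heavy.example` lists only six includes, yet each included record adds its own `a` and `mx` lookups, which is how a record that looks short still exceeds the limit.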

Wrapping it all up
We understand that creating an SPF record is not easy, and what’s more difficult is maintaining it. If you are struggling with issues like an invalid SPF record or just struggling to keep up with SPF limitations, our team at AutoSPF can help you with it all!
We help you simplify your SPF record, optimize it to stay within the lookup limits, and ensure it’s always up to date, no matter how many services you use to send emails.
This is only the first step towards securing your email infrastructure, and we’re here to help you do it seamlessly and efficiently. Reach out to us today to book a demo!