---
title: "Do even ESPs get SPF wrong? Here’s what you should know | AutoSPF"
description: "Email security is a two-way street, which means both the client and the email service provider are responsible for maintaining the legitimacy and authenticity."
image: "https://autospf.com/og/blog/do-esps-get-spf-wrong-what-you-should-know.png"
canonical: "https://autospf.com/blog/do-esps-get-spf-wrong-what-you-should-know/"
---


![email service provider](https://media.mailhop.org/autospf/images/2025/03/spf-record-tester-7849.jpg) 

Email security is a two-way street, which means both the client and the email service provider are responsible for maintaining the legitimacy and authenticity of the communication process. It is not only the company sending out emails that should take action against spoofing and [phishing attacks](https://cybersecuritynews.com/detecting-phishing-attack-artificial-intelligence/) but also the platforms through which the emails are sent; they also need to ensure that the messages securely travel through their mailboxes and reach the recipients. 

To ensure this, ESPs must implement authentication protocols such as SPF (Sender Policy Framework), [DKIM](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dkim-record-check/) (DomainKeys Identified Mail), and [DMARC](https://dmarcreport.com/) (Domain-based Message Authentication, Reporting & Conformance). 

_Out of these three, SPF is the first line of defense that both parties must implement to ensure that only authorized mail servers can send emails on behalf of a domain_. While it is the most basic [email authentication](/spf-too-many-dns-lookups/spf-lookup/) mechanism, it is also the most commonly misconfigured one, and a misconfigured SPF record can break your entire [email security](/spf-validation-failed-meaning-and-troubleshooting-methods/exchange-spf-check/) strategy. What’s surprising is that even ESPs, who are supposed to be the masters of [email deliverability](/spf-validation-failed-meaning-and-troubleshooting-methods/spf-validation-error/), sometimes get SPF wrong, leading to deliverability issues, security vulnerabilities, and [domain spoofing](https://www.pcmag.com/news/nsa-warns-of-north-korean-hackers-spoofing-emails-from-legit-domains) risks.

In this article, we will take a look at why this happens and what can be done to fix it. 

![domain spoofing](https://media.mailhop.org/autospf/images/2025/03/multiple-spf-records-8018.jpg) 

## What Is SPF alignment?

_Before we get into what goes wrong with SPF implementation when ESPs try to configure it, let us understand how SPF works, particularly its role in domain alignment and email authentication_.

For starters, it is important to know that there are two ‘From’ addresses in any email: one that is visible to you and your recipient and the other one that operates behind the scenes. 

### 1\. Return-Path address

Also known as the envelope sender, bounce address, or [MAIL FROM](https://www.ibm.com/docs/en/zvm/7.2?topic=commands-mailfrom), this address is used primarily for processing bounced mail. If an email cannot be delivered to its destination, the Return-Path directs [mail servers](https://whatismyipaddress.com/mail-server) to send non-delivery reports there. This address is defined in the SMTP envelope of the email and is not seen by the recipient.

### 2\. ‘From’ address 

_The other one is the ‘From’ address, which is basically the sender’s address that you see in your inbox_. Unlike the Return-Path address, which is used for [email bounce](https://www.activecampaign.com/glossary/bounced-email) processing and routing errors, the From: address is what recipients identify as the source of the email.

Coming back to SPF alignment, it simply means that the From: address you see and the [Return-Path](https://emaillabs.io/en/what-is-return-path/) (the hidden bounce address) should match or be from the same domain. _So, if you are sending an email from [someone@company.com](mailto:someone@company.com), and the Return-Path is [support@company.com](mailto:support@company.com), then it is aligned_. But for it to be DMARC compliant, the sending server must also be included in the [SPF record](/spf-record-checker/create-spf-record/). If everything seems good, the email is authenticated and is more likely to land in the inbox.

![email security](https://media.mailhop.org/autospf/images/2025/03/spf-record-example-4025.jpg) 

## Why does SPF even fail? 

There are many reasons why SPF fails, even when implemented by ESPs. Since SPF depends on looking up [DNS records](https://www.cloudflare.com/learning/dns/dns-records/) to confirm whether an email is being sent from an authorized server, even a minor misconfiguration can render it useless. Let us take you through some of the most common reasons why this happens:

### Alignment Failures 

You might think that SPF alignment is all about updating your SPF record with the authorized sending IPs or domains, but that’s not the case. What’s worse is that some [ESPs](https://www.campaignmonitor.com/resources/glossary/email-service-provider-esp/) also believe the same. By adding sending IPs to the SPF record, you’re just whitelisting them without achieving proper alignment.

For SPF alignment, the sending domain must match the Return-Path domain, which is a requirement for DMARC compliance. When ESPs provide outdated or inaccurate instructions, businesses may add unnecessary ‘include’ statements to their SPF records, taking up valuable [DNS lookup](https://www.digicert.com/faq/dns/how-does-dns-lookup-work) space and sometimes causing email authentication failures.

_Alignment failures happen when the Return-Path domain (the invisible bounce address) does not match the From: address domain (the visible sender address)_.

### Achieving SPF alignment with a subdomain

If you’re working with an ESP like Mandrill, you might run into an SPF alignment problem. By default, these ESPs use their own Return-Path (bounce address) domain, which won’t match your From: address, and this creates SPF alignment issues. But there’s a way to fix this. 

In such cases, the ESP uses a subdomain-based approach to help you achieve SPF alignment. That means that instead of changing your main SPF record, you can create a subdomain and configure it specifically for your ESP’s authentication. Here, you create a subdomain and set up a [CNAME record](https://support.dnsimple.com/articles/cname-record/) that points to [Mandrill’s domain](https://support.churchsuite.com/article/79-improving-email-delivery-from-your-churchsuite-account) (e.g., mandrillapp.com). 

So, when you create this subdomain within Mandrill’s portal, it enables you to set up the Return-Path address to utilize your subdomain. This makes the Return-Path domain match your sending domain’s subdomain, attaining SPF alignment without filling up your main domain’s SPF record.
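The alignment rule from the sections above, as an added example (not code from the original article or from any ESP). It compares the From: domain with the Return-Path domain in DMARC's strict and relaxed modes; `mail.company.com` is a hypothetical Return-Path subdomain, and the two-label organizational-domain shortcut is an assumption that stands in for a Public Suffix List lookup.

```python
from email.utils import parseaddr

def domain_of(address):
    """Return the lower-cased domain of 'Name <user@host>' or '<user@host>'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower().rstrip(".")

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real DMARC evaluators use the Public Suffix List, so this shortcut
    # is wrong for suffixes such as co.uk.
    return ".".join(domain.split(".")[-2:])

def spf_aligned(header_from, return_path, mode="relaxed"):
    """True when the Return-Path domain aligns with the From: domain."""
    f, r = domain_of(header_from), domain_of(return_path)
    if not f or not r:
        return False  # e.g. an empty Return-Path (<>) has no domain to compare here
    if mode == "strict":
        return f == r                       # exact domain match
    return org_domain(f) == org_domain(r)   # relaxed: same organizational domain

def dmarc_spf_pass(spf_result, header_from, return_path, mode="relaxed"):
    """SPF counts toward DMARC only if it passes AND the domains align."""
    return spf_result == "pass" and spf_aligned(header_from, return_path, mode)

# Constructed sample messages: (From: header, Return-Path).
FROM = "Some One <someone@company.com>"
CASES = {
    "same domain":       (FROM, "<support@company.com>"),
    "ESP default":       (FROM, "<bounce@mandrillapp.com>"),
    "custom subdomain":  (FROM, "<bounce@mail.company.com>"),
}

if __name__ == "__main__":
    for label, (hdr, rp) in CASES.items():
        print(f"{label:17} relaxed={spf_aligned(hdr, rp)} "
              f"strict={spf_aligned(hdr, rp, 'strict')} "
              f"dmarc_spf={dmarc_spf_pass('pass', hdr, rp)}")
```

The "ESP default" case is the one that catches people out: SPF itself passes for the ESP's bounce domain, yet the message gets no SPF credit under DMARC because that domain is not the one in the From: header.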

### How Do Unnecessary Domains End Up in the SPF Record?

Many ESPs ask their users to update their SPF records with every other domain that they use for sending emails. This includes even the extra or inactive email services that they might not even use. Doing this can do more harm than good. It can waste your SPF lookups and cause authentication issues.

The main problem with this approach is that [SPF](/blog/what-is-spf-email-a-guide-to-sender-validation-technology/) has a 10 DNS lookup limit. When your record contains too many include statements, you easily hit this limit, and SPF will fail, even for valid emails. Instead, you should only include the services you actually use. _For instance, if you use Google to send your emails, add \_spf.google.com; or if you use Microsoft, add spf.protection.outlook.com_. There’s no need to add both just for the sake of it.

Are you also facing deliverability issues because of misconfigured SPF records? Now that we have identified the problem areas, it is time to fix them. At [AutoSPF](/), we make SPF deployment and management a breeze! To get started, book a demo with us today.
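To see how quickly nested includes use up the 10-lookup budget, here is an added example (not from the original article, and not AutoSPF's code) that counts the DNS-querying terms reachable from an SPF record. It runs against a constructed in-memory zone rather than live DNS; every `.example` domain and record in it is hypothetical.

```python
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4; exceeding it yields "permerror"
# Terms that cost a DNS query during evaluation. ip4, ip6 and all cost none.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed TXT records standing in for DNS (hypothetical, not real data).
ZONE = {
    "company.example": "v=spf1 mx include:_spf.esp-a.example "
                       "include:_spf.esp-b.example include:_spf.esp-c.example -all",
    "_spf.esp-a.example": "v=spf1 include:_n1.esp-a.example "
                          "include:_n2.esp-a.example include:_n3.esp-a.example ~all",
    "_n1.esp-a.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_n2.esp-a.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_n3.esp-a.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.esp-b.example": "v=spf1 a mx ~all",
    # esp-c plays the part of a service the domain no longer sends through.
    "_spf.esp-c.example": "v=spf1 a:out.esp-c.example "
                          "exists:%{i}.bl.esp-c.example ptr ~all",
}

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from the SPF record of `domain`."""
    if domain in path:            # include/redirect loop: stop recursing
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # skip the "v=spf1" tag
        term = term.lstrip("+-~?")                  # drop the qualifier
        if term.lower().startswith("redirect="):
            target = term.partition("=")[2]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        name = name.partition("/")[0].lower()       # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":                   # nested record costs more
                total += count_lookups(arg, zone, path + (domain,))
    return total

def include_costs(domain, zone):
    """Lookups consumed by each top-level include, to show what to drop."""
    costs = {}
    for term in zone.get(domain, "").split()[1:]:
        term = term.lstrip("+-~?")
        if term.lower().startswith("include:"):
            target = term.partition(":")[2]
            costs[target] = 1 + count_lookups(target, zone, (domain,))
    return costs

if __name__ == "__main__":
    used = count_lookups("company.example", ZONE)
    print(used, "lookups:", "over limit" if used > LOOKUP_LIMIT else "ok")
    print(include_costs("company.example", ZONE))
```

Four visible terms in the top-level record expand to 12 lookups; removing the unused `_spf.esp-c.example` include brings the total down to 8.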


![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

