SPF (short for Sender Policy Framework) is an email authentication protocol that boosts email deliverability, ensures security, and is trusted by email service providers. It allows domain owners to list all the IPs (ip4 and ip6) and servers that senders can use to dispatch emails on behalf of organizations. It ensures messages mailed by malicious senders either land in recipients’ spam folders or get rejected in case they fail SPF authentication checks.
These IP addresses and mail servers are listed in an SPF record in the TXT format along with other information mentioned using the syntax (mechanisms, modifiers, and qualifiers). However, SPF records are very likely to be erroneous due to a number of reasons like technical misconfigurations, typos, incorrect use of the SPF mechanism group, exceeding the number of characters allowed, etc. The presence of all these mistakes makes SPF TXT records invalid, which impacts the authentication process in some way.
These errors are categorized as SPF Permerror and SPF Temperror. This article shares some DIY solution sets to get rid of them.
Kitterman SPF-The Ultimate SPF Record Checker
You can’t fix an issue in your record unless you know about its presence. So, to know if your SPF DNS record is correctly configured, you need to run it through an SPF checking tool (also called an SPF validator) that diagnoses it and highlights all the existing problems so that you can make the required changes and place everything correctly.
Kitterman SPF is one of the most credible and trusted tools for the ‘SPF check’ process, where you just have to enter your domain name, and it will instantly present the results.
Image sourced from rejoiner.com
What Does SPF Permerror Mean?
An SPF permerror occurs when there’s a fundamental problem with your domain’s SPF record, which doesn’t let a receiver’s server determine if a particular sender is officially authorized. In simpler terms, permanent SPF errors indicate that the email service providers (example; Gmail, Microsoft Outlook, Hotmail, etc.) failed to verify the SPF record published on DNS. Common reasons causing SPF errors are:
- Existence of Multiple SPF Records for a Domain
- Syntax issues
- Exceeding the limit of 255 characters
- Exceeding the DNS Lookup Limit
- Exceeding the Limit of Void Lookups
- A problem in including sending sources from a third-party vendor or host.
Their solutions are mentioned below.
What is the Difference Between SPF Fail and Permerror?
SPF Fail means the specific IP address isn’t allowed to send emails on behalf of your organization and using your domain name. On the other hand, an SPF permerror indicates the presence of fundamental problems in your records, which makes them invalid. This error makes it impossible for mailboxes to evaluate whether a sending server is authorized or not.
Ways to Fix SPF Permerror Office 365
The occurrence of SPF permerror is quite normal, and you don’t have to reach out to an expert every single time. Just take care of the following points, and you will be able to resolve them on your own.
How to Fix the Existence of Multiple SPF Records for a Domain?
Merge all your SPF records by including all the parts into one record and not repeating any mechanisms. This is how you can do it-
- Include only one ‘a’ mechanism at the beginning of your SPF record to eliminate multiple SPF records.
- If one or both the records have an ‘mx’ mechanism, include it only once.
- The ‘include’ mechanism indicates the mail servers from both records.
- An SPF record should always end with “?all”, “-all,” or “~all.” Ensure you don’t use multiple SPF Qualifiers; otherwise, your SPF record will be invalid or erroneous.
How to Fix Syntax Issues?
Check and resolve the existence of any of the following SPF permerror problems with your domain and subdomain-
- Extra spaces before or after the SPF record string.
- Spelling mistakes.
- Use of uppercase letters.
- Extra dashes before the ‘fail’ mechanism. For example, using –all instead of -all.
- Commas and spaces between each mechanism.
- Not starting the record string with v=spf1.
If your SPF record is devoid of any of these errors, then try copying and pasting it into a non-formatting tool like Notepad. At times, some formatting issues occur while publishing records to domains’ DNS.
How to Stay Within the DNS Lookup Limit?
Try these methods to stay within the limit of a maximum of 10 DNS SPF lookups.
Remove Unnecessary ‘include’ Statements
Each ‘include’ statement is counted towards the DNS SPF lookup limit. So, replace non-required ‘include’ statements with mechanisms, wherever possible. Using the ‘all’ mechanism and ‘exp’ modifier is suggested, as they are not counted towards the limit.
Remove the ‘ptr’ Mechanism
The ptr mechanism resolves an IP address to its corresponding domain name. Its use is discouraged as it can result in multiple DNS lookups leading to surpassing the limit.
Try SPF Flattening
AutoSPF offers SPF flattening service to compress your SPF record by replacing all the domains with their IP addresses to eliminate the need for DNS lookups. This practice ensures:
- Unaffected email delivery.
- Proper DKIM and DMARC operations.
- Protection from phishing and spoofing attacks.
Delete Invalid or Unused Domain References
Remove any Ip address, mail server, or domain that is no longer being used to send emails on your behalf. Cross-check if all the domains added to your SPF TXT record are active and valid.
How to Stay Within the Limit of Void Lookups?
You get an SPF permerror due to void lookups when SPF records with the ‘include’ mechanism refer to an invalid or spoofed domain or IP address. Upon a lookup, you may see an empty or null response (NOERROR with no answers or NXDOMAIN).
RFC has imposed this limit to minimize the chances of DDoS attacks. Ensure no redundant or invalid IP address or email server is included in your SPF record. Opting for automatic SPF flattening over manual also keeps you within the DNS lookup limit by constantly monitoring and updating your records.
As the name says, SPF temperror is a temporary error that usually gets resolved independently and requires minimal intervention from domain owners. DNS timeout is an example of an SPF temperror that goes away by itself.
If you haven’t received notifications regarding the SPF temperror from multiple mailboxes, then there’s nothing worrisome.
SPF permanent error requires domain owners’ attention in getting fixed, whereas a temperror gets sorted itself. One of the common permerror types is having more than 10 DNS queries or DNS lookups, which you can fix by removing unnecessary ‘include’ statements or through SPF flattening. Also, ensure that you use only ip4 and ip6 sources.