SPF SoftFail – Everything that Causes an SPF Fail
SPF is an important form of email authentication that cuts down on the spoofed and spam mail that gets through. There are also many things that can go wrong with an SPF record and cause a soft fail, a hard fail, or one of the other SPF failure results.
Read this article to learn more about SPF, SPF failures, how to avoid them, and how SPF authentication affects DMARC.
What is SPF?
SPF, or Sender Policy Framework, has helped protect millions of domains against spoofing and keeps legitimate outgoing email from being marked as spam. Sender Policy Framework, together with DKIM, DMARC, and BIMI, makes up the building blocks of email authentication.
SPF is an email authentication protocol that lets a domain owner publish which mail servers and applications are allowed to send mail on behalf of that domain.
You can think of your domain as a new car. Before you take your car out on the road, you need to make sure you have a valid insurance policy that covers everyone who drives.
How Does SPF work?
SPF is a TXT record that is published within the DNS settings of your domain hosting provider.
Every time you send an email, you must go through your recipient’s spam filters and firewalls. This is similar to going through a police checkpoint. The police will first check your DNS settings to see if you have a valid SPF record (or insurance). If you do, they’ll determine whether or not you’re allowed to drive the vehicle based on your insurance policy and whether you’re listed as an authorized driver.
When a message arrives, the receiving mail server looks up the SPF record of the domain in the envelope sender address (the MAIL FROM / Return-Path, and in some setups the HELO name) and checks whether the connecting IP address, or the email service provider it belongs to, is listed as an authorized sender for that domain. If the IP matches a mechanism in your SPF policy, SPF passes.
If the sending IP address is not listed in your SPF record, SPF authentication fails and your message is less likely to reach its destination. Many mailbox providers and ISPs also blacklist IP addresses that fail SPF too often, to stop spoofers and unauthorized senders from abusing the domain's reputation.
What does an SPF Failure Mean?
Authenticating your email is easy enough when everything is in place and SPF passes. However, it gets a bit tricky when SPF authentication fails, as it may be due to a number of reasons.
SPF failure occurs when:
- more than one SPF record is found on the domain
- the domain name cannot be resolved in DNS
- more than 10 DNS lookups are needed to complete a single SPF check
- more than 2 void lookups (DNS queries that return no answer) occur during a single SPF check
- no SPF record can be found on the domain
- the SPF record is not syntactically correct
- the sending IP address is not in the list specified by the SPF record
If any of these conditions is true, one of the following SPF results is returned and then passed on to DMARC:
- softfail (SPF soft fail)
- fail (SPF hard fail)
- none (no usable SPF record)
- neutral
- temperror (temporary error)
- permerror (permanent error)
None of these counts as an SPF pass for DMARC purposes.
What is the difference between an SPF soft fail and an SPF hard fail?
The difference comes down to the qualifier on the all mechanism at the end of your record: ~all produces a soft fail, -all produces a hard fail.
With an SPF hard fail (-all), mail sent from a server whose IP is not in the record gets a fail result, and the receiving server may reject it outright.
With an SPF soft fail (~all), the same message gets a softfail result and is usually accepted but tagged as spam or suspicious.
What is an SPF soft fail?
The SPF soft fail is a weak statement that the host is probably not authorized: the domain has not issued the stronger, more definitive policy that results in a fail. This is done by ending the SPF record with a ~all mechanism.
When this mechanism is reached, any IP address not matched by an earlier mechanism in your policy results in a soft fail.
A soft fail is still not a pass for DMARC: the DMARC specification only credits an SPF pass, so a softfail message must pass DKIM with an aligned domain to pass DMARC. How strictly a softfail message is filtered, however, varies from one receiving mail server to another.
SPF soft fail example (192.xx.xx.xx stands in for your sending IP address; note the colon after ip4):
v=spf1 ip4:192.xx.xx.xx ~all
What is an SPF hard fail?
An SPF fail, also referred to as an SPF hard fail, means the IP address that delivered the message is not listed as an authorized sender and the record ends with -all.
This is accomplished by ending the SPF record with a -all mechanism. Any IP address not matched by an earlier mechanism triggers a fail result when this qualifier is used.
A hard fail cannot contribute to a DMARC pass either, since DMARC needs an SPF pass from an aligned domain, so publish your SPF record with every legitimate sending IP and email service before you switch to -all.
SPF hard fail example (192.xx.xx.xx stands in for your sending IP address):
v=spf1 ip4:192.xx.xx.xx -all
What are other SPF Failures?
SPF None
If there is no SPF record present, or the record found does not define a policy for the given domain, the result is none rather than fail.
SPF none is treated as a non-pass in DMARC: SPF cannot contribute, so the message passes DMARC only if DKIM passes with an aligned domain. If DKIM fails as well, DMARC fails.
To fix this, simply publish a valid SPF record on your domain.
SPF Neutral
In a nutshell, SPF neutral means that the domain's SPF record explicitly states that it makes no claim about whether the IP address is authorized. This is done with the ?all qualifier at the end of the record: any IP address not matched by an earlier mechanism results in neutral.
For DMARC, neutral is treated like none: it is not a pass, so SPF cannot help the message pass DMARC. Some spam filters treat neutral more leniently than fail, but that is a receiver-side filtering choice, not part of DMARC.
SPF PermError (SPF Permanent Error)
SPF PermError is returned when the receiving MTA cannot interpret the SPF record at all, so no pass-or-fail decision is possible. Common causes are a syntax error in the record, more than one SPF record on the domain, an include or redirect that points at a domain with no SPF record, and exceeding the DNS lookup limit.
The mechanisms that need DNS queries (include, a, mx, ptr, exists, plus the redirect modifier) may add up to at most 10 per SPF check, and more than 2 void lookups (queries that return no answer) also trigger a PermError. Nested include chains from third-party email services are the usual way a record silently grows past 10. DMARC treats permerror as a non-pass, and many receivers filter such mail as if SPF had failed.
SPF TempError (SPF Temporary Error)
SPF TempError (temporary error) is returned when a DNS error, such as a timeout or SERVFAIL, interrupts the SPF check performed by the receiving MTA. It is a transient condition: the receiver typically answers with a 4xx SMTP status so the sending server retries later, and the same message usually gets an SPF pass once DNS is responding again.
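The results described in the failure list above and in the soft fail, hard fail, none, neutral, PermError and TempError sections can all be reproduced with a small evaluator. The Python below is an added example written for this article, not code from the article's author or from any SPF library. It implements a minimal check_host() supporting only the ip4, ip6, include and all mechanisms and the redirect modifier, counts DNS lookups against the 10-lookup limit, and runs against a constructed in-memory zone; every domain name and IP address in it is a documentation value, not a real sender. The a, mx, ptr and exists mechanisms and the void-lookup limit are deliberately left out.

```python
"""Minimal SPF check_host() in the spirit of RFC 7208, run against a constructed
in-memory DNS zone so it works offline. Added example, not the article's code."""
import ipaddress
import re

MAX_DNS_LOOKUPS = 10   # RFC 7208 4.6.4: DNS-querying terms may total at most 10 per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECH_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?::(.+))?$", re.I)
MOD_RE = re.compile(r"^([a-z0-9]+)=(.+)$", re.I)


class DnsTempFailure(Exception):
    """Stands in for a DNS timeout or SERVFAIL during the check."""


# Constructed zone standing in for TXT answers. Names use the reserved .example
# TLD and IPs come from the RFC 5737 / RFC 3849 documentation ranges; none are real.
ZONE = {
    "softfail.example":   ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "hardfail.example":   ["v=spf1 ip4:192.0.2.0/24 include:relay.example -all"],
    "relay.example":      ["v=spf1 ip4:198.51.100.10 -all"],
    "neutral.example":    ["v=spf1 ip4:192.0.2.0/24 ?all"],
    "unrelated.example":  ["site-verification=abc123"],           # TXT but no SPF -> none
    "tworecords.example": ["v=spf1 -all", "v=spf1 ip4:192.0.2.1 -all"],  # permerror
    "badsyntax.example":  ["v=spf1 ip4 192.0.2.1 -all"],          # missing ':' -> permerror
    "loop.example":       ["v=spf1 include:loop.example -all"],   # blows the 10-lookup limit
    "timeout.example":    None,                                   # DNS never answers
}


def lookup_txt(domain):
    """Fake resolver: unknown names act like NXDOMAIN (no records), None means timeout."""
    answers = ZONE.get(domain, [])
    if answers is None:
        raise DnsTempFailure(domain)
    return answers


def check_host(ip, domain, resolver=lookup_txt, budget=None):
    """Return the SPF result for connecting address `ip` claiming `domain`:
    pass, fail, softfail, neutral, none, temperror or permerror."""
    if budget is None:
        budget = {"lookups": 0}            # shared across nested includes/redirects
    try:
        answers = resolver(domain)
    except DnsTempFailure:
        return "temperror"
    records = [a for a in answers if a.split(" ", 1)[0].lower() == "v=spf1"]
    if not records:
        return "none"                      # no policy published at all
    if len(records) > 1:
        return "permerror"                 # RFC 7208 4.5: exactly one record allowed
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        mod = MOD_RE.match(term)
        if mod:
            if mod.group(1).lower() == "redirect":
                redirect = mod.group(2)
            continue                       # exp= and unknown modifiers are ignored
        mech = MECH_RE.match(term)
        if not mech:
            return "permerror"             # unparseable term, e.g. a bare IP address
        qual, name, arg = mech.group(1) or "+", mech.group(2).lower(), mech.group(3)
        if name == "all":
            return QUALIFIERS[qual]        # ~all / -all / ?all decide the unmatched case
        if name in ("ip4", "ip6"):
            if arg is None:
                return "permerror"         # "ip4 192.0.2.1": mechanism without its argument
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed address or prefix
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            budget["lookups"] += 1
            if arg is None or budget["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, resolver, budget)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub == "none":
                return "permerror"         # RFC 7208 5.2: included domain has no record
            if sub in ("temperror", "permerror"):
                return sub
            # fail/softfail/neutral from the include: no match, keep evaluating
        else:
            return "permerror"             # a, mx, ptr, exists are not implemented here
    if redirect is not None:
        budget["lookups"] += 1
        if budget["lookups"] > MAX_DNS_LOOKUPS:
            return "permerror"
        sub = check_host(ip, redirect, resolver, budget)
        return "permerror" if sub == "none" else sub
    return "neutral"                       # RFC 7208 4.7: nothing matched and no all term


def counts_for_dmarc(result):
    """DMARC (RFC 7489) credits only an SPF 'pass'; every other result is a non-pass."""
    return result == "pass"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "softfail.example"), ("203.0.113.5", "softfail.example"),
                    ("203.0.113.5", "hardfail.example"), ("198.51.100.10", "hardfail.example"),
                    ("203.0.113.5", "neutral.example"), ("203.0.113.5", "unrelated.example"),
                    ("203.0.113.5", "tworecords.example"), ("203.0.113.5", "badsyntax.example"),
                    ("203.0.113.5", "loop.example"), ("203.0.113.5", "timeout.example")]:
        r = check_host(ip, dom)
        print(f"{ip:>14} -> {dom:<20} {r:<9} usable by DMARC: {counts_for_dmarc(r)}")
```

Running the block prints one line per case. The lookup budget is shared across the whole include chain, which is exactly how third-party service includes push a real record past 10, and counts_for_dmarc() makes the point that softfail, neutral and none all leave DMARC to rely on DKIM alone.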
How do I avoid SPF Failures?
You can avoid SPF (Sender Policy Framework) failures by making sure the SPF record published includes all of the tools or applications you use to send email from your own domain.
You can also use our Uptime Monitor to get notified if any issues occur with your SPF, DKIM, or DMARC records. This will help you stay out of spam and improve your email deliverability.
How can I Monitor my SPF?
There are a few tools that allow you to monitor your SPF along with your DKIM, DMARC, IP Blacklists, and more. These tools were created to help you improve your email deliverability with a proactive approach.
To prevent SPF failures, use our free DMARC analyzer to ensure all of your emails are properly authenticated and reach your customers.
Learn More about SPF:
How the New Email Uptime Monitoring Helps with Multiple SPF Records
How to Catch Spoofing Attack in 2021
How to Deploy SPF Email Authentication
How to Optimize Your SPF Record
Improving Email Deliverability Using MX, SPF and PTR Records
What is DMARC: Email Security with DMARC, SPF, and DKIM