SPF SoftFail – Everything that Causes an SPF Fail

SPF Soft Fail - Everything about SPF Failures

SPF is an important email authentication protocol that makes it harder for spammers to send mail in your domain's name. An SPF failure occurs when your record is not set up properly, among other reasons.

Is your SPF Record Set Up Correctly?

Read this article to learn more about SPF, SPF failures, how to avoid them, and how SPF authentication affects DMARC.

What is SPF?

SPF (Sender Policy Framework) is an email authentication protocol that explicitly lists different servers and applications that are allowed to send emails from your domain.

Sender Policy Framework has helped protect millions of domains against email spoofing and prevents legitimate outgoing email messages from being marked as spam. SPF, along with DKIM, DMARC, and BIMI, makes up the building blocks of email authentication.

Your SPF record is like your car’s insurance policy. Try to visualize your sending domain as a new car. Before you start driving your car, you need to make sure you have valid insurance that covers everyone who will be driving your car.

How Does SPF work?

SPF is a policy published as a TXT record in your domain’s DNS settings.

Every time you send emails, they have to first travel through the receiving servers’ spam filters and firewalls. This is similar to going through a police checkpoint. The “police officer” will check your driving record to see if you have valid insurance (or SPF record). If you do, they’ll determine whether or not you’re allowed to drive your vehicle based on your insurance policy and whether you’re listed as an authorized driver.

Like the above example, when a sender sends an email message, the receiving mail server performs a DNS lookup on the domain of the envelope sender (the “MAIL FROM” or Return-Path address) to find out whether the sender’s IP address or email service provider is allowed to send mail on behalf of that domain. If the IP address is listed as a valid email sender in your SPF policy, authentication passes.

If the sender’s IP address is not listed in your SPF record, then your SPF authentication fails and your email is less likely to reach its destination. Many internet service providers (ISPs) may blacklist any IP addresses where SPF fails too often in order to prevent email spoofing and unauthorized IPs from abusing that domain’s reputation.


What does an SPF Failure Mean?

Authenticating your email is easy enough when everything is in place and SPF passes. However, it gets a bit tricky when SPF authentication fails. SPF failures can be due to any of the following reasons.

SPF failure occurs when:

  • Your domain has multiple SPF records
  • Mail servers were unable to resolve the domain name in DNS
  • Your record exceeds the 10-DNS-lookup limit
  • A single SPF check involves more than two void lookups
  • The receiving mail server cannot find an SPF record for the domain
  • The SPF record does not have correct syntax
  • The sending IP address is not on the list specified in the SPF record

If any of the statements above is true, the SPF check returns one of the following results, which is then passed on to DMARC:

  • none
  • neutral
  • softfail (SPF soft fail)
  • fail (SPF hard fail)
  • temperror (temporary error)
  • permerror (permanent error)

What is an SPF soft fail?

An SPF soft fail is a result that means the sender’s IP address is probably not authorized, but the domain owner has not issued a more definitive restriction that would result in a stronger “fail.” This is done by ending your SPF record with the ~all mechanism.

Therefore, any IP address that is not listed in your SPF policy will result in a soft fail.

An SPF soft fail may be viewed as a pass or fail, depending on how you configure DMARC in your email server.

SPF soft fail example (the address is a placeholder from the 192.0.2.0/24 documentation range; note the colon after ip4, which the mechanism syntax requires):

v=spf1 ip4:192.0.2.56 ~all

What is an SPF hard fail?

An SPF fail, or SPF hard fail, occurs when the IP address the email originates from is not listed as an authorized sender.

To ensure that only the authorized IP addresses can send email, end your SPF record with the -all mechanism. Any unauthorized server will then trigger an SPF fail, and its email messages can be discarded altogether.

An SPF fail also means SPF cannot pass DMARC alignment, so it is important to publish your SPF record with the correct sending IPs and email servers to prevent a hard fail on legitimate mail.

SPF hard fail example:

v=spf1 ip4:132.45.55.65 -all

What is the difference between an SPF soft fail and an SPF hard fail?

The main difference between the two is simple: it comes down to which qualifier you put on the all mechanism (~all or -all), which decides what happens to a sender that is not listed in your SPF record.

SPF Hardfail vs SPF Softfail

SPF Hard Fail

Hard fails can cause emails to be blocked completely. If you send email from a server that is not listed in the SPF record, the message fails SPF and may be discarded altogether.

SPF Softfail

Soft fails can cause emails to get marked as spam or flagged as suspicious.

What are other SPF Failures?

SPF None

If there is no SPF record present, or the SPF record does not explicitly define a policy for the given domain, the result is none, which is also treated as a failure.

SPF none is also treated as a fail in DMARC authentication; the SPF check failed, therefore, DMARC fails. Likewise, if your DKIM authentication fails, it fails the final DMARC authentication check as well.

To fix this, publish a valid SPF record for your domain:

How to Deploy SPF Email Authentication

SPF Neutral

SPF neutral is when the SPF record for your domain explicitly states that it cannot confirm whether the IP address is authorized. A neutral result is produced by ending your SPF record with the ?all mechanism: any IP address that matches no earlier mechanism then receives a neutral result.

DMARC authentication can interpret SPF neutral as either pass or fail, depending on how you set up DMARC on your email server.

SPF PermError (SPF Permanent Error)

SPF PermError often happens when a single domain has multiple SPF records, a syntax error occurs, or if your record exceeds the 10-DNS-lookup limit.
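To make the result types concrete, here is an added example (not code from the original article or from GlockApps) that evaluates the ip4/ip6/all mechanisms of a record against a sending IP and returns none, neutral, pass, softfail, fail or permerror. It reproduces the ~all and -all cases shown above, the ?all neutral case, and the permerror causes named here (multiple records, bad syntax); include/a/mx mechanisms need live DNS and are deliberately left out, and all records and addresses below are constructed.

```python
import ipaddress
import re

# SPF qualifiers: "+" pass (the default when omitted), "-" fail,
# "~" softfail, "?" neutral.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Only the mechanisms this article discusses are handled: ip4, ip6 and all.
# A term such as "ip4 192.0.2.56" (missing colon) splits into two terms and
# is caught below as a syntax error.
MECH_RE = re.compile(r"^([+\-~?]?)(ip4|ip6|all)(?::(.+))?$")


def evaluate_spf(records, sender_ip):
    """Return the SPF result for sender_ip, given the TXT strings a DNS
    lookup returned for the domain (constructed here, no DNS involved)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"           # no SPF policy published for the domain
    if len(spf) > 1:
        return "permerror"      # multiple v=spf1 records are a hard error
    ip = ipaddress.ip_address(sender_ip)
    for term in spf[0].split()[1:]:
        m = MECH_RE.match(term)
        if not m:
            return "permerror"  # unknown mechanism or malformed term
        qual, mech, arg = m.group(1) or "+", m.group(2), m.group(3)
        if mech == "all":
            # The qualifier on "all" decides the fate of unlisted senders:
            # ~all -> softfail, -all -> fail, ?all -> neutral.
            return QUALIFIERS[qual]
        if arg is None:
            return "permerror"  # bare "ip4" with no address (missing colon)
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"  # e.g. 142.456.22.56 is not a valid address
        if net.version != (4 if mech == "ip4" else 6):
            return "permerror"  # ip4 mechanism given an IPv6 value, or vice versa
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qual]
    return "neutral"            # no mechanism matched and no "all" present


if __name__ == "__main__":
    print(evaluate_spf(["v=spf1 ip4:192.0.2.56 ~all"], "198.51.100.7"))  # softfail
    print(evaluate_spf(["v=spf1 ip4:132.45.55.65 -all"], "198.51.100.7"))  # fail
```

Feeding the real TXT records of a domain into evaluate_spf shows which result an unlisted server would receive before you change the qualifier on all in production.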

SPF TempError (SPF Temporary Error)

SPF TempError (temporary error) is caused by a DNS error such as DNS timeout during an SPF authentication check conducted by the receiving servers.

If a sender runs into a temporary error while trying to deliver an email, the message is retried later. However, the success of this second attempt depends on how the initial policy is set up. For example, on an SPF temperror the receiving server’s SMTP response will carry a 4xx status code.

How do I Avoid SPF Failures?

You can avoid SPF (Sender Policy Framework) failures by making sure that your SPF record lists every tool and application you will be using to send emails from your own domain.

You can also use our Uptime Monitor to get notified as soon as any emails fail SPF, DKIM, or DMARC records. This will help you stay out of spam and improve your email deliverability.

How can I Monitor SPF Failures?

There are a few tools that allow you to monitor your SPF along with your DKIM, DMARC, IP Blacklists, and more. These tools were created to help you improve your email deliverability with a proactive approach.

To prevent SPF failures, use our free DMARC analyzer to ensure all of your emails are properly authenticated and reach your customers.

Learn More about SPF:

How the New Email Uptime Monitoring Helps with Multiple SPF Records
How to Catch Spoofing Attack in 2021
How to Deploy SPF Email Authentication
How to Optimize Your SPF Record
Improving Email Deliverability Using MX, SPF and PTR Records
What is DMARC: Email Security with DMARC, SPF, and DKIM

AUTHOR BIO

Katherine Medina is the Chief Editor and SEO Content Specialist at GlockApps.