What are common SPF errors

SPF validation is one of the most important aspects of good delivery.

Written by Support Team
Updated over a week ago

The Domain Verification Tutorial will show you how to add the records to your domain's DNS settings. One of the records you will be adding is called an SPF record. The actual record type is TXT, but it is widely referred to as SPF. As outlined in the tutorial, here is what you need to enter to add the SPF record to your DNS:

Name: yourdomain (or @)

Value: v=spf1 a mx include:_spf.elasticemail.com ~all

If you already have an SPF entry then you need to edit your current one.

If your record does not validate, it most likely means that either the record is failing to propagate or there is a configuration issue. Some very common SPF issues are listed below.

Multiple SPF Records

Each domain may have only one SPF entry. If your domain contains more than one entry, recipient servers will decline both - this will cause your emails to fail an SPF check. 

If there is more than one SPF entry in the domain's DNS, you should remove the ones that are not in use anymore. You might have quit using some services that still have an SPF entry specified in your DNS zone, or switched hosting/email providers. Such obsolete records are eligible for removal.

Another way to address this would be to merge two (or more) records into one.

In this example, a user domain has an SPF record and has already included the Elastic Email SPF entry but is still not verifying correctly on the dashboard. The reason for it would be that there are two SPF records present on the domain:

v=spf1 a mx include:_mypartnerdomain1.com include:_spf.elasticemail.com ~all
v=spf1 a mx include:_mypartnerdomain2.com ~all

In order to resolve it, these two records should be merged into one:

v=spf1 a mx include:_mypartnerdomain1.com include:_mypartnerdomain2.com include:_spf.elasticemail.com ~all

When merging, make sure that your entry starts with "v=spf1" and ends with the "~all" parameter.

Merging multiple SPF records into one might lead to too many DNS lookups which will again result in the domain not verifying correctly. This scenario is further explained in the following paragraph.

Too many DNS lookups

An individual SPF record is limited to 10 "include" lookups. This means your record cannot generate more than 10 references to other domains.

Every instance of the parameters "include", "a", "mx", "ptr", "exists" and "redirect" will generate one lookup. Additionally, if any domain that is referenced in an "include" contains another instance of those parameters, it is also counted towards the 10 lookup limit.

If the SPF record exceeds 10 DNS lookups, the email will fail SPF.

Remove includes and references to domains that are not in use anymore. Alternatively, subdomains can be used. Creating a subdomain will allow an additional SPF record. However, if a subdomain is verified, then the email will need to be sent from that subdomain.

Following is an example of how many DNS lookups might be broken down between three subdomains:

SPF_for_Subdomain1: "v=spf1 include_record1 include_record2 (etc.) -all"

SPF_for_Subdomain2: "v=spf1 include_record3 include_record4 (etc.) -all"

SPF_for_Subdomain3: "v=spf1 include_record5 include_record5 (etc.) -all"

In this case, your main domain could have just three DNS lookups:

SPF_for_Main_Domain: "v=spf1 include:SPF_for_Subdomain1 include:SPF_for_Subdomain2 include:SPF_for_Subdomain3 -all"

Syntax error

Make sure the SPF record is properly constructed. Each SPF record must:

Start with “v=spf1”

End with “~all”, “-all” or “?all”

Not contain multiple “all” or “v=spf1” parts in the entry (e.g. this entry is invalid: v=spf1 a mx include:_spf.elasticemail.com ~all ~all)

Additional + in include

Some recipient servers are unable to pass SPF records when the "include" is prefixed with a "+" sign. The default qualifier for a mechanism is already pass, and "+" also means pass, so it is redundant. Simply removing any "+" signs from the record will ensure it passes with most recipient servers.

Typos

If your record is not validating, please double check your entry for typos. Examples:

"incldue" instead of "include"

Or

the domain name, make sure you use "_spf.elasticemail.com" and not the easily mistaken "_spf.elasticmail.com"
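
The checks described in the sections above can be run together before a record is published. The following Python code is an added example, not part of the original article or of Elastic Email's tooling: it flags multiple SPF records, syntax problems, a redundant "+", misspelled terms, and records over the 10-lookup limit, counting lookups the way this article describes. The zone data and all .test domain names are constructed so that it runs offline.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # list from the article
KNOWN_TERMS = LOOKUP_TERMS | {"all", "ip4", "ip6", "exp"}
# Constructed sample zone (domain -> TXT strings); hypothetical .test names, not real DNS data.
ZONE = {
    "broken.test": ["v=spf1 a mx +include:_spf.esp.test incldue:_spf.crm.test ~all ~all",
                    "v=spf1 include:_spf.old.test ~all"],
    "heavy.test": ["v=spf1 a mx " + " ".join(f"include:s{i}.test" for i in range(5)) + " ~all"],
    "clean.test": ["v=spf1 a mx include:_spf.esp.test ~all"],
    "_spf.esp.test": ["v=spf1 ip4:192.0.2.0/24 mx ~all"],
    **{f"s{i}.test": ["v=spf1 a mx ~all"] for i in range(5)},
}

def spf_records(domain, zone):  # TXT strings of the domain that are SPF records
    return [t for t in zone.get(domain, []) if t.split()[:1] == ["v=spf1"]]

def parse(term):  # one term -> (qualifier, name, target domain or None)
    m = re.match(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=]([^/\s]+))?", term)
    return (m.group(1), m.group(2).lower(), m.group(3)) if m else ("", term, None)

def count_lookups(domain, zone, seen=()):
    """Count lookup-generating terms, following include/redirect targets."""
    recs = spf_records(domain, zone)
    if domain in seen or not recs:  # stop on include loops and missing records
        return 0
    total = 0
    for _, name, target in map(parse, recs[0].split()[1:]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target, zone, seen + (domain,))
    return total

def lint(domain, zone=ZONE):
    recs = spf_records(domain, zone)
    issues = ["multiple SPF records"] if len(recs) > 1 else []
    for rec in recs:
        terms = rec.split()
        parsed = [parse(t) for t in terms[1:] if t != "v=spf1"]
        if terms.count("v=spf1") > 1 or sum(n == "all" for _, n, _ in parsed) > 1:
            issues.append('repeated "v=spf1" or "all"')
        if terms[-1] not in ("~all", "-all", "?all"):
            issues.append('does not end with "~all", "-all" or "?all"')
        issues += [f'redundant "+" on {n}' for q, n, _ in parsed if q == "+"]
        issues += [f'unknown term "{n}" (typo?)' for _, n, _ in parsed if n not in KNOWN_TERMS]
    if recs and count_lookups(domain, zone) > 10:
        issues.append("more than 10 DNS lookups")
    return issues
```

In the sample zone, heavy.test lists only seven lookup-generating terms itself, but each of its five includes adds two more, which is how a merged record ends up over the limit.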

Still not verifying?

Each change in your DNS zone needs some time to propagate through the internet. Usually, it takes anywhere from a few seconds to one hour. However, in rare cases, this period may take up to 48 hours. If your record is still not propagated after several hours you should contact your domain hosting support and ask them if the change to your DNS has been properly saved and propagated.
