Back to Course
Լight modeDark mode

SPF Authentication Failures

Why does SPF Authentication Fail? : None, Neutral, Hardfail, Softfail, TempError, and PermError

SPF authentication failures can happen due to the following reasons:

  • The receiving MTA fails to find an SPF record published in your DNS
  • You have multiple SPF records published in your DNS for the same domain
  • Your ESPs have changed or added to their IP addresses which have not been updated on your SPF record
  • If you exceed the 10 DNS lookup limit for SPF
  • If you exceed the maximum number of permitted void lookup limit of 2
  • Your flattened SPF record length exceeds the 255 SPF characters limit

Types of SPF Fail Qualifiers

The following are types of SPF Fail qualifiers each of which is added as a prefix before the SPF fail mechanism:

“+” “Pass”
“-” “Fail”
“~” “Softfail”
“?” “Neutral”

How do these matter? Well in a situation your email does fail SPF, you can choose how stringently you want receivers to handle it. You may specify a qualifier to “pass” messages that fail check (deliver them),“Fail” delivery, or take a “Neutral” standpoint (do nothing).

Case 1: SPF None result is Returned

In the first case scenario,- if the receiving email server performs a DNS lookup and is unable to find the domain name in the DNS, a none result is returned. None is also returned in case no SPF record is found in the sender’s DNS, which implies that the sender doesn’t have SPF authentication configured for this domain. In this case SPF authentication for your emails fails.

Case 2: SPF Neutral Result is Returned

While configuring SPF for your domain, if you have affixed a ?all mechanism to your SPF record, this means that no matter what the SPF authentication checks for your outbound emails conclude, the receiving MTA returns a neutral result. This happens because when you have your SPF in neutral mode, you are not specifying the IP addresses that are authorized to send emails on your behalf and allowing unauthorized IP addresses to send them as well.

Case 3: SPF Softfail Result

Similar to SPF neutral, SPF softfail is identified by ~all mechanism which implies that the receiving MTA would accept the mail and deliver it into the inbox of the recipient, but it would be marked as spam, in case the IP address is not listed in the SPF record found in the DNS, which can be a reason why SPF authentication fails for your email. Given below is an example of SPF softfail:

 v=spf1 ~all

Case 4: SPF Hardfail Result

SPF hardfail, also known as SPF fail is when receiving MTAs would discard emails originating from any sending source that is not listed within your SPF record. We recommend you to configure SPF hardfail in your SPF record, if you want to gain protection against domain impersonation and email spoofing. Given below is an example of SPF hardfail:

v=spf1 -all

Case 5: SPF TempError (SPF Temporary Error)

One of the very common and often harmless reasons why SPF authentication fails is SPF TempError (temporary error) which is caused due to a DNS error such as a DNS timeout while an SPF authentication check is being performed by the receiving MTA. It is, therefore, just as the name suggests, usually an interim error returning a 4xx status code that can cause temporary SPF failure, however, yielding an SPF pass result when tried again later.

Case 6: SPF PermError (SPF Permanent Error)

Another common result that domain errors are faced with is SPF PermError. This is why SPF authentication fails in most case scenarios. This happens when your SPF record gets invalidated by the receiving MTA. There are many reasons why SPF might break and be rendered invalid by the MTA while performing DNS lookups:

  • Exceeding the 10 SPF lookup limit
  • Incorrect SPF record syntax
  • More than one SPF record for the same domain
  • Exceeding the SPF record length limit of 255 characters
  • If your SPF record is not up to date with changes made by your ESPs

Note: When an MTA performs an SPF check on an email, it queries the DNS or conducts a DNS lookup to check for the authenticity of the email source. Ideally, in SPF you are allowed a maximum of 10 DNS lookups, exceeding which will fail SPF and return a PermError result.

Course content
Email Authentication Fundamentals