SPF Violation



Emails sent by marketers may be bounced for a variety of reasons. Marketers have had delivery issues with emails about case updates and comments.

In most cases, users get a failure notification, such as: “SPF Violation”.

Main Reason: They’ve not included an SPF record.

What is an SPF Record?

A sender policy framework (SPF) record is a DNS TXT record that identifies all of the servers allowed to send emails from a specific domain.

A domain administrator can use a DNS TXT (“text”) record to add any text to the Domain Name System (DNS). TXT records were designed to contain important domain notices, but they evolved to fulfil various functions.

Servers receiving messages verify SPF by taking the domain from the Return-Path value in the email headers and searching the DNS server for that domain's TXT record. If SPF is enabled, the record lists all accepted servers from which mail can be sent. The SPF check will fail and generate an error message stating “SPF Violation” if the sending IP address is not on the list.
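The check described above, as an added Python sketch that is not part of the original article: it takes the Return-Path domain, looks up its record, and tests the sending IP against each term in order. The dictionary stands in for DNS so the example runs offline; mycompany.example and parked.example are hypothetical names, and the record shown for thirdparty.com is constructed.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# mycompany.example and parked.example are hypothetical; the thirdparty.com
# record is invented for illustration.
CONSTRUCTED_TXT = {
    "mycompany.example": "v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all",
    "thirdparty.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "parked.example": "v=spf1 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, return_path, txt=CONSTRUCTED_TXT):
    """Evaluate the SPF record of the Return-Path domain against sender_ip."""
    domain = return_path.rsplit("@", 1)[-1].lower()
    record = txt.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        # A qualifier prefix is optional; "+" (pass) is the default.
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the included domain's record passes.
            matched = check_spf(sender_ip, value, txt) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists, ... need live DNS; skipped in this sketch
        if matched:
            return QUALIFIERS[qualifier]  # first matching term decides
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for ip in ("1.2.3.4", "198.51.100.7", "203.0.113.9"):
        print(ip, check_spf(ip, "bounce@mycompany.example"))
```

A result of "fail" here corresponds to the bounce the article calls an SPF violation; "softfail" is what a ~all record returns for an unlisted sender.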

Why is Recovering from SPF Violation important?

The Sender Policy Framework (SPF) is a simple yet effective email validation method for detecting spoofed emails.

For anti-spam and faked email prevention, an SPF record is required. Although the Simple Mail Transfer Protocol (SMTP) cannot completely block faked emails, the SPF header does show whether or not the email is genuine. If you have an SPF record, then mail servers can verify whether or not the IP addresses listed in the SPF record are authorized to send an email on behalf of your domain. If they’re not, then they’ll reject any messages they receive from those IP addresses.


To recover from SPF Violation, your record needs to be valid and updated. In order to verify syntax and MTA servers, ensure the SPF DNS record is configured correctly by conducting routine checks with our SPF record checker tool. In case any error is detected, you’ll need access to your domain’s DNS control panel to modify your record and recover from the SPF violation issue. If you’re utilizing a DNS hosting service, the process is quite simple as they handle the updating for you.

Also, provide a defensive SPF record for any domain in your organization that does not deliver emails, such as a parked domain. This is also recommended by the Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG). Malicious actors can send spoofed emails by imitating any domain (i.e. even inactive ones).

Ready to Create Your SPF Record to Mitigate SPF Violation?

Your DNS host determines how you deliver an SPF record. If you utilize your domain registrar’s DNS server, you should be able to add and delete DNS entries from the registrar’s dashboard. This is the screen where you can create an SPF record.

  • Begin with the v=spf1 (version 1) tag, then add the IP addresses allowed to send mail. v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 is an example.
  • If you utilize a third party to send an email on your behalf, you must write an “include” statement in your SPF record (e.g., include:thirdparty.com) to designate the third party as a genuine sender.
  • Add the ~all or -all tag once you’ve added all approved IP addresses and include statements.
  • A soft SPF fail is indicated by a ~all tag, but a hard SPF fail is indicated by a -all tag. According to the major mailbox providers, both ~all and -all will result in SPF failure. A -all is the most secure.
  • SPF records can’t be longer than 255 characters and can’t have more than 10 include statements (also known as “lookups”). Here’s an example of how your record could appear:

v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all

  • For your domains that do not deliver email, the SPF record will contain nothing except -all. For a non-sending domain, here’s an example record:

v=spf1 -all

You can also use the SPF Record Generator tool by PowerDMARC to instantly generate a record that is error-free.

Discover SPF Violations with SPF Record Checker

With the SPF record checker by PowerDMARC, you get to know about the following data:

  • Whether or not you already have an SPF record in your DNS
  • Whether your record has been ruled invalid due to frequent SPF problems such as exceeding the 10 DNS lookup limit, publishing multiple SPF records for the same domain, or incorrect syntax
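The problems listed above can also be checked locally. The following Python sketch is an added example, not PowerDMARC's tool or code from the article: it takes the TXT records already fetched for a domain and reports a missing record, multiple records, unrecognised terms, too many DNS lookups and a missing all terminator. The function name lint_spf and the sample inputs in the usage lines are constructed.

```python
import re

# Terms that cost one DNS lookup each during evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=/])(.*))?$", re.I)


def lint_spf(txt_records):
    """Return a list of problems found in a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records published for the same domain"]
    record, problems, lookups = spf[0], [], 0
    if len(record) > 255:
        problems.append("record longer than 255 characters")
    terms = record.split()[1:]
    for term in terms:
        m = TERM_RE.match(term)
        name = m.group(2).lower() if m else None
        is_modifier = bool(m) and m.group(3) == "="  # e.g. redirect=...
        if not m or (not is_modifier and name not in MECHANISMS):
            problems.append(f"syntax error: unrecognised term {term!r}")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10")
    last = terms[-1].lstrip("+-~?").lower() if terms else ""
    if last != "all" and not any(t.lower().startswith("redirect=") for t in terms):
        problems.append("record does not end with an all mechanism")
    elif terms and terms[-1].lower() in ("all", "+all"):
        problems.append("+all authorises every sender")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the article's sample record, then a misspelt one.
    print(lint_spf(["v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:thirdparty.com -all"]))
    print(lint_spf(["v=spf1 inlcude:thirdparty.com -all"]))
```

The lookup count covers only the terms in the record itself; lookups made inside included records also count toward the limit and need a live DNS walk to total.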

If your domain has SPF enabled, you should regularly run SPF record checks to remain on top of any DNS updates.

  • Begin by typing your domain name into its designated box. (For example, if your domain’s URL is https://mycompany.com, the domain name to enter is mycompany.com, which has no prefix.)
  • You’re done when you click the “Lookup” button.

Example SPF policy details:

IP address: 13.108.238.141

SPF Record: v=spf1 ip4:13.108.238.141/26 ip4:87.222.138.192/26 ip4:80.43.144.0/20 ip4:126.146.128.64/27 ip4:116.146.208.0/21 ip4:136.147.32.0/19 ip4:112.50.78.64/28 exists:%{i}._spf.mta.dummyvalue.com -all

Address for HELO/EHLO: myaddress@salesforce.com

Example output

Mail sent from this IP address: 13.108.238.141

Mail Server HELO/EHLO identity: myaddress@salesforce.com

HELO/EHLO Results – PASS sender SPF authorized

Final Words

SPF violation is a major risk that stops you from sending important emails. You can take an easier approach by not choosing enforcement tags, and going for a more relaxed policy to allow all emails to be delivered (even the ones that fail authentication). This is a good move for beginners who only want to monitor email flow through DMARC reporting. However, for protection against spam and email fraud, this issue must be resolved as a priority.


PowerDMARC, with its latest tools, makes it simple to set up the correct DNS TXT records to stop SPF violations. Create a free PowerDMARC account and take a DMARC trial today to get access to an array of authentication and validation tools!



Michelle Gram Smith
Michelle Gram Smith is an owner of www.parentsmaster.com and loves to create informational content masterpieces to spread awareness among the people related to different topics.