How to fix SPF records by analyzing DMARC reports
You might be under the impression that the three major email authentication protocols work independently of each other. That is one of the most common misunderstandings, and it applies in particular to SPF (Sender Policy Framework).
Unlike DMARC, which builds on the foundation laid by SPF and DKIM, SPF can technically be evaluated on its own. But if you want to optimize your configuration and tighten your security, treating it in isolation is not very helpful.
Yes, SPF is usually the first step in the authentication journey: it requires you to explicitly list all the mail servers or services authorized to send on behalf of your domain. That means everything from your own mail server to your marketing platform and CRM must be covered by your SPF record.
Here’s the thing: configuring the SPF record isn’t just about listing your sending services once and being done with it. It requires ongoing management and planning, and DMARC aggregate reports are the data you rely on for that. This is why we said SPF doesn’t work best in isolation.
Now that we know SPF works best when complemented by the visibility DMARC aggregate reports provide (receivers typically send one per day, so this is near-daily rather than real-time visibility), let us look at how these reports bridge the gap between your intended email infrastructure and what’s actually happening in the wild.
What do DMARC reports say about SPF?
DMARC aggregate reports give you a clear picture of how your domain is being used: which IP addresses are sending mail with your domain in the From header, whether those messages passed SPF and DKIM, and whether the domain SPF was checked against aligned with the From domain. You need all of this to spot gaps in your SPF record, catch unauthorized senders, and fix alignment issues that could otherwise lead to legitimate emails being rejected or marked as spam.
Here’s how DMARC reports identify these gaps and help you fine-tune your SPF record:
They list all sending sources
The report lists every source that sent mail using your domain in the From header. Sources are identified by IP address, not by name, so you map each IP back to the service behind it (your own mail server, or a tool like Mailchimp, Google Workspace or Salesforce) using reverse DNS and the provider’s published sending ranges. If any of these sources aren’t covered by your SPF record, their emails fail SPF even though they’re legitimate.
They tell you if the SPF passed or failed
For each source, the report records whether the message passed SPF, which domain the check was run against (the Return-Path, or envelope-from, domain), and whether that domain aligned with the From domain. This lets you quickly spot a legitimate sender that has been left out of your SPF record, or a misconfiguration causing failures, so you can update the record until all legitimate senders pass. It also shows which included services have stopped sending altogether, so you can clean up your SPF record by removing entries that are no longer in use.
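The two points above are easiest to see on an actual report. The script below is an added example, not code from the original article or from DuoCircle: it parses a constructed DMARC aggregate (RUA) report in the RFC 7489 XML format, pulls out each source IP with its raw SPF result, the domain SPF was checked against, and DMARC's aligned-SPF verdict, and buckets every source into "ok", "unaligned", "not_authorized" or "permerror". The IPs are from the RFC 5737 documentation ranges and every domain ending in .test is fictional; the bucket names are this example's own convention.

```python
"""Summarise what a DMARC aggregate (RUA) report says about SPF, per sending source."""
import xml.etree.ElementTree as ET

# Constructed sample report (not a real receiver's report). Three sources:
#  - 192.0.2.10     own mail server: SPF pass, aligned with the From domain
#  - 198.51.100.25  third-party tool: SPF pass, but on its own Return-Path domain
#  - 203.0.113.7    unknown sender: SPF fail against the From domain
SAMPLE_REPORT = """
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>pass</result></spf>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.25</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.esp-provider.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(spf_result: str, spf_aligned: str) -> str:
    """Map the raw SPF result plus DMARC's aligned-SPF verdict to an action bucket."""
    if spf_result == "permerror":
        return "permerror"       # the SPF record itself is broken; fix the record, not the sender
    if spf_result == "pass" and spf_aligned == "pass":
        return "ok"
    if spf_result == "pass":
        return "unaligned"       # passed on a Return-Path domain that is not your From domain
    return "not_authorized"      # source missing from your SPF record, or simply not yours


def summarise_spf(report_xml: str) -> list:
    """One dict per <record>: source IP, volume, SPF result/domain, alignment, bucket."""
    root = ET.fromstring(report_xml)
    rows = []
    for rec in root.findall("record"):
        spf_result = (rec.findtext("auth_results/spf/result") or "none").lower()
        spf_aligned = (rec.findtext("row/policy_evaluated/spf") or "fail").lower()
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_domain": rec.findtext("auth_results/spf/domain") or "",
            "spf_result": spf_result,
            "spf_aligned": spf_aligned,
            "dkim_aligned": (rec.findtext("row/policy_evaluated/dkim") or "fail").lower(),
            "status": classify(spf_result, spf_aligned),
        })
    return rows


def needs_action(rows: list) -> list:
    """Sources that are not fully passing, highest volume first (fix the big ones first)."""
    return sorted((r for r in rows if r["status"] != "ok"), key=lambda r: -r["count"])


if __name__ == "__main__":
    for r in needs_action(summarise_spf(SAMPLE_REPORT)):
        print(f'{r["source_ip"]:<16} {r["count"]:>5}  spf={r["spf_result"]} on {r["spf_domain"] or "-"}  '
              f'aligned={r["spf_aligned"]}  dkim={r["dkim_aligned"]}  -> {r["status"]}')
```

Running it lists the two sources that need attention: the third-party tool shows up as "unaligned" (it passed SPF, just not on your domain), and the low-volume unknown IP as "not_authorized". A real report often contains several `<record>` elements for the same IP, so aggregate by IP before deciding; and an IP that is "not_authorized" at low volume may be a spoofer rather than a forgotten service, which is why the mapping back to a known provider matters before you add anything to the record.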
How can you fix your SPF record with the DMARC insights?
Once you’ve reviewed your DMARC reports and identified the gaps, here’s how you can use those insights to fix and strengthen your SPF record:
Identify missing senders and add them
If you spot a service or IP that you know is legitimate but is still failing SPF, check whether its sending domain or IP address is covered by your current SPF record. If it isn’t, add it. While you are at it, use the exact “include:” mechanism the service provider documents rather than hard-coding IP addresses you copied from a report, because providers change their ranges and an include: tracks those changes for you. Once you have done this, most SPF failures involving legitimate senders are resolved quickly.
Fix domain alignment issues
Even if an email passes the SPF check, it can still fail DMARC. DMARC doesn’t just look at whether SPF passed; it also checks that the domain SPF was evaluated against (the Return-Path, or envelope-from, domain) aligns with the domain in the From header. Under the default relaxed alignment (aspf=r) the two only need to share an organizational domain, so bounce.example.com aligns with example.com; under strict alignment (aspf=s) they must match exactly. If they don’t align, the SPF pass doesn’t count toward DMARC. This typically happens when a third-party service sends using its own domain in the Return-Path. To fix it, check whether the service lets you configure a custom Return-Path (often called a custom bounce or envelope domain) under your own domain. If it doesn’t, DMARC can still pass on DKIM alone, as long as the service signs with a DKIM key published under your domain.
Remove outdated entries
Over time, your SPF record can get cluttered with services you no longer use. DMARC reports show which senders are actually active. If you see include: entries for services that haven’t sent any mail in weeks or months, remove them. Cleaning up unused entries not only simplifies your SPF record but also keeps you under the 10 DNS lookup limit, which causes SPF to fail even when every entry looks correct.
Watch out for the SPF lookup limit
SPF allows a maximum of 10 DNS-querying terms per evaluation (include, a, mx, ptr and exists mechanisms plus the redirect modifier), and the lookups inside each included record count toward the same total. If you include many third-party services, it’s easy to exceed this limit, and the result is a permerror: receivers treat the check as failed even though every entry is individually correct. DMARC reports don’t state the reason, but an SPF result of permerror for every source at once is the tell-tale sign. If this happens, remove unused includes or use SPF flattening tools, keeping in mind that a flattened record lists raw IP ranges that go stale whenever a provider changes its netblocks, so it has to be re-flattened regularly.
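The cleanup and lookup-limit steps above are easier to reason about with an auditor that walks the record the way a receiver does. The script below is an added example, not code from the original article or from DuoCircle: it counts every DNS-querying term in an SPF record, recursing into include: and redirect= targets, charges void lookups for include targets that no longer publish a record (a decommissioned service left in the record), and reports permerror when the RFC 7208 limits (10 lookups, 2 void lookups) are exceeded. It runs offline against a constructed table of TXT records; all the .test domains and their contents are invented for the example, and the same logic would run against live DNS by swapping the dict for a resolver.

```python
"""Count the DNS lookups an SPF record triggers, following include: and redirect=."""

# Mechanisms/modifiers that each cost one DNS lookup (RFC 7208 section 4.6.4).
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10   # more than 10 DNS-querying terms -> permerror
VOID_LIMIT = 2      # more than 2 void lookups (no record / NXDOMAIN) -> permerror

# Constructed TXT data standing in for DNS so the audit runs offline. Every
# domain is fictional. spf.retired-tool.test deliberately has no record, to model
# an include: left behind for a service that was decommissioned.
FAKE_TXT = {
    "example.com": "v=spf1 mx include:_spf.mailprovider.test include:spf.crm-vendor.test "
                   "include:spf.retired-tool.test ~all",
    "_spf.mailprovider.test": "v=spf1 include:_netblocks1.mailprovider.test "
                              "include:_netblocks2.mailprovider.test "
                              "include:_netblocks3.mailprovider.test ~all",
    "_netblocks1.mailprovider.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.mailprovider.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.mailprovider.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.crm-vendor.test": "v=spf1 a mx include:spf.crm-vendor-infra.test ~all",
    "spf.crm-vendor-infra.test": "v=spf1 ip4:203.0.113.0/24 ~all",
}


def _parse_term(term: str) -> tuple:
    """Split an SPF term into (mechanism name, target), dropping qualifier and CIDR."""
    body = term.lstrip("+-~?")
    if "=" in body:                       # modifier, e.g. redirect=other.example
        name, value = body.split("=", 1)
    elif ":" in body:                     # mechanism with argument, e.g. include:x
        name, value = body.split(":", 1)
    else:                                 # bare mechanism, e.g. a, mx, ptr, all
        name, value = body, ""
    return name.split("/")[0].lower(), value.split("/")[0]


def count_lookups(domain: str, txt: dict, _chain: tuple = ()) -> dict:
    """Walk the SPF record for `domain`, counting every DNS-querying term.

    Returns {"lookups": n, "void": n, "trail": [...]}; the trail names each
    counted term with the record it came from, so the culprit is visible.
    """
    if domain in _chain:
        raise ValueError("include/redirect loop: " + " -> ".join(_chain + (domain,)))
    result = {"lookups": 0, "void": 0, "trail": []}
    record = txt.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        result["void"] += 1
        result["trail"].append(f"{domain}: no SPF record (void lookup)")
        return result
    for term in record.split()[1:]:       # skip the v=spf1 version tag
        name, target = _parse_term(term)
        if name not in DNS_MECHANISMS:
            continue                      # ip4 / ip6 / all / exp= cost nothing
        result["lookups"] += 1
        result["trail"].append(f"{domain}: {term}")
        if name in ("include", "redirect"):
            sub = count_lookups(target, txt, _chain + (domain,))
            result["lookups"] += sub["lookups"]
            result["void"] += sub["void"]
            result["trail"].extend(sub["trail"])
    return result


def audit(domain: str, txt: dict) -> dict:
    """Lookup counts plus the verdict a receiver would reach on the limits alone."""
    r = count_lookups(domain, txt)
    over = r["lookups"] > LOOKUP_LIMIT or r["void"] > VOID_LIMIT
    return {**r, "verdict": "permerror" if over else "ok"}


if __name__ == "__main__":
    report = audit("example.com", FAKE_TXT)
    for line in report["trail"]:
        print("  " + line)
    print(f'lookups={report["lookups"]} void={report["void"]} -> {report["verdict"]}')
```

On the constructed data example.com sits exactly at 10 lookups with one void lookup, so it still passes; adding one more include: for a new tool pushes it to 11 and every message from every source turns into permerror, while dropping the retired include: first keeps the new tool at 10 with no void lookups. The trail makes it obvious that the CRM vendor’s bare `a` and `mx` and the mail provider’s three nested includes are where most of the budget goes, which is the information the 10-lookup warning in DMARC reports never gives you directly.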
Maintaining a healthy SPF configuration
Like any other security setting, SPF is not a one-time setup. It should evolve with your email infrastructure. Whenever you start using a new tool or stop using an existing one, update your SPF record accordingly. If a legitimate service isn’t added, its emails may fail authentication. If an outdated service stays in the record, it adds unnecessary bulk and brings you closer to the 10 DNS lookup limit, beyond which the entire check fails. Either way, an out-of-date SPF record means your emails may not reach their destination, or worse, may be flagged as suspicious or rejected outright.
Keeping your SPF record clean and updated doesn’t take much time, but it goes a long way in making sure your emails are trusted, delivered, and protected.
The process might sound daunting, but you’re in the right place.
If you need help fixing or maintaining your SPF record, our team at DuoCircle is here to help you with that and more! From analyzing your DMARC reports to optimizing your SPF configuration and staying within the SPF lookup limit, we make the process simple and accurate. Book a demo with us to see how we can secure your email setup.