Two Ways Why Your SPF Record is Broken and How to Fix it

You have made some changes to your SPF record in DNS (or not) and your SPF record is broken. One day resources that depend on it in your organization stop working? What happened? There are generally two ways this record can become problematic but first, What is an SPF record anyways…..

An SPF Record is a TXT DNS Entry

For those of you familiar with DNS it is just one of many types of DNS entries you put in your records for your domain. For example, an “A’ record is for hosts and “MX” is for mail exchangers, etc. SPF stands for “Sender Policy Framework”. It allows other domains to send on behalf of your domain without being marked as spam. You see, way back when the Internet was on the honor system (LOL), people wouldn’t dare spoof other domains when sending email. That would be wrong as it is spamming. That was sarcasm.  If you have services that use other domains to send on behalf of your domain, a broken SPF record will likely cause an NDR of the email being sent by a non-trusted domain. Microsoft has a great explanation in the NDR on how to fix such errors.

Format of an SPF record

In its simplest form it is this:

v=spf1 ~all

This would be in the case that you use M365 as you email provider but obviously it would vary depending on your email service. A great explanation on how to build your SPF record is located here.

Here are the 2 ways this error might occur.

The Statement in the SPF record was formatted wrong

This record is quite finicky. If you do so much as add an extra space or misplace a tilde your email service will throw errors. If you are unsure, use a service like MXTool Box to generate the SPF record for you. That way all you must do is copy and paste the info into a new or already existing TXT record in your company’s DNS. Save and test!

One of the Resources Specified in the SPF record no Longer Exists

This is more likely if one of the services that send on behalf of your domain no longer exists or stops functioning. One day it works and the next day it doesn’t. It is likely on of the IP Address for server that specifically send on your behalf or one of the domains you specified in your include statements no longer exist or is not functioning. Find out from the company that provides you with this service what the new information is so you can replace it in the SPF record or if you need to remove it from the record. Either way, until it is fixed the record will stop working and your email flow will be adversely affected. If you need to gather some information before you reach out user an online SPF analyzer. It will tell you where the breakdown in the record has occurred.

These two issues when resolved will get your mail flowing again for the service that depends on it. That is all we really want, right, to the mail keep flowing!

Happy IT’ing


Quick IT TIps!

Don’t miss these tips!

We don’t spam! Read our privacy policy for more info.

Avatar photo

I am an IT professional with over twenty years experience in the field. I have supported thousands of users over the years. The organizations I have worked for range in size from one person to hundreds of people. I have performed support from Help Desk, Network / Cloud Administration, Network Support, Application Support, Implementation and Security.

Pin It on Pinterest