Recently, we’ve had an encounter with a client having issues sending out newsletters through Marketo. Almost half the emails bounce back. Turns out there is an issue with the spam filter recognizing Marketo emails as spam and blocking them.
This post describes how Marketo uses SPF to prevent malicious activities, such as spoofing and spamming but may cause bounced emails if they fail SPF checks. At the end of this article, you should learn how to resolve bounced Marketo emails due to SPF Check Fail.
Understanding Hard and Soft Bounces in Email
Before getting more profound, it's essential to know about the two types of email delivery failures – hard bounce and soft bounce. Understanding the differences between these two allows you to identify and remove invalid or inactive email addresses, improving your email deliverability and campaign effectiveness.
A soft bounce means something went wrong in delivering the email to the recipient. This automatically gets resolved, as the email may be delivered successfully later. In a soft bounce, the email could not be delivered for reasons like the recipient's mailbox being full, their email server being down, or their email account being temporarily suspended.
A hard bounce, on the other hand, implies a specific email address is invalid, which happens when a mail server tells Marketo that the person’s email can’t be delivered. It is a permanent delivery failure and is often caused by invalid email addresses, typos, or fake email addresses. SPF settings can also cause hard bounces, which is what we will discuss in the next sections.
What is SPF and How Does It Work?
SPF (Sender Policy Framework) is an email authentication protocol that allows email servers to verify that incoming messages from a particular domain are authorized to be sent from that domain's email servers. In other words, it acts as a spam filter and helps prevent email spoofing, a common tactic spammers and phishers use.
Mail servers use SPF certification as a way to prove that a certain domain is sending legitimate email messages and not spam or a phishing campaign. This means if a sender passes SPF, the sender’s IP belongs to the authorized range of IP addresses from the sender's email server.
Here is an overview of the Sender Policy Framework (SPF) in action:
1. SPF record is created to establish an authentication policy - This is where authorized mail servers to send emails from a particular domain are defined.
An example of an SPF will look like this:
"v=spf1 include:spf.protection.outlook.com include:mktomail.com -all"
The first part, “v-spf1,” tells the server that this contains an SPF entry. You can include different ranges of IP addresses using the field 'include:' The mechanism, such as -all in the above example, specifies the SPF check rules and usually goes at the end of the SPF record. The enforcement rule can be one of the following:
-all - This indicates a hard fail. If you know all the authorized range of IP addresses within your domain, you can list them in your SPF TXT record and use this hard-fail qualifier.
~all – This means soft fail and comes in handy when you are not sure about the complete list of trustworthy IP addresses.
?all – This indicates neutral and is often used only for SPF testing and not on live deployment.
2. DNS lookup – An incoming email is verified in the DNS (Domain Name Service) record, where the inbound server checks whether the message comes from a trustworthy IP address specified in the SPF record.
3. Authentication result – The mail is either delivered, flagged, or rejected based on the rules set in the SPF record.
SPF certification does not only serve as an email security system but it also helps improve the deliverability and multiply open and click rates of your legitimate mail. By obtaining SPF certification, you can ensure your messages are reaching your subscribers' inboxes instead of being marked as spam or blocked altogether.
SPF Pros and Cons
As you have learned above, Sender Policy Framework (SPF) is an email authentication method that helps to introduce additional email security by verifying the sender's IP address against a list of authorized IP addresses and domains from that particular domain.
In the table below, let us examine SPF’s benefits and limitations.
| BENEFITS
|
LIMITATIONS |
| Prevents email spoofing |
SPF is not foolproof |
| Increases email deliverability |
SPF can be difficult to set up |
| Protects your domain's reputation |
SPF can cause delivery issues |
| Easy to implement |
Authentication issues with forwarded emails |
Email spoofing is when someone sends an email that appears to be from a legitimate source but is actually from a fraudulent source. By verifying the sender's IP address, SPF ensures that only authorized senders can send emails from a particular domain.
By using SPF, you can improve your email deliverability rates by reducing the likelihood of your emails being marked as spam or blocked by email servers. When your email passes SPF checks, it is more likely to be delivered to the recipient's inbox and helps to protect your domain's reputation.
When it comes to implementation, SPF requires only a few changes to your domain's DNS records. Once SPF is set up, it works automatically to verify the sender's IP address each time an email is sent.
However, while Sender Policy Framework (SPF) offers several advantages, there are also some potential disadvantages to consider. Although SPF can help prevent email spoofing, it is not foolproof. SPF only verifies the domain's IP address and does not check the content of the email or the sender's identity. This means that a skilled attacker may still be able to spoof emails from an authorized IP address.
Moreover, as easy as it is to implement, it can be difficult to set up SPF correctly. It requires making changes to your domain's DNS records, which can be confusing, particularly for those unfamiliar with DNS settings.
If SPF is not set up correctly or the domain's SPF record is incorrect, it can cause delivery issues. For example, legitimate emails may be rejected or marked as spam if they fail SPF checks.
Now, this was the case with one of our clients. There was absolutely no error in the email addresses, but when they send out the newsletters through Marketo, the emails bounce back:
So, how do we resolve the issue with bounced emails due to SPF check fail - this is what we'll discuss in the next section.
Troubleshooting Bouncing Emails due to SPF Check Fail in Adobe Marketo
When you communicate with clients or prospects through email, you want to ensure your emails route to valid inboxes, not spam filters.
If your emails are being bounced due to SPF check fail, there are several steps you can take to resolve the issue. The SPF authentication result can be one of the following:
- None - When a mail server receives an incoming message, it performs a DNS lookup. None is returned when no valid DNS domain name or SPF Record is found.
- Pass – the sender’s IP address is allowed.
- Fail – This indicates that the mail server will not allow emails originating from any origin not found within the SPF record.
- Softfail – This implies that the receiving mail server would accept the message and deliver it to the recipient’s inbox, but it would be marked as spam if the IP address is not found in the SPF record, which can be a reason why the SPF check fails.
- Neutral – It is not implied whether the originating email address is allowed.
- TempError – During the SPF check, the mail server encountered a transient or temporary error caused by a network error, such as a DNS timeout.
- PermError – This stands for permanent error, which is a common reason for SPF check fail. This error will require DNS operator intervention for resolution.
When someone sends a message to your email account, which never arrived, and the sender receives an SPF bounce message. This indicates that the sender’s email originates from a server that is not part of their domain's allowed mail servers. In most cases, one of two things has occurred:
2. The sender is not using an authorized mail/SMTP server and may need to switch to one authorized by their mail admin.
To solve this problem, the email sender needs to:
Check SPF Record: The first step is to check the SPF record to ensure it is set up correctly. SPF Record is a DNS TXT record that contains the list of IP addresses and/or hostnames allowed and authorized to send mail for your domain.
You can use an SPF checker tool, for example, https://emailauth.io/spf-record-checker, to verify that your SPF record includes all the authorized IP addresses and that it is formatted correctly. An SPF record checker tool lets you look up the SPF record by simply entering the domain name and then displays the record and runs tests to identify any problems within the record that could affect mail delivery. The SPF checker tool can analyze your SPF record, and below are the common reasons for SPF authentication failures:
- The receiving mail server fails to find an SPF record published in your DNS
- Multiple SPF records published in your DNS for similar domain
- If the message exceeded the 10 DNS lookup limit
- If the message exceeded the maximum allowed hop count
- Uppercase letter in your SPF record
- Your SPF record length in a single string within a TXT record exceeded the 255 characters limit
Review SPF Status: Sometimes, the problem is that your email service provider may have changed or added IP addresses that have not been updated on your SPF record, or the configuration is still pending.
Use an email authentication tool – In addition to SPF, consider using an email authentication tool, such as DomainKeys Identified Mail (DKIM) or Domain-based Message Authentication, Reporting, and Conformance (DMARC). Such tools can provide enhanced layers of authentication and help to ensure your emails are delivered successfully.
Instead of relying only on IP addresses, DKIM uses public key cryptography to authenticate incoming mail, reducing false positive scenarios and providing a much more robust form of email authentication than SPF. Meanwhile, DMARC ensures that both your SPF and DKIM information matches the From address. If you want to achieve enhanced email security, using other techniques, such as DKIM and DMARC, along with SPF, can be a good idea.
In the end, troubleshooting bounced emails due to SPF check fail requires checking if the sender uses an authorized email address, verifying and correcting your SPF record to ensure proper DNS entries, and using additional email authentication methods that best fit your configuration. By taking these steps, you can boost your delivery rate and ensure your messages are delivered successfully.
Bounced Marketo Emails due to SPF Check Fail - Frequently Asked Questions
What is SPF?
SPF or Sender Policy Framework is an email security technique that lets the domain owner specify the domains or IP addresses authorized to send mail on its behalf. Receiving mail servers can either reject or bounce the email based on the list of specified authorized outgoing email servers in the SPF record.
What is an SPF record?
The SPF record contains the list of authorized IP addresses, which means these are the addresses allowed to send email messages on behalf of the specific domain. When there is an incoming message, the receiving email server checks the SPF record of the sender's domain to confirm whether the IP address of the server sending the email is authorized to send messages. Otherwise, the email may be rejected or marked as spam.
What is SPF certification?
In a nutshell, SPF certification is a way to check that the IP address the email comes from is authorized. SPF helps mail servers decide whether to receive or reject incoming mail using the SPF record that contains the list of authorized IP addresses within a specific domain. SPF Check Fail means the incoming email will be recognized as spam or blocked.
How to Configure SPF for Adobe Marketo
It is highly recommended to set up SPF for protection against spamming and phishing. If you want to configure Sender Policy Framework (SPF) in Marketo, log in to your DNS management console. Navigate to the Tools and Settings section under DNS Template. Configure/add your SPF TXT record. Your SPF record should include all the authorized IP addresses for your domain. For example, if you are sending emails from Marketo and also from your own email server, you should include both sets of IP addresses in your SPF record. Once you've entered your SPF record, save your changes.
The changes should be processed by your DNS within 72 hours. After configuring your SPF record, it's crucial to test it to ensure that it's set up correctly. You can use an SPF checker tool to verify that your SPF record works as expected.
How can I view my existing SPF TXT record?
To view your current SPF record, you can use several tools available online. Here is an example: https://dmarcly.com/tools/spf-record-checker, where you only need to enter the domain name in question, and the tool will check if you have an SPF record and if it’s set up correctly.
Can I have multiple SPF records on one domain?
When the mail server identifies multiple SPF records, an SPF PermError is returned, and that’s because only one SPF record can be published on any specific domain.