SoftFail SPF Record

🔍 Step 1: Identify the Problem

Common causes:

  • Missing sending services (Microsoft 365, website, CRM, etc.)
  • Multiple SPF records (only ONE is allowed)
  • Incorrect include statements
  • Emails being sent from an IP/domain not listed in SPF

🛠️ Step 2: Check Your Current SPF Record

Use a tool like:

  • MXToolbox (SPF lookup)
  • nslookup -type=txt yourdomain.com

Example SPF:

v=spf1 include:spf.protection.outlook.com ~all

This is valid for Microsoft 365, but will softfail if:

  • Emails come from a copier/printer
  • A website sends mail
  • A 3rd-party service (like Mailchimp, etc.) sends mail

✅ Step 3: Fix the SPF Record

✔️ Add All Legitimate Senders

Examples:

Microsoft 365 only

v=spf1 include:spf.protection.outlook.com -all

Microsoft 365 + Website Server (use the server's public IP; 203.0.113.10 is a placeholder)

v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all

Microsoft 365 + Mailchimp

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all

⚠️ Step 4: Replace ~all with -all (Hard Fail)

Once you’re confident everything is included:

  • ~all = SoftFail (monitoring mode)
  • -all = HardFail (strict enforcement)

👉 Recommended progression:

  1. Start with ~all
  2. Validate logs / headers
  3. Move to -all

🔥 Step 5: Check for Common Mistakes

❌ Multiple SPF Records

BAD:

v=spf1 include:spf.protection.outlook.com ~all
v=spf1 include:servers.mcsv.net ~all

✔️ FIX:

v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net -all

โŒ Too Many DNS Lookups (limit = 10)

Each include: counts toward the limit.

Fix:

  • Remove unused services
  • Use subdomain delegation if needed

โŒ Missing Internal Devices

Things like:

  • Printers
  • Firewalls
  • Backup systems

👉 Add them:

ip4:PUBLIC_IP_OF_DEVICE
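
An added example (not part of the original article): a Python audit of the three Step 5 mistakes, run offline against constructed TXT records. It goes slightly beyond the text by also counting lookups inside nested include: targets and the other DNS-querying terms (a, mx, ptr, exists, redirect), which count toward the same limit of 10 under RFC 7208. The domains, the ZONE dict and the function names are assumptions made for the example.

```python
import ipaddress
import re

LOOKUP_LIMIT = 10  # DNS lookups allowed per SPF evaluation (RFC 7208, section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that query DNS
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TERM = re.compile(r"(?<!\S)[+\-~?]?([a-z0-9]+)(?:[:=/](\S*))?", re.I)

# Constructed sample data: every domain and record here is a placeholder, not a real one.
ZONE = {
    "dup.example": ["v=spf1 include:_spf.mail.example ~all", "v=spf1 include:s0.example ~all"],
    "printer.example": ["v=spf1 ip4:192.168.1.10 include:_spf.mail.example ~all"],
    "heavy.example": ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(6)) + " -all"],
    "_spf.mail.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    **{f"s{i}.example": ["v=spf1 mx -all"] for i in range(6)},
}

def spf_records(txts):
    """Keep only the TXT strings whose first token is the SPF version tag."""
    return [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]

def terms(record):
    """Return (name, value) for each term, qualifier stripped and lowercased."""
    return [(m.group(1).lower(), (m.group(2) or "").lower()) for m in TERM.finditer(record)]

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms for a domain, following include:/redirect= targets."""
    recs = spf_records(zone.get(domain, []))
    if domain in path or not recs:  # include loop or nothing published: stop here
        return 0
    total = 0
    for name, value in terms(recs[0]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(value, zone, path + (domain,))
    return total

def audit(domain, zone):
    """Return findings for the Step 5 mistakes in one domain's TXT records."""
    recs = spf_records(zone.get(domain, []))
    if len(recs) != 1:
        return [f"{len(recs)} SPF records published; exactly one is allowed"]
    findings = []
    for name, value in terms(recs[0]):
        if name == "ip4" and any(ipaddress.ip_network(value, strict=False).subnet_of(r) for r in RFC1918):
            findings.append(f"ip4:{value} is a private address; list the public IP instead")
    if count_lookups(domain, zone) > LOOKUP_LIMIT:
        findings.append(f"{count_lookups(domain, zone)} DNS lookups needed; the limit is {LOOKUP_LIMIT}")
    return findings
```

In heavy.example the record shows only six include: terms, but each included record adds an mx lookup, so the evaluation needs 12 lookups and exceeds the limit.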

🧪 Step 6: Test After Fix

  • Send email to Gmail
  • Check headers → look for: SPF: PASS
  • Use MXToolbox SPF validation

💡 Pro Tip (Production Environments)

If you’re managing a full environment:

  • Pair SPF with:
    • DKIM
    • DMARC (p=quarantine → p=reject)
  • Monitor via DMARC reports before enforcing strict SPF

🚀 Quick “Safe Fix” Template

If you’re unsure, start here:

v=spf1 include:spf.protection.outlook.com ~all

Then gradually tighten to:

v=spf1 include:spf.protection.outlook.com -all