Email delivery failure due to SPF Domain Authentication Fail
Article ID: 175407
Updated On:
Products
Issue/Introduction
An email has failed delivery and the reason provided in Track and Trace is listed as SPF Record.
553-SPF (Sender Policy Framework) domain authentication fail
Cause
Under Services > Anti-Spam >Spoofed Sender Detection, Use SPF is enabled and set to the action of Block and Delete. When this feature is enabled, all inbound emails will be verified against the SPF policy of the Env Sender. If the Env Sender publishes a hard-fail SPF policy and the inbound email fails SPF verification, the action of block and delete will be enforced and a 5xx error is returned to the sender. SPF record set to soft-fail will not trigger the action.
Resolution
When a legitimate email is being blocked due to SPF, then the sender needs to contact their DNS administrator to inform them that the IP address being used is not listed as approved on their domain's SPF record. The DNS administrator can either correct this or change the SPF record to a soft-fail while this is being corrected on their end. Having the sender's DNS administrator correct the SPF record is the recommended action by Symantec.
If the email is time sensitive and must be received before the sender can get the SPF record modified, there are a few options available in ClientNet and will be up to the company's discretion on which is best for the situation.
- Add the sending email address or domain to the Anti-Spam Approved Sender's list and select " Spoof " in order to bypass SPF and DMARC checks only. Emails from the added record will still be scanned by the other Anti-Spam services.
- Change the action for Use SPF from Block and Delete to another action that will allow the email through, such as Quarantine or Tag a header.
- Turn off this setting by unchecking "Use SPF". (Not recommended)
All portal changes will take up to 1 hour to fully propagate in the system. Once the change has propagated, the sender will need to resend the email.
Feedback
