Email delivery failure due to SPF Domain Authentication Fail

Article ID: 175407

Products

Email Security.cloud

Issue/Introduction

An email has failed delivery and the reason provided in Track and Trace is listed as SPF Record.

553-SPF (Sender Policy Framework) domain authentication fail

Cause

Under Services > Anti-Spam > Spoofed Sender Detection, Use SPF is enabled and set to the action Block and Delete. When this feature is enabled, all inbound emails are verified against the SPF policy of the envelope sender (Env Sender). If the Env Sender publishes a hard-fail SPF policy and the inbound email fails SPF verification, the Block and Delete action is enforced and a 5xx error is returned to the sender. SPF records set to soft-fail will not trigger the action.
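To show why a hard-fail policy triggers the block while a soft-fail policy does not, the following added Python example (not Symantec's code and not the service's implementation) evaluates a sending IP against the ip4, ip6 and all terms of an SPF record. The two sample records and the function names are constructed for illustration; mechanisms that require DNS lookups are reported as unresolved rather than evaluated.

```python
import ipaddress

# RFC 7208 qualifier prefix -> SPF result
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records (documentation address ranges, not real policies)
HARD_FAIL = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
SOFT_FAIL = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"


def evaluate_spf(record, sender_ip):
    """Evaluate sender_ip against the ip4/ip6/all terms, left to right.

    Terms that need DNS (include, a, mx, exists, ptr, redirect=) are not
    resolved; reaching one returns "unresolved" instead of a guessed verdict.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    redirect = False
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        name = name.lower()
        if "=" in name:  # modifier (exp=, redirect=), not a mechanism
            redirect = redirect or name.startswith("redirect=")
        elif name == "all":
            return QUALIFIERS[qualifier]
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unresolved"
    return "unresolved" if redirect else "neutral"


def blocked_by_use_spf(record, sender_ip):
    """True only on hard-fail, the result the article ties to Block and Delete."""
    return evaluate_spf(record, sender_ip) == "fail"


if __name__ == "__main__":
    for label, rec in (("hard-fail", HARD_FAIL), ("soft-fail", SOFT_FAIL)):
        for addr in ("192.0.2.25", "198.51.100.7"):
            print(label, addr, evaluate_spf(rec, addr), blocked_by_use_spf(rec, addr))
```
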

Resolution

When a legitimate email is being blocked due to SPF, the sender needs to contact their DNS administrator and inform them that the IP address being used is not listed as approved in their domain's SPF record. The DNS administrator can either correct this or change the SPF record to a soft-fail while this is being corrected on their end. Having the sender's DNS administrator correct the SPF record is the action recommended by Symantec.

If the email is time sensitive and must be received before the sender can get the SPF record modified, there are a few options available in ClientNet. Which one is best for the situation is at the company's discretion.

  • Add the sending email address to the Anti-Spam Approved Senders list to bypass the Anti-Spam filter, which includes the SPF record check.
  • Change the action for Use SPF from Block and Delete to another action that will allow the email through, such as Quarantine or Tag a header.
  • Turn off Use SPF. (Not recommended)

All portal changes will take up to 1 hour to fully propagate in the system. Once the change has propagated, the sender will need to resend the email.