Skip to main content
My preferencesSign out
Proofpoint, Inc.

SPF Check on Essentials for inbound mail

Situation You see SPF delivery failure mentioned as a Delivery Status or in other areas.
Solution SPF delivery status is normally due to destination server checking SPF record.

 

As part of the Proofpoint Essentials spam scanning, the senders SPF record can contribute to the overall spam score of the message. Proofpoint Essentials does not block an email outright based on the SPF entry. This is because there are a large number of domains that have an incorrect SPF record.

If you see SPF failure mentioned in the Delivery Status is likely due to the recipient mail server. SPF failures are 100% reliant on the sending mail domain. Please review your mail server for any type of SPF check scanning.

 

Some basic SPF things to know: (SPF stands for Sender Policy Framework. In essense  an authorization list of who can send in your behalf)

  • Unless you have a very complex SPF record, you should only need 1 SPF Record. 
  • All SPF records should start with v=spf1. Then your include statements, A: records (like Proofpoint has), IP addresses and your -all, ?-all. 
    • -all "-" Thi is a hard fail. If the sender does not match an Include statement, A record and/ an IP listed in the record, then hard fail it. 
    • ~all- "~" This is a soft fail. This statement will allow some leniency and will accept the email but will be labeled as soft fail. 
    • The "+" and the "?" are not recommend to be used. 
  • If you already have an SPF and need to add a record, a separate record is not always needed. For example: 
    • v=spf1 192.168.1.1 include:spf.domain.com -all if your current SPF record looked like this if you needed to add Proofpoint you would just add our a record to the statement. Like this- v=spf1 a:dispatch-us.ppe-hosted.com 192.168.1.1 include:spf.domain.com -all. 

Just make sure the v=spf1 is all lowercase letters and there is a space between each entry.