"SPF Configuration Error" notification on redirected SPF record

Document created by Michelle Malkasian Employee on May 30, 2017Last modified by Kiersti Esparza on May 31, 2017
Version 2Show Document
  • View in full screen mode

Issue Description

Marketo is giving an "SPF Configuration Error" despite the sending domain SPF record being set properly using an "include:".

 

Issue Resolution

SPF records have a limit of 10 look-ups that can be included in the record, so if your Marketo sending domain is also used to send emails from several other systems, your IT team may need to use an "include:" mechanism in the record in order to make sure that Marketo's sending IPs are included.

 

The tool in Marketo that verifies that your SPF record is configured properly is not able to follow such an "include:", so you will get a notification in your instance that states "SPF information for {your sending domain} is not configured correctly in the domain's DNS record".

 

For example, if your SPF record was set up as:

 

"v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com include:amazonses.com include:mktomail.com ~all"

 

All the references in the SPF record are "include:" mechanisms that reference the other companies sending IPs:

 

spf.protection.outlook.com contains

"v=spf1 ip4:207.46.101.128/26 ip4:207.46.100.0/24 ip4:207.46.163.0/24 ip4:65.55.169.0/24 ip4:157.56.110.0/23 ip4:157.55.234.0/24 ip4:213.199.154.0/24 ip4:213.199.180.0/24 include:spfa.protection.outlook.com -all"

 

_spf.salesforce.com contains

"v=spf1 ip4:85.222.130.192/26 ip4:85.222.138.192/26 ip4:96.43.144.0/20 ip4:136.146.128.64/27 ip4:136.146.208.0/21 ip4:136.147.32.0/19 ip4:182.50.78.64/28 exists:%{i}._spf.mta.salesforce.com -all"

 

amazonses.com contains

"v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 -all"

 

mktomail.com comtains

text = "v=spf1 ip4:199.15.212.0/22 ip4:72.3.185.0/24 ip4:72.32.154.0/24 ip4:72.32.217.0/24 ip4:72.32.243.0/24 ip4:94.236.119.0/26 ip4:37.188.97.188/32 ip4:185.28.196.0/22 ip4:192.28.128.0/18 ip4:103.237.104.0/22 ip6:2a04:35c0::/29  ~all"

 

In this situation, all of the required sending IP addresses are included in the SPF record, and recipient mail servers are able to follow that "include:" mechanism and verify it properly, but the tool in Marketo would still give an error due.

 

To determine whether the error is indicating that something is wrong with the record, or if it is simply due to the limitations of the tool in Marketo, you can use one of these third-party tools, once the SPF record is published, to make sure that the record resolves properly using any of the IP addresses that are included.:

 

These toosl will then process the full SPF record and let you know with a "Pass" response if the "include:" mechanism is working properly.

 

Who This Solution Applies To

Customers with an "include:" mechanism in the From Address domain SPF record.

 

Other Resources:

Common SPF Errors & Fixes

Quick Tip: Don't over include: in your SPF

Attachments

    Outcomes