"SPF Configuration Error" notification on redirected SPF record

Version 2

    Issue Description

    Marketo is giving an "SPF Configuration Error" despite the sending domain SPF record being set properly using an "include:".

     

    Issue Resolution

    SPF records have a limit of 10 look-ups that can be included in the record, so if your Marketo sending domain is also used to send emails from several other systems, your IT team may need to use an "include:" mechanism in the record in order to make sure that Marketo's sending IPs are included.

     

    The tool in Marketo that verifies that your SPF record is configured properly is not able to follow such an "include:", so you will get a notification in your instance that states "SPF information for {your sending domain} is not configured correctly in the domain's DNS record".

     

    For example, if your SPF record was set up as:

     

    "v=spf1 include:spf.protection.outlook.com include:_spf.salesforce.com include:amazonses.com include:mktomail.com ~all"

     

    All the references in the SPF record are "include:" mechanisms that reference the other companies sending IPs:

     

    spf.protection.outlook.com contains

    "v=spf1 ip4:207.46.101.128/26 ip4:207.46.100.0/24 ip4:207.46.163.0/24 ip4:65.55.169.0/24 ip4:157.56.110.0/23 ip4:157.55.234.0/24 ip4:213.199.154.0/24 ip4:213.199.180.0/24 include:spfa.protection.outlook.com -all"

     

    _spf.salesforce.com contains

    "v=spf1 ip4:85.222.130.192/26 ip4:85.222.138.192/26 ip4:96.43.144.0/20 ip4:136.146.128.64/27 ip4:136.146.208.0/21 ip4:136.147.32.0/19 ip4:182.50.78.64/28 exists:%{i}._spf.mta.salesforce.com -all"

     

    amazonses.com contains

    "v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 -all"

     

    mktomail.com comtains

    text = "v=spf1 ip4:199.15.212.0/22 ip4:72.3.185.0/24 ip4:72.32.154.0/24 ip4:72.32.217.0/24 ip4:72.32.243.0/24 ip4:94.236.119.0/26 ip4:37.188.97.188/32 ip4:185.28.196.0/22 ip4:192.28.128.0/18 ip4:103.237.104.0/22 ip6:2a04:35c0::/29  ~all"

     

    In this situation, all of the required sending IP addresses are included in the SPF record, and recipient mail servers are able to follow that "include:" mechanism and verify it properly, but the tool in Marketo would still give an error due.

     

    To determine whether the error is indicating that something is wrong with the record, or if it is simply due to the limitations of the tool in Marketo, you can use one of these third-party tools, once the SPF record is published, to make sure that the record resolves properly using any of the IP addresses that are included.:

     

    These toosl will then process the full SPF record and let you know with a "Pass" response if the "include:" mechanism is working properly.

     

    Who This Solution Applies To

    Customers with an "include:" mechanism in the From Address domain SPF record.

     

    Other Resources:

    Common SPF Errors & Fixes

    Quick Tip: Don't over include: in your SPF