Can someone talk to me about SPF validation? We have the Email Deliverability PowerPack (250ok)which shows whether DKIM and SPF are valid for each email send (among other things).
Every few sends, the 250ok tool shows our SPF as failing. However, when when I run the DSN check in the Marketo admin area, our DKIM and SPF are verified, and there are clicks and opens in the email performance report. Maybe I'm misunderstanding what the 250ok tool is supposed to be telling me. Maybe the seed list doesn't match our actual audience closely enough. Maybe something really is wrong with our SPF.
How can I troubleshoot this?
This is what I got from the 250ok support site. I'd recommend starting with these. Similarly, I'm sure you can contact their support team for further assistance.
It’s not uncommon for DKIM or SPF records to be partially invalid. This can stem from a number of issues:
When any of these issues are the case, we make sure to point out the specific ISPs that are having issues so you can better diagnose the problem:
I'm not familiar with the Email Deliverability PowerPack but try checking your SPF record on a website like this one: https://mxtoolbox.com/spf.aspx
It should tell you WHY your record is invalid. Our SPF record was recently invalid because it had too many DNS lookups (the max is 10). However, it has always said it was verified in Marketo. I think Marketo might just verify that it exists rather than verifying that it is valid.
Even though our SPF record was invalid, we didn't notice any deliverability or engagement issues. But we still removed a lookup that we no longer needed because it was added when we were using a different emailing platform. Our record is back to valid now. Hope this helps!
I think Marketo might just verify that it exists rather than verifying that it is valid.
Absolutely right! And that's why it's really dangerous to include Marketo's SPF in your SPF when you don't need to. I've written extensively about these issues at https://blog.teknkl.com/tag/spf/.
Even though our SPF record was invalid, we didn't notice any deliverability or engagement issues.
If you aren't using a branded envelope sender in Marketo, SPF doesn't matter at all.
But if you break your main corporate domain's SPF, it's non-Marketo emails that are affected (by not getting the positive weight of an SPF PASS, which to be fair isn't the same as an SPF FAIL). And it also allows malicious people to impersonate your corporate domain, in direct contradiction to the reason you'd have SPF in the first place.