All Collections
FAQ
SPF
What should I do if I get an Email Bounceback Message or NDR that contains an SPF error?
What should I do if I get an Email Bounceback Message or NDR that contains an SPF error?

Troubleshooting NDR bounceback emails

Updated over a week ago

Valimail Note

On rare occasions, we get a ticket from a customer that has issues sending emails to a specific receiver.

We have noticed a pattern for all these tickets and were able to discover the root cause for them.

If you have this issue, please see the most likely scenario below and a temporary fix:

Preconditions

  • Domain was recently moved to reject

  • The reported issue is coming from a sender with a good passing rate and with no visible issues in the GUI Reports

  • DKIM is also turned on for the affected sender

  • You get an email bounceback from a receiver or an NDR generated by your gateway that shows details about an SPF error and a DMARC fail similar to this:

a screenshot of a computer screen

a screenshot of a email

The example above is an NDR (Non-Delivery Report) generated by Microsoft. The NDR will also contain the name of the server or gateway that rejected the message.

Root Cause

  • The receiving gateway is not able to correctly parse SPF Macros. They either modify the ehlo name of the sending server prior to checking SPF or they straight reject the email when they see the SPF record is not readable by their gateway and it does not contain the expected include statement.

  • The receiver sends an SPF validation error or temperror back to the sender and they do not go further and check DKIM signing after the SFP error


โ€‹

Solutions

  • Ideally, the receiver should upgrade/update their mail gateway to correctly translate SPF macros as these are part of the SPF standard and have been for a long time now. However, this might be a lengthy process and a temporary fix needs to be applied;

  • Workaround 1: The receiver whitelists the sending IPs/sending domain in order to accept your emails even if they believe they are failing DMARC authentication. This might be dangerous as it will also open up the receiver to spoofing attempts coming from your domain if not setup correctly;

  • Workaround 2: The sender (you) add the SPF include statement of the Sender to your SPF record after the Valimail Macro so that the receiving gateway is able to accept the emails based on that. Please note that this should only be temporary and that we do not recommend adding other include statements after the Macro. The Valimail SPF Macro alone should take care of all SPF authentication checks, however, this is an exception and should be treated accordingly.

If your issue does not match the above, please contact Valimail Support and we will provide another solution to your problem.

Did this answer your question?