This article contains FAQs regarding the SPF record in general and Valimail's SPF Macro in particular.

If I point SPF to Valimail, will that cause mail delivery problems?


Pointing SPF to Valimail is perfectly safe and it will not cause any deliverability issues if your domain is at DMARC policy p=None.

Pointing SPF to Valimail does not change what your domain's SPF record authorizes; the action means two things:


1. You will be transferring management of the SPF from your DNS to the Valimail platform.

2. It will allow you to use Valimail's patented SPF Macro technology, with which you can have as many approved and configured services as you want for your domain without ever having to worry about the 10 SPF lookup limit again.


Related articles:

Why it's safe to point SPF/DKIM/DMARC to Valimail 

Pointing an SPF record to Valimail




I pointed SPF to Valimail, but it's not reflecting that in the platform. Why is that?


This can happen for several reasons:


1. If you set the TTL higher than the 300 seconds recommended in the instructions, the DNS change will take longer to finish propagating through the internet. You can confirm that the change has propagated by querying your domain for the SPF (TXT) record with a dig tool such as https://toolbox.googleapps.com/apps/dig/

2. The SPF pointer record was added before the previous v=spf1 record in your DNS was removed. To point SPF to Valimail properly, you first need to remove from your DNS every TXT record containing v=spf1.

After that is done, create a TXT record named for your domain with this value: v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all

3. The SPF pointer record was published or added incorrectly. Modify the SPF TXT record in your DNS so that it contains only this value: v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all

4. One or more other include mechanisms were added before the Macro include in your SPF pointer record.

Modify the SPF TXT record in your DNS so that it contains only this value: v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all


Related articles: 

Pointing an SPF record to Valimail

Valimail SPF Records





What are Custom Directives for?


We do not recommend that you use the Custom Directives in the platform, because they usually cause more problems than they solve.

SPF authorization should be managed through the Enabled Senders list and the Netblocks list; adding a service or IP there is all that is needed to whitelist that service/IP in your SPF record.

In general, the Custom Directives allow the inclusion of "custom" SPF terms through the Macro. The downside is that the directive is added to every response, so if a response is already close to the 10 DNS lookup limit, the extra terms could cause the response to fail.

We have often found that when people think they need to use it, it is because they do not know what the correct SPF entry for a particular sender is.

If you find yourself in this situation, reach out to Valimail Support and we will help. We can either help you identify the sender in question or, if it is a new sender, help add it to the system (to the Enabled Senders list).





I added a service/IP to the Enabled Senders/Netblocks list and the emails are still failing. Why is that?


Adding a sending service or IP to your SPF in the platform does not by itself guarantee that email from it will pass DMARC with SPF for your domain.

That only takes care of half the problem: whitelisting that service/IP for your domain. If those emails are not sent in SPF alignment with your domain, they will still not pass DMARC.

Once you have added the respective service/IP to your domain's configuration in the platform, contact your service administrator (the person or team in your organization that set up that service to send email on behalf of this domain) and let them know they need to turn on SPF alignment for your domain in the service's admin console. That enables those emails to be sent in SPF alignment with your domain and thus pass DMARC with SPF.


Related articles:

DMARC Alignment

DKIM and SPF alignment




How does the Valimail SPF Macro actually work?


Pointing SPF to Valimail allows you to leverage our patented instant SPF technology, which is why this step is an important part of the onboarding process.

Through our patented instant SPF technology, we leverage macros from the SPF specification (listed below). When the receiver's gateway queries the record, the macros fill in the details of that specific message, so that whatever service you say you use is automatically authorized for SPF once we add it to the Enabled Senders list. That is why we need to make sure the Enabled Senders list represents only what you officially use.


The Macros that Valimail uses are as follows:


%{i} - The IP address of the server that sent the email

%{h} - The EHLO/PTR name of the server that sent the email

%{d} - The Mail From domain


Therefore, when an email receiver sees this record, it recognizes the SPF macros and substitutes the correct values for the message being checked. In doing so, our response is built just for that sending service/specific IP.

So if an email comes from M365, for example, we do not respond with your whole SPF record containing all your services, as a regular DNS host would; we respond only with the specific SPF include for M365.

This instant, targeted response is what the SPF Macro brings to the table and what sets it apart from the way DNS hosts answer these queries. It allows the SPF Macro to act as an umbrella under which you can have as many services and IPs as you want, without ever having to worry about the 10 SPF lookup limit again.
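As an added illustration (not Valimail's code), the following Python expands the pointer record quoted above the way an RFC 7208 checker fills in macros for one inbound message: %{i} becomes the connecting IP (IPv6 is written as 32 dot-separated nibbles), %{h} the HELO/EHLO name, %{d} the MAIL FROM domain. It also handles the digit and reverse transformers from the specification, which this record does not use; the IP, host name and address are constructed samples, and the resulting name under _spf.vali.email is not actually looked up.

```python
import ipaddress
import re

# The pointer record quoted in this article; sample inputs below are constructed.
POINTER_RECORD = "v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"

# RFC 7208 section 7.1 macro syntax: %{<letter><digits>?<r>?<delimiters>?}
MACRO_RE = re.compile(r"%\{([a-z])(\d*)(r?)([.\-+,/_=]*)\}")


def format_ip(ip):
    """%{i}: IPv4 stays dotted-decimal; IPv6 becomes 32 dot-separated hex nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand_macros(record, client_ip, helo, mailfrom):
    """Expand the macros a receiver fills in while checking `mailfrom` for the
    message delivered by `client_ip`, which announced itself with `helo`."""
    local, _, domain = mailfrom.rpartition("@")
    values = {
        "i": format_ip(client_ip),  # IP of the server that sent the email
        "h": helo,                  # HELO/EHLO name that server presented
        "d": domain,                # MAIL FROM domain being checked
        "s": mailfrom,              # full MAIL FROM address
        "l": local,                 # local part of MAIL FROM
        "o": domain,                # domain part of MAIL FROM
    }

    def substitute(match):
        letter, digits, reverse, delims = match.groups()
        if letter not in values:
            raise ValueError(f"macro %{{{letter}}} is not supported here")
        # Split on the requested delimiters (default "."), optionally reverse,
        # keep only the rightmost <digits> labels, then rejoin with ".".
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(substitute, record)


if __name__ == "__main__":
    # Constructed sample: the name a receiver would end up querying for one message.
    print(expand_macros(POINTER_RECORD, "203.0.113.10", "mail.example.net", "sales@example.com"))
```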


Related article:

Video guide to querying SPF Macros




I noticed that some services we use are missing from your Enabled Senders list. Is it safe to point SPF to Valimail now?


We typically do not mirror your existing SPF record directly, nor do we encourage this as a practice.

Our SPF approach is service based, which translates into a targeted and instant SPF response. There are several reasons for this:


1. There are many smaller services that might be using bigger ones under the hood for SPF configuration.


2. You could have deprecated services and IPs in your current SPF record and the Enabled Senders list must only represent the services/IPs you are currently using.


3. Sometimes vendors can give out incorrect info and you do not want to mirror something that is not directly approved by you.


With that said, you can confidently point SPF to Valimail, as configuration work such as adding new services and/or Netblocks can be performed afterwards as well. This will not cause any email deliverability problems for you, because you are not enforcing DMARC at present: your DMARC record is at p=None.


Related article:

I can't find a sender in the email service provider configuration list




I have enabled that service in the SPF on my domain. Why do I see emails from it that are passing with DMARC Override?


When the Override policy is applied to an email, that email is not considered to pass DMARC unless it passes with either SPF or DKIM. The Override policy is applied by the receiver, which chooses to disregard your DMARC policy for that email and deliver it anyway, even though it might not be properly authenticated.


When using DMARC reporting, you may encounter policy overrides, especially if your emails are delivered to a large and varied set of recipients. Essentially, a DMARC policy override occurs when an email receiver decides to override the policy you have specified in your DMARC record.


Typically, when a receiver's email gateway chooses to accept an email and apply a DMARC Override regardless of the sender's DMARC policy, it does so because it trusts the source of that email.

For example, a policy override could happen when you have a DMARC policy of reject (p=reject) and your outbound email goes through a mailing list, which breaks both SPF and DKIM. In this instance, DMARC will fail; however, the receiver may decide to override your policy and accept the email because they know and trust the source.


In conclusion, a DMARC Override does not necessarily mean that the email is DMARC authenticated; it means the receiver chose to ignore the failure. You still need to check the email header and make sure the email passes SPF and/or DKIM.


Related articles:

What is DMARC Override?




My SPF record has the hardfail enabled. Why is Valimail's SPF record ending with a softfail? How will this affect our SPF response?


Every SPF record includes the “all” mechanism, which serves as a default match for anything not listed in the SPF record. The “all” mechanism is expressed with one of the following qualifiers, each of which causes the evaluation result shown:


  "+" pass

  "-" fail

  "~" softfail

  "?" neutral


For example, a domain that includes “+all” in its SPF record will always receive an SPF result of pass for every message, regardless of whether or not it was actually sent by or on behalf of the domain.


According to RFC 7208, the SPF specification, a “fail” result (often called a “hard fail”) means that the domain is explicitly saying that the host is not authorized to send mail using this domain, while a “softfail” is a weaker statement saying only that the host is probably not authorized. The two can be treated differently by receiving domains, especially older mail systems; a “hardfail” result sometimes means immediate rejection of the message, while a “softfail” rarely causes a bounce by itself (although it can contribute to a decision to deliver the message to a spam folder or reject it outright). 


The recommendation from the Email Authentication Best Practices document is that when a receiving domain is doing the DMARC validation, a DMARC pass should override any SPF “fail” except in the specific case where a domain’s SPF record indicates that it sends no mail (“v=spf1 -all”). The recommendation means that no message should be rejected due solely to SPF hardfail, but unfortunately, not all domains follow this best practice. This means that use of the “-all” mechanism puts a domain’s legitimate mail at higher risk of rejection than does “~all”, and so Valimail recommends that all of its customers use “~all” in their SPF records in order to ensure that each valid message is given the full opportunity to receive a DMARC pass verdict.


Related article:

Why Valimail Uses an SPF Soft Fail and Not a Hard Fail




In what instance would we add a Netblock to the list?


Normally, there are two scenarios in which you need to add an IP to the Netblocks section of your domain:


1. If you have an internal IP that sends email on behalf of your domain, you need to add it to your Netblocks and make sure the emails sent from that IP are sent in SPF alignment with your domain.

2. If you use only 2 IPs from a certain service, for example, it is advisable to add just those 2 specific IPs to the Netblocks section instead of adding the entire service to your Enabled Senders list; the reason is that you do not want to authorize additional IPs of that service that should not be authorized.


Related article:

What are Internal Sources?




How can I tell if an email is passing SPF?


The best and simplest way to see if an email is passing SPF for your domain is to check a certain detail in the full email header.

You will need to look in the full email header for the Authentication-Results section and check whether the visible header.from domain is aligned with the smtp.mailfrom domain (return path/envelope from). In your case, they both need to be your domain (the domain the email is sent on behalf of).

If those two are aligned (and SPF itself passes), the email is SPF aligned and will pass DMARC with SPF.


Example:


1. If an email is sent with a From address of sales@example.com and the Return-Path is mail.example.com, the email is considered SPF aligned (both share the organizational domain example.com).

2. If an email is sent with a From address of sales@example.com and the Return-Path is mail.acme.com, the email is not SPF aligned.
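As an added example (not from the original article), this Python applies the check described above to constructed headers: it reads the spf= result and smtp.mailfrom out of Authentication-Results, takes the domain of the visible From, and reports whether SPF can contribute a DMARC pass, in relaxed or strict alignment. The organizational-domain helper is an assumption that uses the last two labels; a real DMARC evaluator consults the Public Suffix List.

```python
import re
from email.utils import parseaddr

# Constructed headers mirroring the two cases in the article (not from a real message).
ALIGNED = {
    "From": "Sales <sales@example.com>",
    "Authentication-Results": "mx.receiver.test; spf=pass smtp.mailfrom=bounces@mail.example.com",
}
MISALIGNED = {
    "From": "Sales <sales@example.com>",
    "Authentication-Results": "mx.receiver.test; spf=pass smtp.mailfrom=bounces@mail.acme.com",
}


def org_domain(domain):
    """Organizational domain. Assumption: the last two labels. Real evaluators
    consult the Public Suffix List so that names like example.co.uk work."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def domain_of(address):
    """Domain part of an address, tolerating display names and angle brackets."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def spf_result(auth_results):
    """Return (spf result, smtp.mailfrom domain) from an Authentication-Results header."""
    result = re.search(r"\bspf=(\w+)", auth_results)
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth_results)
    return (result.group(1) if result else None,
            domain_of(mailfrom.group(1)) if mailfrom else None)


def dmarc_spf_pass(headers, strict=False):
    """SPF only yields a DMARC pass when spf=pass AND header.from aligns with
    smtp.mailfrom: same organizational domain (relaxed) or identical (strict)."""
    result, mailfrom_domain = spf_result(headers["Authentication-Results"])
    from_domain = domain_of(headers["From"])
    if result != "pass" or not mailfrom_domain:
        return False
    if strict:
        return from_domain == mailfrom_domain
    return org_domain(from_domain) == org_domain(mailfrom_domain)
```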


Related article:

DMARC Alignment




What happens if we stop pointing SPF to Valimail?


If your domain stops pointing SPF to Valimail, the SPF for that domain can no longer be managed from the platform.

Additionally, the Valimail SPF Macro will no longer respond to any SPF queries for that domain. If you stop pointing SPF to Valimail, you will need to create an SPF record in your DNS for that domain that includes all the services and IPs you had added in the Valimail configuration, to avoid email deliverability issues if your DMARC policy is at Enforcement.


Please note that if you have more than 10 services and/or Netblocks in your Valimail configuration, going back to managing SPF from your DNS will run into the 10 SPF lookup limit that applies to any DNS host, so your SPF record will need flattening and adjustment to ensure proper responses for all the sending services.


If you plan to continue managing SPF through the Valimail platform, stopping the SPF pointing is not advisable, primarily because of the adverse effects and possible issues mentioned above.





What is SPF flattening?


It is very common for organizations, when constructing or modifying their SPF record, to run up against the 10 DNS lookup limit. This limitation restricts the number of DNS lookups that can be performed when an SPF record is evaluated.


SPF records usually contain ‘include’ statements that refer to other domains' SPF records to list servers that are allowed to send on behalf of the organization’s domain. Any terms listed after the 10th lookup is reached are not evaluated. This means that although you have listed something in your SPF record, it may not be evaluated, causing legitimate services to fail authentication via SPF.
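To make the limit concrete, here is an added Python example (not Valimail's code) that walks an SPF record the way RFC 7208 section 4.6.4 counts lookups: include, a, mx, ptr and exists mechanisms and the redirect modifier each cost one, nested includes are followed in evaluation order, and ip4/ip6/all cost nothing. The zone data is a constructed in-memory stand-in for DNS (the .test names are placeholders) and is built so that the third vendor include's own mechanisms only come up as lookups 11 and 12.

```python
import re

LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

# Constructed stand-in for DNS: domain -> SPF TXT record (all names are placeholders).
ZONE = {
    "example.com": "v=spf1 mx include:_spf.crm.test include:_spf.mail.test "
                   "include:_spf.helpdesk.test ip4:203.0.113.0/24 ~all",
    "_spf.crm.test": "v=spf1 include:_spf1.crm.test include:_spf2.crm.test ~all",
    "_spf1.crm.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf2.crm.test": "v=spf1 a mx -all",
    "_spf.mail.test": "v=spf1 include:_net1.mail.test include:_net2.mail.test ~all",
    "_net1.mail.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "_net2.mail.test": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.helpdesk.test": "v=spf1 a:out.helpdesk.test mx ~all",
}


def resolve(domain):
    """Look up a domain's SPF record in the constructed zone (real code queries TXT)."""
    return ZONE[domain]


def spf_lookups(domain, resolve=resolve, trail=None):
    """Enumerate lookup-costing terms in evaluation order, RFC 7208 4.6.4 style.
    Returns [(lookup_number, "domain: term"), ...] so the caller can see which
    terms only come up after the 10th lookup."""
    trail = [] if trail is None else trail
    for term in resolve(domain).split()[1:]:          # skip the v=spf1 tag
        name = re.match(r"[+\-~?]?([a-z0-9]+)", term).group(1)  # drop qualifier
        if name in LOOKUP_MECHANISMS or name == "redirect":
            trail.append((len(trail) + 1, f"{domain}: {term}"))
        if name == "include":                          # descend into the included record
            spf_lookups(term.split(":", 1)[1], resolve, trail)
        elif name == "redirect":
            spf_lookups(term.split("=", 1)[1], resolve, trail)
    return trail


def over_limit(domain, resolve=resolve):
    """Terms past the 10-lookup limit; RFC 7208 requires a permerror at that point."""
    return [term for n, term in spf_lookups(domain, resolve) if n > LOOKUP_LIMIT]
```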


Related article:

SPF Flattening




What are Forwarders?


Forwarded emails, in this context, are emails that are sent to one email address but then automatically forwarded to another email address. This is different from a recipient of an email manually forwarding this to someone else.


Some people see forwards as a big problem when looking at DMARC. Forwards are, however, a very small percentage of overall email, so this is not a large issue. There is also work underway in the standards bodies to address this (see ARC below). Valimail is following this closely, has contributed open source code, and is an editor on the proposed ARC standard.


The classic example of forwarding is as follows:


A person has an alumni email address from a school they attended, which they use as their 'public' email address (the address they tell people to email them at). In this case, however, the person has configured the alumni account to automatically forward all of these emails to their Gmail (or other) account.


Related articles:

Problems You May See Due to Forwarders and What To Do

What are Forwards?

Mailing Lists