Why are my SPF Pass Rates so low?

SPF is an important technology for email delivery. If your email is not SPF compliant, then it is highly unlikely that an Inbox Provider will deliver the email to the recipient’s inbox. Inbox Placement is key to getting your message heard and SPF compliance is key to making the Inbox. MxToolbox Delivery Center provides a comprehensive resource for understanding and managing SPF, DKIM and DMARC compliance, but there are a few things you need to know about SPF regardless of the tools you choose.

SPF Compliance

To be SPF Compliant, an email must be SPF Authenticated and SPF Aligned. The standard provides a strict compliance that also allows a domain to designate 3rd parties as valid senders.

SPF Authentication

An email is considered SPF Authenticated when the email originates from an SMTP server on an IP address that is contained in the sending domain’s SPF records.  This enables a business to designate a 3rd party emailer as a valid sender of email.  

SPF Alignment

SPF uses the header of the email to determine Alignment. An email is considered SPF Aligned when the domain in the “From:” address of the email matches the domain in the Return-Path field of the header, or matches a domain that is Authenticated with the valid list of senders in the SPF record.

MxToolbox SPF Pass Rates

MxToolbox has two metrics useful for understanding SPF Compliance: SPF Authentication Rates for Aligned Domains and SPF Pass Rates for Verified Sources.  These metrics enable you to report upon and analyze your email providers for areas to improve upon.

SPF Authentication Rates for Aligned Domains

As part of our SPF management processes, MxToolbox Delivery Center gathers a list of valid return path domains and subdomains and analyzes the amount of email from these SPF Aligned domains that is properly SPF Authenticated.   Email that is Aligned but not properly Authenticated indicates that one or more email senders are missing from your SPF records, or that your SPF records are too large and violate SPF include rules.  You will need to add the missing senders to your SPF record or use an SPF Flattening tool.

SPF Pass Rates for Verified Sources

As part of MxToolbox Delivery Center, we automatically detect the sources that are sending email on behalf of your domain. These include your own servers, your corporate Inbox Provider, 3rd party marketing tools, CRMs, etc.  Verified Sources should be in your SPF records, meaning they should be Authenticated. 

Our second analysis looks at the SPF Alignment rates for each of these Authenticated senders – the SPF Pass Rate.  A low SPF Pass Rate for a sender indicates that the sender’s “From” and “Return-Path” domains are not the same or not contained in your SPF record.  Unknown sources that arise from this analysis could be threats to your brand or rogue senders that need to be added to your SPF records.

There are potentially several reasons for low SPF Pass Rates for Verified Sources:

  • Spoofing – A malicious actor is trying to use your domain to legitimize their spam or malware.
  • Forwarding – Many people use inbox forwarding or mailing lists to manage email distribution or aggregate email. Forwarded email will change the return-path, breaking SPF Alignment.
  • Missing Senders – Someone may have legitimately contracted with a 3rd party emailer and failed to add the full or correct entry to the SPF record. The sender could be SPF Aligned, but not Authenticated.

To fully understand why your SPF Pass Rate for a Verified Source is low, you need to investigate the largest sources of misaligned email, SPF Unaligned Domains. Typically, you will see benign domains like gmail.com, googlemail.com, and other subdomains of legitimate senders. Occasionally, you’ll see large volumes from other sources, which could be benign or fraudulent. Investigating these can improve your email delivery.
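
The Authenticated and Aligned checks described above, combined into a per-message classification and a pass rate. This is an added example, not MxToolbox code: the SPF records, IP addresses and messages are constructed, the function names are hypothetical, and only ip4/ip6 terms are evaluated.

```python
import ipaddress
from email.utils import parseaddr

# Constructed SPF TXT records. A real check queries DNS and also resolves
# include:, a, mx and redirect= terms, which this example leaves out.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "lists.example.net": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Constructed messages: (connecting IP, Return-Path, From header).
SAMPLE = [
    ("192.0.2.10", "bounce@example.com", "News <news@example.com>"),
    ("203.0.113.7", "list-bounces@lists.example.net", "Alice <alice@example.com>"),
    ("198.51.100.99", "crm@example.com", "sales@example.com"),
    ("198.51.100.200", "x@unknown.example.org", "ceo@example.com"),
]

def domain_of(address):
    """Lower-cased domain part of an address such as 'Name <a@b.c>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def spf_authenticated(ip, domain):
    """True if ip is inside a pass-qualified ip4:/ip6: term of domain's record."""
    addr = ipaddress.ip_address(ip)
    for term in SPF_RECORDS.get(domain, "").split()[1:]:
        mech, _, value = term.partition(":")
        if mech.lstrip("+") in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return True
    return False

def classify(ip, return_path, from_header):
    """Bucket one message using the page's Authenticated/Aligned definitions."""
    rp, frm = domain_of(return_path), domain_of(from_header)
    authenticated = spf_authenticated(ip, rp)  # SPF is checked on the Return-Path domain
    aligned = rp == frm                        # exact match, as the page defines it
    if authenticated and aligned:
        return "pass"
    if aligned:
        return "aligned-not-authenticated"     # e.g. sender missing from the SPF record
    if authenticated:
        return "authenticated-not-aligned"     # e.g. forwarding or mailing list
    return "unauthenticated-unaligned"         # unknown source, worth investigating

def pass_rate(messages):
    """Fraction of messages that are both Authenticated and Aligned."""
    return sum(classify(*m) == "pass" for m in messages) / len(messages)
```

Grouping the non-pass buckets by Return-Path domain gives the kind of SPF Unaligned Domains list discussed above.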

Do DMARC and email deliverability seem too complicated?

MxToolbox Experts are here with a Managed Services approach to your email configuration issues.