DEV Community

getdmarcly

How to Fix SPF Softfail Domain Does Not Designate IP as Permitted Sender

When analyzing email headers for unauthenticated emails at mailbox service providers like Gmail, you can run into error messages like the one below from time to time:

Received-SPF: softfail (google.com: domain of transitioning account@domain.com does not designate some IP address as permitted sender)

An "SPF softfail: domain does not designate IP as permitted sender" message like this indicates that the email sender's IP address was not included in the SPF record on the sender domain, hence SPF failed.

When this happens, and if DKIM also fails, it will ultimately cause DMARC to fail, which negatively impacts email deliverability. Therefore, the domain administrator should take measures to fix it.

How to fix SPF softfail domain does not designate IP as permitted sender

Fortunately, this issue is relatively straightforward to fix. Simply add your sending IP address(es) to the SPF record on your email domain and this error message will disappear.

For example, if you are sending a message as bob@acmecorp.com from a host with the IP address 12.34.56.78, you need to add that IP address with the ip4 mechanism to the SPF record on acmecorp.com, so that the record looks like:

v=spf1 ip4:12.34.56.78 -all

This way, all outbound emails sent on behalf of acmecorp.com (including bob@acmecorp.com) from the host will pass SPF authentication.

If you need to add multiple IP addresses, you can use multiple ip4 mechanisms:

v=spf1 ip4:12.34.56.78 ip4:78.56.34.12 -all

If you are using an external email delivery service like Mailgun, you can use the include mechanism to "include" all of their hosts in your SPF record:

v=spf1 include:mailgun.org -all

This way, emails sent from any Mailgun hosts on behalf of acmecorp.com will pass SPF authentication.

You can also use other mechanisms available in SPF such as a, mx, etc., to define your IP address list. For more information, refer to: How to Set Up Sender Policy Framework (SPF): the Complete Guide.

Indirect mailflows

SPF can break in an indirect mailflow where forwarding occurs, because the intermediate server's IP address is different from the originating server's, and the former might not be designated as a permitted sender.

The good news is that, unlike SPF, DKIM results survive forwarding provided that email subject and content are not altered. Therefore, setting up DKIM as well is recommended to improve email authentication success rates.

Original post: How to Fix SPF Softfail Domain Does Not Designate IP as Permitted Sender
