Is there something wrong with my SPF record?
What should my SPF record say?
If you have complex requirements, the specifications for what an SPF record can contain allow you to be fairly creative, but the vast majority of users will generally need something very simple.
In most cases the published SPF record should say:
"Mail from this domain only ever comes from servers on this list. Everything else is forged."
By setting up a good SPF record you are taking a step to prevent forgery by criminals who might otherwise abuse your domain name.
Many SPF records are incorrectly formed.
Sometimes the record was perfectly correct when it was first deployed but has since been forgotten; changes in your email infrastructure (for example a change of email provider) then mean that it's no longer appropriate. The old record might well be telling the world,
"All the mail that I send is forged!"
Many receivers ignore your SPF record (perhaps they don't care about forgeries) and your mail isn't rejected by them.
The trouble then is that when you send mail to us, it is rejected, so you think it must be our problem. Unfortunately, it isn't our problem or we'd fix it.
Our systems Do The Right Thing.
If you have a problem it's up to you to get it fixed.
We can help, and we can tell you what the problem is (in terms that you will understand), but we don't have the authority to fix the problem for you unless you give it to us.
But nobody else says that anything's wrong!
People often say:
This flawed logic misses several points.
When you're talking about SPF, what matters is what is not delivered.
If you have a broken SPF record, some mail systems will ignore it. They will behave as if it does not exist. They usually won't tell anyone about this - not even the administrators of the systems which ignore the record.
If you have a broken SPF record, many mail systems will not notice unless the mail really is forged. For mail which is not forged these systems will behave as if the SPF record is valid, and produce a 'pass' result for the genuine mail. And (unless you happen to be in the throes of an attack at the time) since most of the mail claiming to be from your domain probably is genuinely from your domain, you just see a lot of 'pass' results and that gives you confidence that things are OK when they are not.
But these systems also will not reject mail forged to look like it came from you on the basis of a failed SPF test, because the broken record cannot be used for the checks.
Before our systems use your SPF record to check if it passes or fails your mail, they first check that the SPF record itself is valid. Usually, if your SPF record is broken, our systems will reject all mail from you.
Some systems don't work properly and even if they do check your SPF record, they ignore errors in it.
If you have a good SPF record, mail forged to look like it came from you will be refused only if the recipient checks your mail against your SPF record. But if the recipient doesn't check it, then they simply won't know if the mail is forged or not. They may rely on other ways of deciding whether or not to accept it, or they may just accept it.
Our systems never ignore your SPF record.
Our systems always test your SPF record.
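The kind of validity check described above can be sketched as follows. This is an added example, not this site's own code: it applies the RFC 7208 rules that a domain may publish only one `v=spf1` record and that every term must be a known mechanism or a well-formed modifier. It checks syntax only (no DNS lookups, no macro validation), and `SAMPLE_BROKEN` is a constructed record.

```python
import ipaddress
import re

# RFC 7208 mechanisms and whether each takes an argument after ":".
MECHANISMS = {"all": "none", "include": "required", "exists": "required",
              "ip4": "required", "ip6": "required",
              "a": "optional", "mx": "optional", "ptr": "optional"}
TERM = re.compile(r"^([+\-~?]?)([A-Za-z0-9_.-]*)(.*)$")
# Constructed sample: "ipv4" is a typo for "ip4", so the whole record is invalid.
SAMPLE_BROKEN = "v=spf1 ipv4:192.0.2.10 include:_spf.example.net -all"

def check_record(record):
    """Return a list of syntax errors in one SPF record (empty list = valid)."""
    terms = record.split(" ")
    if terms[0].lower() != "v=spf1":
        return ["record does not start with 'v=spf1'"]
    errors, seen = [], set()
    for term in filter(None, terms[1:]):
        qualifier, name, rest = TERM.match(term.lower()).groups()
        if rest.startswith("="):  # modifier such as redirect= or exp=
            if qualifier or not name or (name in ("redirect", "exp") and name in seen):
                errors.append(f"bad or repeated modifier {term!r}")
            seen.add(name)
            continue  # unknown modifiers are permitted and ignored
        kind = MECHANISMS.get(name)
        if kind is None:
            errors.append(f"unknown mechanism {term!r}")
        elif kind == "none" and rest:
            errors.append(f"'all' takes no argument: {term!r}")
        elif kind == "required" and not (rest.startswith(":") and rest[1:]):
            errors.append(f"{name} needs an argument: {term!r}")
        elif kind == "optional" and rest and rest[0] not in ":/":
            errors.append(f"malformed argument in {term!r}")
        elif name in ("ip4", "ip6"):
            try:
                if ipaddress.ip_network(rest[1:], strict=False).version != int(name[2]):
                    raise ValueError(term)
            except ValueError:
                errors.append(f"bad network in {term!r}")
    return errors

def spf_status(txt_records):
    """Classify a domain's TXT records: ('none' | 'permerror' | 'ok', errors)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "none", []
    if len(spf) > 1:
        return "permerror", ["more than one v=spf1 record published"]
    errors = check_record(spf[0])
    return ("permerror" if errors else "ok"), errors
```

A `permerror` result is the case where a strict receiver treats the record as broken, while a receiver that ignores errors behaves as if no record were published.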