Does Netlify handle SPF records for my domain?

Netlify does not provide email hosting services. Your SPF record must be configured where your domain's DNS is managed. If you're using Hover as your domain registrar and their name servers, your SPF record needs to be added as a TXT record in your Hover DNS settings.

What is the correct SPF record for Hover hosted email?

The common mistake is including include:hover.com in your SPF record, as this is for Hover's corporate email, not customer accounts. The correct include for Hover's hosted email is include:_spf.hostedemail.com . Including the wrong domain can also lead to exceeding the 10-DNS-lookup limit.

Can I have multiple SPF records for my domain?

If you have more than one SPF TXT record for your domain, it will cause SPF authentication to fail. You should consolidate all authorized sending sources into a single SPF record , adding all necessary include mechanisms to it.

How long does it take for SPF changes to take effect?

After updating your SPF record, DNS changes can take time to propagate across the internet. This typically ranges from a few minutes to several hours, but in some cases, it can take up to 48 hours. You can use online DNS lookup tools to check the current status of your SPF record.

What if my SPF still fails after making these changes?

If SPF continues to fail, review your DMARC reports for detailed feedback on authentication failures. Ensure your record is a TXT type and doesn't exceed the 10-DNS-lookup limit. Double-check that all legitimate sending sources are included in your SPF record, and consult your email service provider's documentation for their recommended SPF entry. Finally, ensure your DNS is being managed by the correct provider (Hover or Netlify) where you made the changes.

How do I fix an SPF fail when using Hover and Netlify? - Troubleshooting - Email deliverability - Knowledge base

Setting up SPF records can be tricky, especially when you're using a domain registrar like Hover for your DNS and a hosting platform like

Netlify for your website. A common issue that arises is when your SPF record unexpectedly fails authentication, even after seemingly following all the right steps. This can prevent your emails from reaching their intended inboxes, often leading them straight to the spam or junk folder.

SPF (Sender Policy Framework) is a crucial email authentication method that helps prevent email spoofing and phishing by verifying that a sending server is authorized to send emails on behalf of your domain. Without a properly configured SPF record, recipient mail servers may flag your legitimate emails as suspicious, negatively impacting your email deliverability and domain reputation.

This guide will walk you through the process of diagnosing and fixing SPF failures specifically when your domain is managed by Hover and your website is hosted on Netlify, ensuring your emails reach their recipients reliably.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

Understanding SPF and DNS with Hover and Netlify

Sender Policy Framework, or SPF, acts as a list of authorized sending IP addresses and domains. When an email server receives a message, it checks the sender's domain's SPF record to verify if the sending IP address is included in the authorized list. If it is, SPF passes. If not, it can result in a softfail or a fail, indicating a potential unauthorized sender.

It's important to understand the distinct roles of Hover and Netlify in this context. Netlify is primarily a web hosting platform, responsible for serving your website files. It does not provide email services. Therefore, your email deliverability settings, including SPF, are not managed directly on Netlify. Instead, these records reside where your domain's DNS is hosted. Since your domain is managed by Hover, their DNS settings are where you'll need to configure your SPF record. You can confirm this on Netlify's community forums, where it's stated that Netlify has nothing to do with SPF records.

Historically, there was a dedicated DNS record type for SPF. However, this record type has been deprecated. The current standard is to publish SPF records as TXT records in your DNS. If your SPF setup failed, one of the first things to check is whether you've created a TXT record, rather than an older, unsupported SPF record type.

SPF records are TXT records

Standard: SPF records should always be published as TXT records in your DNS.
Deprecated: The dedicated SPF record type (type 99) is no longer used by mail servers. Relying on it will cause authentication failures.

Common SPF configuration pitfalls

One of the most frequent causes of SPF failures, especially when using email hosting services like Hover, is an incorrectly formatted SPF record. The common mistake is including include:hover.com directly in your SPF record, along with include:_spf.hostedemail.com. The hover.com include is intended for Hover's corporate email, not for customer-hosted email. Including it unnecessarily bloats your SPF record with irrelevant lookups.

This leads to another critical issue: the 10-DNS-lookup limit for SPF records. An SPF record is allowed to have a maximum of 10 DNS lookups to validate the sending server. Each include, a, mx, and ptr mechanism in your SPF record counts as a lookup. If you exceed this limit, your SPF record will fail authentication, even if the content is otherwise correct. The hover.com include itself can consume multiple lookups, pushing you over the limit when combined with other legitimate includes. This is a common cause for SPF to exceed the DNS lookup limit.

SPF 10-DNS-lookup limit

Critical limit: An SPF record cannot have more than 10 DNS lookups. Exceeding this will cause SPF validation to fail.
Common culprits: Each include, a, mx, and ptr mechanism counts as one lookup. Some include statements can lead to further nested lookups, quickly reaching the limit.

Another common pitfall involves DNS management itself. When you use Netlify for hosting, you might have updated your domain's name servers to point to Netlify. If Netlify is now handling your DNS, you must ensure that all your email-related DNS records (like SPF, DKIM, and MX) are correctly migrated and configured within Netlify's DNS settings, not on Hover. If Hover is still managing your DNS, then your records need to be there. This confusion about where the active DNS is managed is a frequent source of intermittent email delivery failures.

Steps to fix your SPF fail

To correctly fix your SPF fail when using Hover and Netlify, the first step is to identify all legitimate email sending sources for your domain. This might include Hover's hosted email service, a marketing email platform, or any other service that sends email on your behalf. Each of these services will have its own SPF mechanism that needs to be included in your single, consolidated SPF TXT record. If you are exclusively using Hover's hosted email, the fix is straightforward.

Next, you will need to log into your Hover control panel, navigate to the DNS settings for your domain, and locate your existing SPF (TXT) record. You can find detailed instructions on Hover's support website for creating an SPF record. Carefully examine the record and remove any unnecessary includes, specifically include:hover.com. Your primary SPF mechanism for Hover's hosted email should be include:_spf.hostedemail.com.

Once you have the correct SPF record, update the existing TXT record or create a new one if it doesn't exist. Remember, you should only have one SPF TXT record per domain. Multiple SPF records can invalidate your configuration and lead to authentication failures. After making the changes, allow some time for DNS propagation. This can take anywhere from a few minutes to several hours, depending on your DNS provider and regional DNS caching. You can use an online DNS checker to verify that your updated record has propagated correctly.

Corrected SPF TXT record for Hover hosted emailDNS

v=spf1 include:_spf.hostedemail.com ~all

Incorrect SPF record

Record: v=spf1 include:_spf.hostedemail.com include:hover.com ~all
Problem: Includes unnecessary hover.com include, often pushing past the 10-lookup limit.

Correct SPF record

Record: v=spf1 include:_spf.hostedemail.com ~all
Solution: Includes only the necessary Hover hosted email SPF mechanism.

Advanced troubleshooting and monitoring

While SPF helps with basic authentication, for comprehensive email security and deliverability, you should also implement DKIM and DMARC. DMARC (Domain-based Message Authentication, Reporting & Conformance) leverages both SPF and DKIM to provide reporting on authentication failures and allows you to instruct recipient mail servers on how to handle emails that fail authentication (e.g., quarantine or reject them). This gives you visibility into any ongoing SPF failures.

Continuous monitoring of your email deliverability is key. Even after fixing your SPF record, issues can arise from other factors, such as being listed on an email blocklist (or blacklist). Tools for DMARC monitoring and blocklist checking can help you stay on top of your email performance and proactively address any new problems. Regularly checking your DMARC reports will provide insight into which SPF (or DKIM) records are passing and failing, helping you troubleshoot further.

Views from the trenches

Best practices

Always consolidate all your legitimate SPF mechanisms into a single TXT record for your domain.

Regularly review your DNS records, especially after changing email service providers or adding new sending sources.

Ensure your SPF record does not exceed the 10-DNS-lookup limit, as this causes authentication failures.

Utilize DMARC reporting to get granular feedback on SPF authentication results and identify issues.

Consult the official documentation of your email service provider for their recommended SPF configuration.

Common pitfalls

Creating multiple SPF TXT records for the same domain, which invalidates SPF entirely.

Including unnecessary SPF mechanisms, like corporate SPF records from your registrar (e.g., 'include:hover.com').

Failing to update DNS records at the correct DNS provider (Hover vs. Netlify, depending on name servers).

Overlooking SPF failures in DMARC reports, leading to ongoing deliverability issues.

Not accounting for all legitimate sending services when constructing your SPF record.

Expert tips

If you are using a third-party email service with Hover, ensure their specific SPF include is in your record.

For complex setups, consider an SPF flattening service to manage lookups under the 10-limit.

Implement DMARC with a 'p=none' policy initially to monitor SPF results without impacting delivery.

Always test your SPF record with an online validator after making changes to catch errors early.

Document all your DNS records for easier troubleshooting and future reference.

Expert view

Expert from Email Geeks says that SPF records are obsolete and that a TXT record with the same content is needed. They confirmed the user's domain had an SPF record but no TXT record.

2024-03-26 - Email Geeks

Expert view

Expert from Email Geeks says not to include 'hover.com' in the SPF record because it adds corporate includes that are unnecessary. The include for '_spf.hostedemail.com' should be sufficient for sending from their email system.

2024-03-26 - Email Geeks

Ensuring SPF success with Hover and Netlify

Fixing an SPF fail when using Hover and Netlify primarily involves correctly configuring your SPF TXT record at your domain's DNS provider, which is typically Hover in this scenario. The key is to avoid including include:hover.com and to ensure your record stays within the 10-DNS-lookup limit. By correctly specifying include:_spf.hostedemail.com and any other necessary email services, you can achieve a passing SPF authentication.

Maintaining accurate DNS records is fundamental to email deliverability. Always verify your DNS settings, confirm propagation, and use DMARC to monitor your authentication results. This proactive approach will help ensure your emails consistently reach their recipients, enhancing your communication and reputation.