Discovering an unexpected SPF domain or IP address sending email from your client's domain can be alarming, indicating potential spoofing or a misconfiguration. This scenario often leads to email deliverability issues, including messages being sent to spam folders or rejected entirely. Understanding the root cause is crucial for maintaining your client's sender reputation and ensuring their legitimate emails reach the inbox.
Key findings
Spoofing indication: An unfamiliar SPF domain or IP often suggests that someone is attempting to send emails pretending to be from your client's domain (email spoofing).
Authentication failures: Even if DKIM is properly configured by a recognized sender like Klaviyo (using a selector like kl), an SPF authentication failure on an unrecognized domain or IP means the message's origin cannot be validated by SPF.
Deliverability impact: Such failed authentications, especially SPF failures (even when DKIM passes), can significantly hurt email deliverability, causing emails to land in spam or be rejected. For more on this, see our guide on why emails go to spam.
DMARC policy effects: The impact of these failures on inbox placement largely depends on the DMARC policy (p=none, p=quarantine, or p=reject) set for your client's domain.
Key considerations
Verify legitimacy: Confirm with your client if the suspicious domain or IP is associated with any legitimate third-party senders or services they might be using (e.g., marketing platforms, transactional email services, or even auto-forwarding setups) which may require updating their SPF record.
Review SPF record: Carefully review your client's SPF record for any discrepancies or missing inclusions. Incorrectly configured SPF records are a common cause of such issues. MxToolbox provides a helpful SPF record checker that can assist with this analysis.
Implement DMARC: If not already in place, implementing DMARC with a policy stronger than p=none (e.g., p=quarantine or p=reject) is the most effective way to combat domain spoofing and ensure receiving servers know how to handle unauthenticated mail. Learn more about how to transition your DMARC policy.
Monitor DMARC reports: Even with a p=none policy, DMARC reports provide invaluable visibility into who is sending email purporting to be from your domain, whether authorized or not.
Email marketers often encounter SPF issues stemming from unfamiliar domains or IPs, raising concerns about potential spam or misconfigurations. Their primary focus tends to be on practical steps to diagnose the problem and immediate actions to protect their client's sending reputation and ensure deliverability.
Key opinions
Initial suspicion of spoofing: The first reaction to a strange SPF domain or IP is often that the domain is being spoofed. This is a common and valid concern. We have more on what to do if your domain is spoofed.
DMARC policy as a solution: Marketers frequently suggest tightening DMARC policies from p=none to p=quarantine or p=reject to address unauthorized sending, especially if compliance rates are high.
Limited direct action: Some marketers believe there's limited direct action one can take against spoofing beyond implementing strong authentication protocols, as receiving mail servers are often sophisticated enough to detect fraudulent emails regardless.
Key considerations
Using diagnostic tools: Leverage online SPF check tools (such as MxToolbox, mentioned in the forum thread) to understand the SPF record configuration and identify the problematic entry.
Checking DKIM alignment: Even if SPF is failing, checking the DKIM signature and domain can help identify if a known sender (like Klaviyo or SendGrid) is involved, potentially due to forwarding or specific email service provider configurations.
Client communication: It is essential to consult with the client to determine if the suspicious domain or IP is somehow connected to their legitimate operations or lead lists, as this could reveal an overlooked integration.
Understanding DMARC enforcement: While tightening a DMARC policy is a good step, marketers should be aware that not all receiving mail servers strictly enforce quarantine or reject policies. However, strong DMARC policies are still a critical defense against spoofing, as outlined in this Quora discussion on email spoofing.
Marketer view
Email marketer from Email Geeks observes an unusual SPF domain or IP attempting to send from their client's domain, noting it's a completely unfamiliar entry. They have observed numerous instances of this anomaly in their GlockApps reports, indicating a persistent issue that warrants investigation.
24 Nov 2021 - Email Geeks
Marketer view
Marketer from Spiceworks Community (Thread 1) reports that when a customer's or vendor's email bounces due to a misconfigured SPF, they typically highlight the cause and send that information to the affected party. This proactive approach helps resolve deliverability issues and maintain communication with external entities.
10 Apr 2017 - Spiceworks Community
What the experts say
Email deliverability experts highlight that SPF issues with unknown domains or IPs are strong indicators of attempted spoofing or complex forwarding scenarios. They emphasize the proactive role of DMARC in mitigating such threats and maintaining a strong sending reputation, stressing the importance of moving beyond a passive p=none policy.
Key opinions
Spoofing or forwarding issues: Experts often attribute unexpected SPF failures (especially when DKIM still aligns) to domain spoofing or to indirect auto-forwarding, which can also break DKIM signatures or surface SPF PermErrors.
Importance of DMARC policy: Experts strongly advocate for setting a DMARC policy stronger than p=none. A stricter policy (quarantine or reject) signals to receiving mail servers how to handle unauthenticated mail, helping to prevent abuse. This aligns with advice given on Word to the Wise regarding DMARC implementation.
Recipient server intelligence: While DMARC policies are crucial, experts acknowledge that recipient mail servers are sophisticated enough to detect and filter spam or spoofed emails even without a strict policy, often sending them to spam folders regardless.
Proactive policy setting: Mailbox providers prefer senders to set explicit DMARC policies. Failure to do so might compel them to enforce a policy on behalf of the sender if the domain is abused, underscoring the benefits of taking control of your DMARC configuration. Our article on the benefits of implementing DMARC provides further details.
Key considerations
Investigate DKIM: If DKIM is recognized (e.g., using a known selector like kl for Klaviyo) but SPF fails, investigate potential issues like auto-forwarding or specific ESP configurations that might be causing authentication breaks. This is often the first step in troubleshooting SPF/DMARC settings.
Review DMARC reports for anomalies: Regularly analyze DMARC reports (even at p=none) to identify unauthorized sending sources and ensure all legitimate senders are properly authenticated before moving to stricter DMARC policies. Our guide on troubleshooting SPF and DMARC settings can assist.
Progressive DMARC adoption: Transition DMARC policies gradually (e.g., from p=none to p=quarantine, then p=reject) while continuously monitoring reports. This phased approach minimizes the risk of inadvertently blocking legitimate email. Spam Resource often provides insights into best practices for DMARC deployment.
Expert view
Expert from Email Geeks suggests checking if the DKIM signature is being signed by your client's domain or its selector. This is a fundamental diagnostic step for understanding which authentication mechanisms are active and if they are aligned with the sending domain, even if SPF is failing.
24 Nov 2021 - Email Geeks
Expert view
Expert from Word to the Wise explains that email administrators should ideally configure DMARC to a policy stronger than p=none. Implementing policies like p=quarantine or p=reject provides clear instructions to recipient servers on how to handle unauthenticated mail, thereby strengthening domain protection against spoofing.
10 Mar 2023 - Word to the Wise
What the documentation says
Official documentation and technical guides provide the foundational understanding for SPF, DKIM, and DMARC. They outline the mechanisms by which email authentication works, the types of failures that can occur, and the proper configuration steps necessary to prevent spoofing and ensure legitimate emails are delivered. Adherence to these standards is paramount for email deliverability.
Key findings
SPF validation: SPF (Sender Policy Framework) is designed to prevent sender address forgery by allowing domain owners to specify which IP addresses are authorized to send mail on their behalf. An SPF failure means the sending IP is not authorized.
DMARC for policy enforcement: DMARC (Domain-based Message Authentication, Reporting, and Conformance) leverages SPF and DKIM to provide domain owners with the ability to instruct receiving mail servers on how to handle emails that fail authentication. This includes reporting, quarantining, or rejecting such messages.
Authentication alignment: For DMARC to pass, either SPF or DKIM must align with the From header domain. If an unexpected SPF domain causes a failure, it implies a lack of alignment for that specific flow, even if DKIM is otherwise valid.
Spoofing detection: Receiving mail servers utilize SPF and DKIM authentication to detect email spoofing. If these checks fail, especially for a domain that is typically well-authenticated, it signals a potential fraudulent attempt. More details on SPF records can be found in this Mailgun article.
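The two points above about reviewing DMARC reports and about DMARC alignment can be worked through on an aggregate (RUA) report. The following is an added example, not code from this page or from any of the vendors it cites; the report XML is constructed for the demo, and relaxed alignment is simplified to a same-domain-or-subdomain check (a real implementation would use a public-suffix list to find the organizational domain). It separates the sources that pass only through an aligned DKIM signature (the Klaviyo-signed, SPF-failing case described above) from sources that fail both checks.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (RUA) report in the RFC 7489 XML shape; not a real report.
RUA_XML = """<feedback>
 <policy_published><domain>client.example</domain><p>none</p></policy_published>
 <record><row><source_ip>198.51.100.7</source_ip><count>120</count></row>
  <identifiers><header_from>client.example</header_from></identifiers>
  <auth_results><dkim><domain>client.example</domain><selector>kl</selector><result>pass</result></dkim>
   <spf><domain>client.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.9</source_ip><count>35</count></row>
  <identifiers><header_from>client.example</header_from></identifiers>
  <auth_results><dkim><domain>client.example</domain><selector>kl</selector><result>pass</result></dkim>
   <spf><domain>unknown-host.example</domain><result>fail</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.200</source_ip><count>900</count></row>
  <identifiers><header_from>client.example</header_from></identifiers>
  <auth_results><spf><domain>client.example</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def aligned(auth_domain, header_from):
    """Relaxed alignment, simplified: equal, or one is a subdomain of the other (no public-suffix list)."""
    a, h = (auth_domain or "").lower(), header_from.lower()
    return a == h or a.endswith("." + h) or h.endswith("." + a)

def passes(rec, mech, header_from):
    """True if some <dkim> or <spf> result in the record is 'pass' AND its domain aligns with From."""
    return any(r.findtext("result") == "pass" and aligned(r.findtext("domain"), header_from)
               for r in rec.findall(f"auth_results/{mech}"))

def triage(xml_text):
    """One row per source IP: DMARC verdict plus the diagnosis the text above describes."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p") or "none"
    rows = []
    for rec in root.findall("record"):
        hdr = rec.findtext("identifiers/header_from")
        dkim_ok, spf_ok = passes(rec, "dkim", hdr), passes(rec, "spf", hdr)
        if dkim_ok and spf_ok:
            note = "pass (SPF and DKIM aligned)"
        elif dkim_ok:  # the Klaviyo/forwarding case: DKIM carries DMARC, SPF does not
            note = "pass via DKIM only (SPF unaligned or failing: sender missing from SPF, or forwarded)"
        elif spf_ok:
            note = "pass via SPF only (DKIM missing or broken)"
        else:
            note = f"fail: unauthenticated source, p={policy} decides disposition"
        rows.append({"ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
                     "dmarc": "pass" if (dkim_ok or spf_ok) else "fail", "note": note})
    return rows
```

Sources in the "DKIM only" bucket are the ones to confirm with the client and add to SPF if legitimate; the "fail" bucket is what a move from p=none to p=quarantine or p=reject would start acting on.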
Key considerations
Correct SPF syntax: SPF records must adhere to specific syntaxes and rules. Errors in configuration can lead to false positives or negatives, impacting legitimate email delivery. Double-check for common mistakes like multiple SPF records or exceeding the 10-lookup limit.
Comprehensive SPF inclusion: Ensure that the SPF record includes all legitimate sending sources (ESPs, marketing platforms, transactional email services). If an authorized IP is missing, it will cause SPF authentication to fail for emails sent via that source.
Gradual DMARC policy deployment: When deploying or updating a DMARC policy, it is recommended to start with p=none to collect reports and identify all legitimate sending sources before moving to stricter policies like p=quarantine or p=reject. This phased approach helps prevent accidental blocking of valid emails, as discussed in Duocircle's guide on fixing SPF records.
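The SPF checks listed above (exactly one record, the 10-lookup limit, every legitimate source included) can be scripted. This is an added example and not code from this page, MxToolbox, Mailgun or DuoCircle; DNS is replaced by a constructed in-memory table so it runs offline, and "a"/"mx" terms are counted against the lookup limit but not resolved. It follows include/redirect chains the way RFC 7208 counts them and answers the practical question: is the unfamiliar source IP actually covered by the client's SPF?

```python
import ipaddress

# Constructed stand-in for DNS TXT answers so the check runs offline (not real records).
FAKE_DNS = {
    "client.example": ["v=spf1 include:_spf.esp.example ip4:203.0.113.0/24 mx -all"],
    "_spf.esp.example": ["v=spf1 ip4:198.51.100.0/24 include:_spf2.esp.example ~all"],
    "_spf2.esp.example": ["v=spf1 a ip4:192.0.2.10 -all"],
    "dup.example": ["v=spf1 ip4:192.0.2.0/24 -all", "v=spf1 include:_spf.esp.example +all"],
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")  # each costs a DNS lookup
MAX_LOOKUPS = 10  # RFC 7208 limit; exceeding it is a PermError

def spf_records(domain):
    return [r for r in FAKE_DNS.get(domain, []) if r.lower().startswith("v=spf1")]

def analyse(domain, counter=None):
    """Walk the SPF record of `domain`, following include/redirect.
    Returns (pass-qualified networks, DNS lookups used, list of problems)."""
    counter = counter if counter is not None else [0]
    nets, problems = [], []
    recs = spf_records(domain)
    if len(recs) != 1:  # zero or multiple SPF records both make evaluation fail (PermError)
        problems.append(f"{domain}: expected exactly one SPF record, found {len(recs)}")
        return nets, counter[0], problems
    for term in recs[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name, _, value = body.partition(":") if ":" in body else body.partition("=")
        if name in LOOKUP_TERMS:
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                problems.append(f"{domain}: more than {MAX_LOOKUPS} DNS lookups (PermError)")
                return nets, counter[0], problems
        if name in ("include", "redirect"):
            sub_nets, _, sub_problems = analyse(value, counter)
            nets += sub_nets
            problems += sub_problems
        elif name in ("ip4", "ip6") and qualifier == "+":  # only pass-qualified networks authorise
            nets.append(ipaddress.ip_network(value, strict=False))
        elif name == "all" and qualifier == "+":
            problems.append(f"{domain}: '+all' authorises any sender")
    return nets, counter[0], problems

def ip_authorised(domain, ip):
    """Does `domain`'s SPF (its pass-qualified ip4/ip6 terms) cover the suspicious source IP?"""
    nets, _, _ = analyse(domain)
    return any(ipaddress.ip_address(ip) in net for net in nets)
```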
Technical article
Mailgun documentation on SPF records states that SPF records provide an additional layer of security for a sending domain by authenticating the IP addresses associated with it. This mechanism essentially allows domain owners to declare which mail servers are permitted to send email on their behalf, thereby preventing unauthorized use of their domain for sending.
14 May 2023 - Mailgun
Technical article
DuoCircle documentation on SPF failures explains that SPF records come with specific syntaxes, rules, and limitations. If these are not followed, senders will encounter SPF record failures, which can lead to false positives (legitimate emails being marked as spam) or false negatives (spam passing through).