SPF Soft Fail — Everything about SPF Failures

GlockApps (G-Lock Software)
3 min readOct 14, 2021


SPF is an important form of email authentication that reduces the number of spammers that succeed on the web. Thus, there are many factors that can cause your SPF records to fail to cause SPF soft fails, SPF hard fails, and other SPF failures.

Read this article to learn more about SPF, SPF failures, how to avoid them, and how SPF authentication affects DMARC.

What is SPF?

SPF or Sender Policy Framework has helped protect millions of domains against spoofing and prevents legitimate outgoing email messages from being marked as spam. Sender Policy Framework, along with DKIM, DMARC, and BIMI make up the building blocks of email authentication.

SPF, or Sender Policy Framework, is a type of email authentication protocol that defines which mail servers and applications, are allowed to send from your domain.

You can think of your domain as a new car. Before you take your car out on the road, you need to make sure you have a valid insurance policy that covers everyone who drives.

How Does SPF work?

SPF is a TXT record that is published within the DNS settings of your domain hosting provider.

Every time you send an email, you must go through your recipient’s spam filters and firewalls. This is similar to going through a police checkpoint. The police will first check your DNS settings to see if you have a valid SPF record (or insurance). If you do, they’ll determine whether or not you’re allowed to drive the vehicle based on your insurance policy and whether you’re listed as an authorized driver.

When a sender sends an email message, their mail server will perform a DNS lookup on the From address of the message to find out if the IP address or email service provider is allowed to send mail for that domain. If the IP address is listed as a valid sender within your SPF policy, SPF will pass.

If the sender’s IP address is not listed within your SPF record then your SPF authentication fails and your email is less likely to reach its destination. Many internet service providers (ISPs) may blacklist any IP addresses where SPF fails too often in order to prevent email spoofing and unauthorized IPs from abusing that domain’s reputation.

What does an SPF Failure Mean?

Authenticating your email is easy enough when everything is in place and SPF passes. However, it gets a bit tricky when SPF authentication fails, as it may be due to a number of reasons.

SPF failure occurs when:

  • multiple SPF records were found on the domain
  • unable to resolve the domain name in the DNS
  • the number of DNS lookups involved in a single SPF check exceeds 10
  • the number of void lookups involved in a single SPF check exceeds 2
  • unable to find the SPF record on the domain
  • the SPF record is not syntactically correct
  • the IP address is not on the list specified in the SPF record

If all of the above is true, one of the following SPF authentication responses is sent back and then passed on to DMARC:

  • none
  • neutral
  • SPF soft fail
  • fail, or SPF hard fail;
  • temperror, or temporary error
  • permerror, or permanent error

What is the difference between an SPF soft fail and an SPF hard fail?

The main difference between the two is pretty simple. Is it on your SPF record?

With an SPF hard fail, if mail is being sent from another server that’s not the IP in the SPF record, the receiving server will discard it and fail SPF.

With an SPF soft fail, this will get tagged as spam or suspicious.

Read the full story at GlockApps blog.



GlockApps (G-Lock Software)

Email marketing & email deliverability tips and best practices. Are your emails getting into your customers Inbox? Find out now! https://glockapps.com