Troubleshoot SPF

From: https://support.google.com/a/answer/10685928? sjid=16475661690433716483-NC

Intro
Basic Troubleshooting SPF
Verify SPF Setup Correctly
Verifying Outgoing Msg Pass SPF Auth
Verify SPF Rcd Includes All Senders
Check Msg Fwding
Review Sending Practices
Adv Tshooting SPF
Get SPF Auth Rslts In Msg Hdrs
Check DNS Lookups In SPF Rcd
Get Detailed Insights With Google Tools



Troubleshoot SPF issues
Protect against spoofing & phishing, and help prevent messages from being
marked as spam

Follow the steps in this article if you set up SPF but messages sent from
your domains are still:
Failing SPF authentication
Rejected by receiving servers
Sent to recipients’ spam folders


Note: 
It can take up to 48 hours after adding an SPF record for SPF
authentication to start working.



Basic troubleshooting for SPF
Many SPF issues can be identified and resolved by following the steps in this
section.



Verify SPF is set up correctly
To verify your SPF record is set up correctly, review these setup steps:

Check if you have an existing SPF record
Define your SPF record
Add your SPF record at your domain provider
Make sure your domain has only one SPF record




Verify outgoing messages pass SPF authentication
Email message headers have the results of SPF authentication check. Check
that messages sent from your domain pass SPF authentication.

Recommended steps:
Check the headers in a message sent from your domain to learn if messages 
are passing SPF.
In Gmail, click Show original for a message, then check the SPF status in 
the original message. Learn more about checking message headers in Gmail. 
Enter message headers into Google Admin Toolbox Messageheader tool and check
the SPF status. 



Verify that your SPF record includes 
all current email senders

If your SPF record doesn’t include all services or servers that send mail
for your domain, receiving servers might send messages to spam.

Recommended steps:
Check the servers and services in your SPF record. Follow 
the steps in Check if you have an existing SPF record. Make sure all servers and
senders that currently send email for your domain are included in your SPF
record.
Update your SPF record with any new sender information. Follow the steps in
Define your SPF record. Then, add the updated SPF record to your domain by 
following the steps in Add your SPF record at your domain provider



Check message forwarding
Even if SPF is correctly set up for your domain, forwarded messages can fail
SPF. This is usually because of the way the forwarding server forwards messages.

Recommended steps:

To verify the message was forwarded and get the original recipient address,
get message details with Email Log Search. If the person reporting a message as
spam isn’t the original recipient, it’s likely the message was forwarded.
Contact the third party that forwarded the message to find out if they can
change how they forward messages.
Use the tools described in Advanced Troubleshooting to check for suspicious
email activity. Sometimes spammers forward messages to impersonate domains or 
organizations.



Review your email sending practices

If your domain has a valid SPF record and messages are still sent to spam, the
cause might be something other than SPF. 

Recommended steps:

Follow the guidelines for sending email to Gmail users, especially if you
send large volumes of mail.



Advanced troubleshooting for SPF
If basic troubleshooting steps did not identify the issue, try these advanced 
troubleshooting steps.



Get SPF authentication results in message headers
The headers of messages sent from your domain have information about SPF
authentication. To get the full headers of messages sent from your domain,
follow the steps in Trace an email with its full headers.

Find the part of the message header that starts with Authentication-Results, and
note the text next to the entry spf. Depending on the information in this part 
of the header, take the recommended steps below. 



Message header content 
Possible causes 
Recommended steps 

	No spf entry in 
	Authentication-Results
	 
	The message did not go 
	through an SPF check. Your SPF 
	record might not be set up 
	correctly.
	 Verify SPF is set up correctly.

	The spf entry includes best 
	guess record
	 
	Possible causes include:
SPF hasn’t been set up for 
your domain.
SPF isn’t set up correctly for 
your domain.
There’s an issue with the 
DNS at your domain provider.
		 
Verify SPF is set up correctly.
Check with your domain 
provider to rule out current 
issues with their DNS.

	The SPF result is neutral, softfail, or fail.
	 The SPF result is the text after spf=.Possible causes include:
The message is from a 
legitimate sender but the IP 
address of that sender isn’t
included in your SPF record.
The message was 
intentionally sent from an 
unverified IP address.
The message is from an 
unauthorized sender. In this 
case, the SPF results are
correct.
	  
Verify SPF is set up correctly.
Make sure your SPF record 
includes all current email
senders.

	
The SPF result is temperror or permerror
	 
The SPF result is the text after 
spf=. 
Possible causes include:
The message is from a 
legitimate sender but the IP 
address of the sender isn’t
included in your SPF record.
The message was 
intentionally sent from an 
unverified IP address.
The message is from an 
unauthorized sender. In this 
case, the SPF results are
accurate.
	 
Verify SPF is set up correctly.
 Check the DNS lookups in your SPF record.
Check with your domain 
provider to rule out current 
issues with their DNS.

 


Check the DNS lookups in your SPF record
SPF records support up to 10 lookups. So, your SPF TXT record can’t
include more than 10 references to other domains. Each of these mechanisms
in your SPF record results in a lookup: a, mx, include, ptr.

If your TXT record results in more than 10 lookups, messages from your
domain won’t pass SPF and could be sent to spam.

What are DNS lookups? When a mail server checks incoming messages against
your SPF record, the server might have to do a lookup. A lookup is the
process of finding the IP addresses for a domain. When your SPF record
authorizes domains to send mail for you, receiving servers check the IP
address for the authorized domain. 

Recommended steps:

Check the number of lookups in your SPF record with the Check MX tool in
the Google Admin Toolbox. 
Remove duplicate mechanisms, and mechanisms that refer to the same domain.
Be aware of nested lookups, which count toward the limit of 10. If your SPF
record includes a domain, and that domain includes other domains in its SPF
record, those other domains are counted toward your SPF record limit.
When using the include mechanism, keep in mind nested lookups might cause
your SPF record to exceed 10 lookups.
When using the ip4 and ip6 mechanisms, keep in mind that SPF records have a
255 character string limit.
Only include domains that are actively sending email for you.
Remove any include mechanisms for third parties that no longer send mail
for your domain.



Get detailed insights with Google 
Workspace reporting tools
To get detailed information about email delivery and authentication for your
domain, try these Google Workspace reporting tools.


Tool
Recommended steps

Email Log Search
To help you troubleshoot forwarding issues, get the original destination
address for inbound and outbound messages with Email Log Search (ELS) . ELS
includes the source IP address of incoming messages, so you can troubleshoot
SPF authentication issues. ELS also shows if messages received by users in
your domain are marked as spam.

Authentication report
Check which messages from your domain pass SPF, DKIM, and DMARC
authentication checks with the Authentication report.

Postmaster Tools
If you regularly send large volumes of email, get details about messages
sent by your domain with Postmaster Tools. This tool has information about
delivery errors, spam reports, and feedback loops.

Security investigation tool
Get the authentication status of incoming messages, and identify incoming
unauthenticated messages with the security investigation tool.

BigQuery and Gmail reports
Get the authentication status of incoming messages, detailed information
about individual messages, and delivery statistics over time with BigQuery
with Gmail reports.

Message header content	Possible causes	Recommended steps
No spf entry in Authentication-Results	The message did not go through an SPF check. Your SPF record might not be set up correctly.	Verify SPF is set up correctly.
The spf entry includes best guess record	Possible causes include: SPF hasn’t been set up for your domain. SPF isn’t set up correctly for your domain. There’s an issue with the DNS at your domain provider.	Verify SPF is set up correctly. Check with your domain provider to rule out current issues with their DNS.
The SPF result is neutral, softfail, or fail.	The SPF result is the text after spf=. Possible causes include: The message is from a legitimate sender but the IP address of that sender isn’t included in your SPF record. The message was intentionally sent from an unverified IP address. The message is from an unauthorized sender. In this case, the SPF results are correct.	Verify SPF is set up correctly. Make sure your SPF record includes all current email senders.
The SPF result is temperror or permerror	The SPF result is the text after spf=. Possible causes include: The message is from a legitimate sender but the IP address of the sender isn’t included in your SPF record. The message was intentionally sent from an unverified IP address. The message is from an unauthorized sender. In this case, the SPF results are accurate.	Verify SPF is set up correctly. Check the DNS lookups in your SPF record. Check with your domain provider to rule out current issues with their DNS.

Tool	Recommended steps
Email Log Search	To help you troubleshoot forwarding issues, get the original destination address for inbound and outbound messages with Email Log Search (ELS) . ELS includes the source IP address of incoming messages, so you can troubleshoot SPF authentication issues. ELS also shows if messages received by users in your domain are marked as spam.
Authentication report	Check which messages from your domain pass SPF, DKIM, and DMARC authentication checks with the Authentication report.
Postmaster Tools	If you regularly send large volumes of email, get details about messages sent by your domain with Postmaster Tools. This tool has information about delivery errors, spam reports, and feedback loops.
Security investigation tool	Get the authentication status of incoming messages, and identify incoming unauthenticated messages with the security investigation tool.
BigQuery and Gmail reports	Get the authentication status of incoming messages, detailed information about individual messages, and delivery statistics over time with BigQuery with Gmail reports.