How to Fix SPF Softfail Domain Does Not Designate IP as Permitted Sender

SPF SPF Softfail

When analyzing email headers for unauthenticated emails in mailbox service providers like Gmail, you can run into error messages that look like below from time to time:

Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate some IP address as permitted sender)

Such an SPF softfail domain does not designate IP as permitted sender error message indicates that the email sender's IP address was not included in the SPF record on the sender domain, hence SPF failed.

When this happens, and if DKIM also fails, it will ultimately cause DMARC to fail, which negatively impacts email deliverability. Therefore, the domain administrator should take measures to fix it.

How to fix SPF softfail domain does not designate IP as permitted sender

Fortunately, this issue is relatively straightforward to fix. Simply add your sending IP addresses to the SPF record on your email domain and this error message will disappear.

For example, if you are sending a message as [email protected] from a host with the IP address 12.34.56.78, you need to add that IP address with the ip4 mechanism to the SPF record on acmecorp.com, so that the record looks like:

v=spf1 ip4:12.34.56.78 -all

This way, all outbound emails sent on behalf of acmecorp.com (including [email protected]) from the host will pass SPF authentication.

If you need to add multiple IP addresses, you can use multiple ip4 mechanisms:

v=spf1 ip4:12.34.56.78 ip4:78.56.34.12 -all

If you are using an external email delivery service like Mailgun, you can use the include mechanism to "include" all of their hosts in your SPF record:

v=spf1 include:mailgun.org -all

This way, emails sent from any Mailgun hosts on behalf of acmecorp.com will pass SPF authentication.

You can also use other mechanisms available in SPF such as a, mx, etc., to define your IP address list. For more information, refer to: How to Set Up Sender Policy Framework (SPF): the Complete Guide.

Indirect mailflows

SPF can break in an indirect mailflow where forwarding occurs, as the intermediate server's IP address is different than the originating server's, and the former might not be designated as a permitted sender.

The good news is that, unlike SPF, DKIM results survive forwarding provided that email subject and content are not altered. Therefore, setting up DKIM as well is recommended to improve email authentication success rates.

Previous Post Next Post

 Protect Business Email & Improve Email Deliverability

Get a 14 day trial. No credit card required.

Create Account