
SPF Record Cleanup Techniques
dmarcian has been involved in email authentication in one way or another for several decades, and we often see unnecessary content within an SPF record. Our tools and expert guidance aim to help users of all technical abilities to arrive at a concise SPF record that does not over-authenticate or contain syntax errors.
We’ve amassed an incredible amount of SPF knowledge and have created this resource to help you become aware of certain SPF references that can likely be safely removed. After reading a bit more about over-authenticating, skip ahead to the email source, e.g. SendGrid, AmazonSES, etc., for more specific guidance.
Common SPF Record Issues
Over-authenticating is when your organization authorizes unnecessary sources to send on your behalf. In the case of SPF, the most common occurrence of over-authenticating matches one of two conditions:
- When an organization no longer uses a particular third-party email sending source. For example, your organization used to send email over HubSpot, but you have since migrated to Adobe Marketo. Your team has done the work to onboard Marketo, but missed the step of removing HubSpot from your SPF record.
- SPF include statements are added to the wrong location in DNS. This is caused by either poor guidance from the third-party email sending source or a knowledge gap at your organization. Hands down, the most frequent case is when an include statement is placed at the domain’s organizational level (e.g., spfhelper.com). It is increasingly common that third parties require the use of a subdomain for SPF alignment (e.g., hello.spfhelper.com). Subdomain usage is a widely adopted best practice, which can help with deliverability in addition to keeping SPF lookup counts low, since each subdomain is allowed to have 10 of its own lookups.
Source-specific SPF Alignment Guidance
The entries below detail which third-party email sending sources support SPF alignment and whether or not a subdomain is required. This guide is not intended to be an exhaustive list of sources that support SPF alignment; rather, these are common sources that most often require the use of a subdomain for SPF alignment.
Active Campaign
Active Campaign always requires the use of a subdomain for SPF alignment. If you have the Active Campaign include statement (include:emsd1.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Active Campaign documentation for more information.
Adobe Marketo
Marketo always requires the use of a subdomain as well as a trusted IP in order to achieve SPF alignment. They refer to this part of their service as a “Branded Return-Path.” Depending on your plan level, a trusted IP (a dedicated IP) may be an extra charge. If you have the Marketo include statement (include:mktomail.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Marketo documentation for more information.
AmazonSES
AmazonSES always requires the use of a subdomain for SPF alignment. If you have the AmazonSES include statement (include:amazonses.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the optional 30-day view option on your account’s SPF Surveyor to ensure there is no aligned volume before removing it. See AmazonSES documentation for more information.
Bird, formerly SparkPost
SparkPost, now Bird, always requires the use of a subdomain for SPF alignment. They refer to this part of their service as a “custom bounce domain.” If you have either of the two SparkPost include statements (include:_spf.sparkpostmail.com or include:_spf.eu.sparkpostmail.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See this documentation for more information.
Brevo, formerly SendinBlue
Brevo commonly requires the use of a subdomain for SPF alignment. If you have the Brevo include statement (include:spf.sendinblue.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Brevo documentation for more information.
Cvent
Cvent is an SPF-incapable email source; it is not possible (as of writing this article) to configure SPF alignment. In order to bring Cvent into DMARC alignment, you will need to configure DKIM. If you have the Cvent include statement (include:cvent-planner.com) in your organizational domain’s SPF record, it isn’t doing anything for you and can be safely removed. See Cvent documentation for more information about how to set up DKIM.
Freshdesk
Freshdesk always requires the use of a subdomain for SPF alignment. If you have the Freshdesk include statement (include:email.freshdesk.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Freshdesk documentation for more information.
HubSpot
For the most part, HubSpot requires the use of a subdomain for SPF alignment. If you have the HubSpot include statement (include:*.hubspotemail.net) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. If you have a dedicated IP through them, you may want to reach out to their support team to be certain the guidance here is relevant for your specific use case. Use the optional 30-day view option on your account’s SPF Surveyor to ensure there is no aligned volume before removing it. See HubSpot documentation for more information.
Klaviyo
Klaviyo always requires the use of a subdomain for SPF alignment. Usually, it will be send.<your_domain>. If you have the Klaviyo include statement (include:klayvio.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Klaviyo documentation for more information.
MailerLite
MailerLite always requires the use of a subdomain for SPF alignment. If you have the MailerLite include statement (include:mlsend.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See MailerLite documentation for more information.
Mailjet
Mailjet always requires the use of a subdomain for SPF alignment. They refer to this part of their service as a “custom Return-Path.” If you have the Mailjet include statement (include:spf.mailjet.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Mailjet documentation for more information.
Postmarkapp
Postmarkapp always requires the use of a subdomain for SPF alignment. If you have the Postmarkapp include statement (include:spf.mtasv.net) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Postmarkapp documentation for more information.
Salesforce Marketing Cloud
In the case of Salesforce Marketing Cloud (SFMC), to achieve SPF alignment you will need to configure their Sender Authentication Package (SAP). For some customers, this may be an extra cost. Because they require a subdomain for their SAP, having the SFMC include statement (include:cust-spf.exacttarget.com) in your organizational domain’s SPF record isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See SFMC documentation for more information. As a reminder, DMARC only requires SPF or DKIM alignment.
SendGrid
SendGrid almost always requires the use of a subdomain for SPF alignment. If you have the SendGrid include statement (include:sendgrid.net) in your organizational domain’s SPF record, it likely isn’t doing anything for you and can be safely removed. Use the optional 30-day view option on your account’s SPF Surveyor to ensure there is no aligned volume before removing it. In order to achieve SPF alignment, SendGrid will prompt you to create a CNAME entry at a newly designated subdomain they will suggest (e.g., em5150.spfhelper.com). See SendGrid documentation for more information.
Shopify
Shopify generally requires the use of a subdomain for SPF alignment. If you have the Shopify include statement (include:shops.shopify.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the optional 30-day view option on your account’s SPF Surveyor to ensure there is no aligned volume before removing it. See Shopify documentation for more information.
SMTP2GO
SMTP2GO always requires the use of a subdomain for SPF alignment. If you have the SMTP2GO include statement (include:spf.smtp2go.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See SMTP2GO documentation for more information.
SocketLabs
SocketLabs always requires the use of a subdomain for SPF alignment. They refer to this part of their service as a “Custom Bounce Domain.” If you have the SocketLabs include statement (include:email-od.com) in your organizational domain’s SPF record, it probably isn’t doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See SocketLabs documentation for more information.
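The review this guide walks through can be scripted as a first pass. The following is an added example, not dmarcian's code or tooling: it checks an organizational-domain SPF record for include targets named in the entries above and counts the top-level terms that cost a DNS lookup. The function names and the sample record are constructed for illustration, and lookups nested inside an include are not resolved because the script runs offline.

```python
import re
# Include targets copied from this page (subset); a match is a candidate, not a verdict.
SUBDOMAIN_ONLY = {
    "emsd1.com": "Active Campaign",
    "mktomail.com": "Adobe Marketo",
    "amazonses.com": "AmazonSES",
    "_spf.sparkpostmail.com": "Bird (SparkPost)",
    "_spf.eu.sparkpostmail.com": "Bird (SparkPost)",
    "spf.sendinblue.com": "Brevo",
    "cvent-planner.com": "Cvent",
    "email.freshdesk.com": "Freshdesk",
    "mlsend.com": "MailerLite",
    "spf.mailjet.com": "Mailjet",
    "spf.mtasv.net": "Postmarkapp",
    "cust-spf.exacttarget.com": "Salesforce Marketing Cloud",
    "sendgrid.net": "SendGrid",
    "shops.shopify.com": "Shopify",
    "spf.smtp2go.com": "SMTP2GO",
    "email-od.com": "SocketLabs",
}
# Terms that cost a DNS lookup toward SPF's limit of 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def parse_terms(record):
    """Return (name, value) pairs for each term after the v=spf1 tag."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return [(m.group(1).lower(), (m.group(2) or "").lower().rstrip("."))
            for m in map(TERM.match, parts[1:]) if m]

def audit(record):
    """Count top-level lookups and list includes this guide says to review."""
    terms = parse_terms(record)
    lookups = sum(1 for name, _ in terms if name in LOOKUP_TERMS)
    review = [(value, SUBDOMAIN_ONLY[value]) for name, value in terms
              if name == "include" and value in SUBDOMAIN_ONLY]
    return {"top_level_lookups": lookups, "review": review}

def remove_includes(record, confirmed):
    """Rebuild the record without includes confirmed to carry no aligned volume."""
    drop = {"include:" + c.lower() for c in confirmed}
    keep = lambda p: p.lstrip("+-~?").lower().rstrip(".") not in drop
    return " ".join(p for p in record.split() if keep(p))

# Constructed sample record for the page's example domain spfhelper.com.
SAMPLE = ("v=spf1 mx include:_spf.example.net include:sendgrid.net "
          "include:mktomail.com include:cvent-planner.com ip4:192.0.2.10 ~all")
```

Pass to `remove_includes` only the targets for which the SPF Surveyor shows no aligned volume; `audit` lists candidates and does not replace that check.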
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.