This article contains information on SPF failure types in DMARC Analyzer, explaining qualifiers like Pass, Neutral, Softfail, Fail, None, Permerror, and Temperror, and their meanings in email authentication.
When aligning sources in DMARC Analyzer you may see several failures. But what do all these failures mean? All possible failures are listed below.
SPF
SPF records can contain multiple ‘mechanisms’. These are parts of the SPF record describing (a set of) valid sending IP addresses for this domain.
Mechanisms can be prefixed with one of four qualifiers:
“+” “Pass”
“-” “Fail”
“~” “Softfail”
“?” “Neutral”
Using these qualifiers you can specifically instruct a policy to apply to the IP addresses in that mechanism.
If a mechanism results in a hit, its qualifier value is used as an SPF result. The default qualifier is “+”, i.e. “Pass”. For example:
“v=spf1 -all”
“v=spf1 a -all”
“v=spf1 a mx -all”
“v=spf1 +a +mx -all”
“Pass”
The SPF record designates the host to be allowed to send
“Neutral”
Mechanisms are evaluated in order. If no mechanism or modifier matches, the default result is “Neutral”.
“Softfail”
The SPF record has designated the host as NOT being allowed to send but is in transition.
“Fail”
The SPF record has designated the host as NOT being allowed to send.
“None”
The domain does not have an SPF record or the SPF record does not evaluate a result.
“Permerror”
A permanent error has occurred (eg. a badly formatted SPF record)
“Temperror”
A transient error has occurred. This can occur when there was a temporary issue while retrieving certain DNS records.
Comments
Please sign in to leave a comment.