How To Fix “SPF Softfail Domain Does Not Designate As Permitted Sender”

Key Points

  • This error is seen in the headers of incoming emails marked as spam/junk if the sender has a “softfail” SPF policy, or in the headers of bounce-back emails if the sending domain’s SPF policy is set to “hardfail”.
  • To fix this error, add the IP address in the error message to the sending domain’s SPF record.

The “SPF softfail domain [DomainName] does not designate [IPAddress] as permitted sender” error can often be seen in the email headers when you troubleshoot a delivery problem. More precisely, it can be seen in the headers of emails that have been forwarded (indirect mailflows), or in Non-Delivery Reports where the receiving mail server rejected the sent email entirely.

This issue occurs because there is a problem with the SPF DNS TXT record of the domain that sent the email. Moreover, if this error message is seen, it means that the DKIM check also failed, and hence, the DMARC check also failed. If this keeps on happening, your email spam rate would increase, which might land your domain on the blacklist.

In this post, we are going to discuss what this error message means and how to fix it.

What does “SPF softfail domain not designate as permitted sender” mean

When you start exploring the email header of a forwarded email or a bounce-back email, you may come across this error. The error message will also include your domain name and an IP address. Moreover, you may see different variations of the error message. For example, you may encounter the following error:

Received-SPF: softfail ([DomainName]: domain of transitioning [EmailAddress] does not designate [IPAddress] as permitted sender)

Additionally, “softfail” may also be replaced by “hardfail” on some occasions. So does that mean something different?

For that, we must first develop a basic understanding of SPF. The Sender Policy Framework is a record of the IP addresses of servers that are allowed to send emails on behalf of your domain. It is stored as a plain-text record on the DNS for your domain.

“SPF softfail” means that your SPF policy is configured as “softfail”. The SPF record uses qualifiers to define how the emails coming from addresses and domains not listed in the SPF record should be handled. One such qualifier is “~” (tilde), which represents “softfail”. When the SPF policy is set to softfail, the mail server flags the email and lets it through. The email would then likely end up in the spam/junk folder.

Learn more about SPF qualifiers and mechanisms.

Note: You may also come across errors starting with “550 SPF Hardfail”. This is when the email sender receives a bounce-back email, and the error appears in the NDR’s header. Moreover, the initial email sent is also not delivered to the recipient. For a hardfail SPF policy, the “-” (hyphen) qualifier is used.

Now that we know the difference between softfail and hardfail, understanding the entire error message becomes simpler. The “SPF softfail domain does not designate as permitted sender” error in the email’s header implies that the IP address used to send/forward the email is not a part of the SPF record, and therefore, the email has been flagged/rejected.

The IP address mentioned in the error can be of the mail server used to send the email or can be of the transitioning mail server that forwarded the email. Either way, the IP address of the mail server will need to be included in the SPF record for the sending domain.

Fixing the error “Domain does not designate as permitted sender” for email delivery

As mentioned above, fixing this error requires that you add the IP address of the sending mail server, which is also mentioned in the error message, to the domain’s SPF record. But before that, you need to make sure that it is the only reason. For that purpose, use the following steps to initially check and verify your SPF record, and only then proceed to edit it with caution.

  1. Open the Email Security & Deliverability Checker tool.

  2. Enter your domain name and click Analyze.

    Analyze your domain
  3. Click the “SPF” section to expand it, and then check if the IP address of the sending mail server is mentioned in your SPF records.

    Note: If the “SPF” section is red, it means that an SPF record does not exist, and you must create one from scratch. Here is a detailed post on SPF and how to configure it.

    Check the SPF record for your domain

    Note: The “include” mechanism can contain another domain name, which means that all entries within that domain’s SPF record are to be considered a part of this SPF record. If your SPF record uses such a mechanism, also check the SPF record for those domain(s).

  4. If you find that the SPF record does not include the IP, then continue to access your Domain Name Server as an administrator and proceed to edit the DNS zone.

  5. Edit the SPF record to include the IP address mentioned in the error in the email header.

    For example, if the error said “Received-SPF: softfail (itechtics.com: domain of transitioning contact@itechtics.com does not designate 10.15.22.13 as permitted sender)”, then the updated SPF record would be:

    v=spf1 a mx a:itechtics.com ip4:10.15.22.13 ip4:67.202.92.27 ip4:208.100.34.140 ip4:67.202.92.7 ?all
  6. Save the changes and wait for the updated SPF record to propagate.

After performing these steps, your emails should go through without an SPF error, and SPF, DKIM, and DMARC alignment should succeed.
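The check in steps 3 to 5 can also be done in code. The following is an added example, not part of the original post: it parses the failing Received-SPF header and evaluates the reported IP against an SPF record, following “include” mechanisms. The domains, addresses and TXT records are constructed placeholders standing in for live DNS lookups, and the “a” and “mx” mechanisms are skipped because they need real DNS resolution.

```python
import ipaddress
import re

# Constructed TXT records standing in for live DNS (placeholder domains,
# not taken from the article).
TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/28 include:mail.example.net ~all",
    "mail.example.net": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
HEADER_RE = re.compile(
    r"Received-SPF:\s*(\w+)\s*\((\S+): domain of (?:transitioning )?(\S+) "
    r"does not designate (\S+) as permitted sender\)")

def parse_received_spf(header):
    """Return (result, domain, sender, ip) from a failing Received-SPF header."""
    m = HEADER_RE.search(header)
    if not m:
        raise ValueError("not a 'does not designate' Received-SPF header")
    return m.groups()

def check_spf(ip, domain, txt=TXT, depth=0):
    """Evaluate ip against domain's record; handles ip4, ip6, include, all."""
    if depth > 10:   # stop include loops; RFC 7208 allows 10 DNS-querying terms
        return "permerror"
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        # A mechanism without an explicit qualifier defaults to "+" (pass).
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the nested record evaluates to pass
            matched = check_spf(ip, value, txt, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx and others need live DNS; not evaluated here
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"
```

Calling `check_spf` with the IP and domain returned by `parse_received_spf`, first against the current record and then against the edited one, shows whether the change in step 5 turns the softfail into a pass before it is published.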

Closing words

The “SPF softfail/hardfail domain does not designate as permitted sender” error might sound alarming, but its solution is very simple – add the mentioned IP address to the domain’s SPF record. This should resolve indirect mailflows and SPF authentication errors.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
