SPF Not Validating at My Service Provider

Summary

When using AutoSPF's flattened SPF records, some email service providers (like Office 365, Zoho, Google Workspace, or others) may report that they "cannot detect your SPF record" or that "your SPF is broken" during domain verification. This happens because these providers perform shallow validation: they look for their exact include: statement in your TXT record rather than properly resolving the flattened record.

Why This Happens

AutoSPF flattens your SPF record by resolving all nested includes into IP addresses. This is necessary to stay under the 10 DNS lookup limit. However, some providers don't perform deep SPF validation during their domain verification process. Instead, they simply search for their specific include string (e.g., include:spf.protection.outlook.com) in your DNS TXT record.

Since AutoSPF replaces these includes with the actual IP addresses, the provider's verification check fails, even though your SPF record is technically correct and will work properly for email authentication.

Common providers with this behavior:

  • Microsoft 365 / Office 365
  • Zoho Mail
  • Google Workspace (occasionally)
  • Salesforce
  • HubSpot
  • Various other SaaS email platforms

Solutions

Option 1: Request Manual Validation (Recommended)

Contact the provider's support team and explain that you use SPF flattening to stay within DNS lookup limits. Request that they manually verify your domain or bypass their automated SPF check.

Sample message to send:

"We use AutoSPF for SPF record flattening to stay within the 10 DNS lookup limit. Your verification system is looking for the exact include statement, but our flattened record contains the resolved IP addresses from your SPF record. Can you please manually verify our domain or confirm that our SPF configuration is correct?"

Option 2: Temporarily Add the Provider's Include

If the provider cannot accommodate manual validation, you can temporarily add their include statement directly to your DNS SPF record alongside the AutoSPF include.

Step-by-Step Instructions:

  1. Identify the required include - Find the exact SPF include your provider is looking for. Common examples:
    • Microsoft 365: include:spf.protection.outlook.com
    • Zoho: include:zoho.com
    • Google: include:_spf.google.com
    • Salesforce: include:_spf.salesforce.com
  2. Modify your DNS SPF record temporarily - Add the provider's include to your SPF record in DNS:
    Before:  v=spf1 include:_s0027200a.autospf.email ~all
    After:   v=spf1 include:spf.protection.outlook.com include:_s0027200a.autospf.email ~all
    
  3. Wait for DNS propagation - Allow 5-15 minutes for the change to propagate.
  4. Complete the provider's verification - Run their domain verification process again.
  5. Verify the include exists in AutoSPF - Before reverting, confirm that the provider's include is already configured in your AutoSPF SPF Manager. This ensures the flattened record contains their IP addresses.
  6. Revert your DNS record - Once verified, remove the temporary include from your DNS and restore the original AutoSPF-only record:
    Revert to: v=spf1 include:_s0027200a.autospf.email ~all
    

Important: Make sure the provider's include is configured in AutoSPF before reverting. Otherwise, their mail servers won't be authorized in your flattened record.
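
The check in step 5 can also be done on the record text itself. The following is an added example, not AutoSPF's or any provider's code: it compares the ip4/ip6 mechanisms of a flattened record against a provider's SPF record and lists any provider ranges that are not covered, next to the string match a shallow verifier performs. It assumes both records have already been fetched and fully expanded to plain text; the function names are hypothetical and the address ranges are constructed documentation ranges, not real provider addresses.

```python
import ipaddress

def spf_networks(record):
    """Return the networks named by ip4:/ip6: mechanisms in an SPF string."""
    nets = []
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        term = term.lstrip("+")          # "+" (pass) is the default qualifier;
        name, _, value = term.partition(":")  # "-", "~", "?" terms are not counted
        if name.lower() in ("ip4", "ip6") and value:
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets

def shallow_check(record, include):
    """String match only, as a shallow domain verifier does."""
    return include.lower() in record.lower().split()

def uncovered(flattened, provider):
    """Provider networks not contained in any network of the flattened record."""
    flat = spf_networks(flattened)
    return [p for p in spf_networks(provider)
            if not any(p.version == f.version and p.subnet_of(f) for f in flat)]

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
INCLUDE = "include:spf.protection.outlook.com"
PROVIDER = "v=spf1 ip4:192.0.2.0/25 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all"
FLATTENED_OK = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                "ip6:2001:db8:1::/48 ip4:203.0.113.7 ~all")
FLATTENED_STALE = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 ip4:203.0.113.7 ~all"

if __name__ == "__main__":
    for label, rec in (("ok", FLATTENED_OK), ("stale", FLATTENED_STALE)):
        print(label, "shallow:", shallow_check(rec, INCLUDE),
              "missing:", [str(n) for n in uncovered(rec, PROVIDER)])
```

An empty "missing" list means every provider range is authorized by the flattened record, even though the shallow string match reports False for it.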

Verifying Your SPF is Working

After completing either solution, you can verify your SPF record is working correctly:

  1. Use AutoSPF's dashboard to confirm your record is valid and under the 10 lookup limit
  2. Send a test email and check the headers for spf=pass
  3. Use an SPF testing tool like MXToolbox SPF Lookup

Example: Zoho Email Validation Failure

Below is an example of Zoho's domain verification failing because it cannot find its include statement in a flattened SPF record:

Need Help?

If you're still having trouble getting your provider to validate your domain, contact our support team and we can assist with manual verification or help you communicate with your provider.