In the early days of Email Service Providers (ESPs), it was common practice for support staff to tell their customers to include the ESP in the SPF record of the domain used for the “visible from” address of messages sent from the ESP.
Thankfully the ESPs have learned better and have stopped suggesting that.
Sadly, this advice is still regurgitated as one of the best ways to improve deliverability by the so-called “gooroos”.
In this post, I would like to explain why including your ESP in your SPF record is almost always a waste of time and bandwidth.
Let's start by looking at a small section of a header from MailChimp …
Return-Path: <bounce-mc.us14_66373773.155441-93d6a1c27f@mail116.suw111.mcdlv.net>
Authentication-Results: mx.google.com;
dkim=pass header.i=@producthabits.com header.s=k1 header.b=pcreBugp;
spf=pass (google.com: domain of bounce-mc.us14_66373773.155441-93d6a1c27f@mail116.suw111.mcdlv.net designates XXX.XXX.XXX.XXX as permitted sender) smtp.mailfrom=bounce-mc.us14_66373773.155441-93d6a1c27f@mail116.suw111.mcdlv.net
I have highlighted two lines. One is Return-Path and the other spf=pass.
Let's break this header down line by line.
Return-Path: <bounce-mc.us14_66373773.155441-93d6a1c27f@mail116.suw111.mcdlv.net>
This is the address that a message is sent to when something goes wrong during delivery. In this case, the domain is: mail116.suw111.mcdlv.net.
Authentication-Results: mx.google.com;
This is just the start of the authentication results from Gmail, where this message was received.
dkim=pass header.i=@producthabits.com header.s=k1 header.b=pcreBugp;
DKIM is passing for the domain producthabits.com.
spf=pass (google.com: domain of bounce-mc.us14_66373773.155441-93d6a1c27f@mail116.suw111.mcdlv.net designates XXX.XXX.XXX.XXX as permitted sender) smtp.mailfrom=bounce-mc.us14_66373773.155441-93d6a1c27f@mail116.suw111.mcdlv.net
This is the important one! This one is saying that SPF is passing for mail116.suw111.mcdlv.net. It is NOT saying that it is passing for producthabits.com!
The so-called “gooroos” will tell you that you have to include the MailChimp SPF in the SPF record of producthabits.com, which you can see here is completely wrong.
Let's look at a few more examples.
Amazon SES
Return-Path: <010001845678c013-a8e25976-eba5-4d2e-aecd-6c63e9e7546f-000000@amazonses.com>
Authentication-Results: mx.google.com;
dkim=pass header.i=@growthhackingidea.com header.s=nkoonok6hq6kqwnsgwzfs4tbjrv2kxbi header.b=YtyHAqjo;
dkim=pass header.i=@amazonses.com header.s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw header.b=BY1WeoQG;
spf=pass (google.com: domain of 010001845678c013-a8e25976-eba5-4d2e-aecd-6c63e9e7546f-000000@amazonses.com designates XXX.XXX.XXX.XXX as permitted sender) smtp.mailfrom=010001845678c013-a8e25976-eba5-4d2e-aecd-6c63e9e7546f-000000@amazonses.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=growthhackingidea.com
Here you can see two DKIM results, as well as a DMARC result that IS passing. Notice again the Return-Path address and the SPF pass. Neither of them mentions the “visible from” address domain of growthhackingidea.com.
Return-Path: <bounce-21082303@bounce.getresponse-mail.com>
Authentication-Results: mx.google.com;
dkim=pass header.i=@getresponse-mail.com header.s=k1024e header.b=0d4cHuZs;
spf=pass (google.com: domain of bounce-21082303@bounce.getresponse-mail.com designates XXX.XXX.XXX.XXX as permitted sender) smtp.mailfrom=bounce-21082303@bounce.getresponse-mail.com;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mikejohnsononline.com
DMARC is failing on this one, but not because of SPF, rather because there is no DKIM key for mikejohnsononline.com.
Let's do one more example from an SME-focused ESP.
Return-Path: <LJysbEwsLLRsnCysnIxMnLRGtCyczOxMnByc@smtp-soi-g01-102.aweber.com>
Authentication-Results: mx.google.com;
dkim=pass header.i=@aweber.com header.s=aweber_key_b header.b=rBgTFobY;
spf=pass (google.com: domain of ljysbewsllrsncysnixmnlrgtcyczoxmnbyc@smtp-soi-g01-102.aweber.com designates XXX.XXX.XXX.XXX as permitted sender) smtp.mailfrom=LJysbEwsLLRsnCysnIxMnLRGtCyczOxMnByc@smtp-soi-g01-102.aweber.com
As you can see from all these examples, nowhere is SPF passing on the from address domain.
Now let's look at two examples where the Return-Path and the from domain DO match.
Return-Path: <bounce-48964_HTML-382931526-4243325-6424583-6143@bounce.send.grammarly.com>
Authentication-Results: mx.google.com;
dkim=pass header.i=@send.grammarly.com header.s=gram2048 header.b=zeUypDKZ;
spf=pass (google.com: domain of bounce-48964_html-382931526-4243325-6424583-6143@bounce.send.grammarly.com designates XXX.XXX.XXX.XXX as permitted sender) smtp.mailfrom=bounce-48964_HTML-382931526-4243325-6424583-6143@bounce.send.grammarly.com;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=send.grammarly.com
In this example, the primary domain, grammarly.com, appears in the Return-Path, DKIM, SPF and DMARC results. This is only possible because Salesforce lets a customer set their own Return-Path domain.
One last example from MailGun.
Return-Path: <bounce+2c0566.f9f2-richelo.killian=XXXXX.com@mail.xmind.net>
Authentication-Results: mx.google.com;
dkim=pass header.i=@mail.xmind.net header.s=mx header.b=HjnLbUt9;
spf=pass (google.com: domain of bounce+2c0566.f9f2-richelo.killian=XXXXX.com@mail.xmind.net designates XXX.XXX.XXX.XXX as permitted sender) smtp.mailfrom="bounce+2c0566.f9f2-richelo.killian=XXXXX.com@mail.xmind.net";
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=xmind.net
Perfect alignment again between Return-Path, DKIM, SPF and DMARC.
Most SMTP providers like SendGrid, MailGun, SparkPost, etc., allow you to set up your own Return-Path domain.
On the ESP side, the ability to set this is much less common. Some of the higher-end enterprise ESPs have it.
The question now is … Will it hurt my delivery and/or deliverability if I don't include the ESP in my SPF record?
No, it will not!
The next question is always about DMARC … DMARC will fail now because SPF is not aligned, right?
No, it will not … As long as your ESP has the ability to set a custom DKIM record. You HAVE to set it up though. If you do not, your messages will fail DMARC like the example above from GetResponse.
The last question is always … Will it cause any issues for me to include the ESP in my SPF record anyway? No, it will not cause any issues, but it is genuinely a waste of time, effort and internet bandwidth for all the lookups when you send messages.
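The alignment logic behind these answers can be checked against the headers shown earlier. The following Python sketch is an added example, not code from any ESP or mailbox provider: it pulls the SPF, DKIM and From domains out of an Authentication-Results value and reports which of them align. The sample values are trimmed from the headers above; relaxed alignment and the "last two labels" organizational-domain shortcut are assumptions (real evaluators use the Public Suffix List and honour the aspf/adkim tags).

```python
import re

def clean(token):
    # Drop a trailing ';' and any quoting around a header value.
    return token.strip('";<>').lower()

def org_domain(domain):
    # Assumption: organizational domain = last two labels of the name.
    return ".".join(clean(domain).split(".")[-2:])

def alignment(auth_results):
    """Report which passing mechanisms align with header.from (relaxed mode)."""
    from_dom = clean(re.search(r"header\.from=(\S+)", auth_results).group(1))
    spf = re.search(r"spf=(\w+).*?smtp\.mailfrom=(\S+)", auth_results, re.S)
    spf_dom = clean(spf.group(2)).rsplit("@", 1)[-1]  # the Return-Path domain
    dkim_doms = re.findall(r"dkim=pass header\.i=@(\S+)", auth_results)
    target = org_domain(from_dom)
    spf_ok = spf.group(1) == "pass" and org_domain(spf_dom) == target
    dkim_ok = any(org_domain(d) == target for d in dkim_doms)
    # DMARC needs only ONE aligned, passing mechanism.
    return {"from": from_dom, "spf_domain": spf_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Trimmed from the Authentication-Results headers quoted in this post.
SAMPLES = {
    "Amazon SES": "dkim=pass header.i=@growthhackingidea.com; "
        "dkim=pass header.i=@amazonses.com; spf=pass smtp.mailfrom="
        "010001845678c013-a8e25976-eba5-4d2e-aecd-6c63e9e7546f-000000@amazonses.com; "
        "dmarc=pass header.from=growthhackingidea.com",
    "GetResponse": "dkim=pass header.i=@getresponse-mail.com; "
        "spf=pass smtp.mailfrom=bounce-21082303@bounce.getresponse-mail.com; "
        "dmarc=fail header.from=mikejohnsononline.com",
    "Grammarly": "dkim=pass header.i=@send.grammarly.com; spf=pass smtp.mailfrom="
        "bounce-48964_HTML-382931526-4243325-6424583-6143@bounce.send.grammarly.com; "
        "dmarc=pass header.from=send.grammarly.com",
    "MailGun": "dkim=pass header.i=@mail.xmind.net; spf=pass smtp.mailfrom="
        '"bounce+2c0566.f9f2-richelo.killian=XXXXX.com@mail.xmind.net"; '
        "dmarc=pass header.from=xmind.net",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, alignment(header))
```
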
Do you have any questions about SPF or other email authentication methods? Comment below with your questions.