Sendmarc Redirect SPF Bypass

Certain email service providers require their SPF entry to appear at the root level of your domain's SPF record.

For this article, we'll use SMTP.com's SPF.

Here's an example to better explain:

SMTP.com's SPF entry is: "include:_spf.smtp.com".

Unfortunately, SMTP.com cannot verify that its SPF entry is present if the entry exists only inside the Sendmarc "redirect".

To fix this, remove the entry from Sendmarc and add it BEFORE the Sendmarc "redirect" in your DNS.

In other words, if the SPF record is v=spf1 redirect=_s0k9956zq.sdmarc.net, do the following:

CHANGE THIS: "v=spf1 redirect=_s0k9956zq.sdmarc.net"

TO THIS: "v=spf1 include:_spf.smtp.com redirect=_s0k9956zq.sdmarc.net"

Using this approach lets SMTP.com (or similar services) validate their own SPF record. At the same time, it ensures Sendmarc's SPF works as intended.

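NOTE: Please do not add an "all" term with a qualifier to the end of your SPF record. Examples of these would be "~all", "-all", "?all" and "+all". Sendmarc's redirect will take care of that, and under RFC 7208 a receiver ignores the "redirect" entirely when an "all" mechanism is present in the record.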
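A small check for the root record layout described above, written as an added example that is not part of the original article or Sendmarc's tooling. The function name `lint_root_spf` and the finding strings are assumptions made for illustration; `BEFORE` and `AFTER` are the records quoted on this page, and `WITH_ALL` is constructed.

```python
QUALIFIERS = "+-~?"

# Records quoted in the article, plus one constructed bad variant.
BEFORE = '"v=spf1 redirect=_s0k9956zq.sdmarc.net"'
AFTER = '"v=spf1 include:_spf.smtp.com redirect=_s0k9956zq.sdmarc.net"'
WITH_ALL = AFTER.strip('"') + " ~all"  # constructed: violates the NOTE


def lint_root_spf(record: str, required_include: str) -> list[str]:
    """Return problems found; an empty list means the record fits the layout."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]

    findings, includes, redirects, all_terms = [], [], [], []
    for pos, term in enumerate(terms[1:], start=1):
        low = term.lower()
        bare = low.lstrip(QUALIFIERS)  # mechanisms may carry a qualifier
        if low.startswith("redirect="):
            redirects.append(pos)
        elif bare.startswith("include:"):
            includes.append((pos, bare[len("include:"):]))
        elif bare == "all":
            all_terms.append(term)

    if len(redirects) != 1:
        findings.append(f"expected exactly one redirect, found {len(redirects)}")
    inc_pos = [p for p, dom in includes if dom == required_include.lower()]
    if not inc_pos:
        findings.append(f"include:{required_include} missing from the root record")
    elif redirects and inc_pos[0] > redirects[0]:
        findings.append(f"include:{required_include} should come before the redirect")
    if redirects and redirects[-1] != len(terms) - 1:
        findings.append("redirect should be the last term")
    if all_terms:
        # RFC 7208 section 5.1: redirect is ignored when "all" is present.
        findings.append(f"remove {all_terms[0]}: it disables the redirect")
    return findings


if __name__ == "__main__":
    for rec in (BEFORE, AFTER, WITH_ALL):
        print(rec, "->", lint_root_spf(rec, "_spf.smtp.com") or "OK")
```

Feed it the TXT value returned for your domain (for example from `dig +short TXT`) to confirm the change before the provider re-runs its verification.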