DMARC reports, Email authentication

What does the SPF failure mean?

When aligning sources in DMARC Analyzer it’s possible that you will see several failures. But what do all these failures mean? Below we created a legenda with all possible failures.


SPF records can contain multiple ‘mechanisms’. These are parts of the SPF record while describe (a set of) valid sending IP addresses for this domain.

Mechanisms can be prefixed with one of four qualifiers:
“+” “Pass”
“-” “Fail”
“~” “Softfail”
“?” “Neutral”

Using these qualifiers you can specifically instruct a policy to apply to the IP addresses in that mechanism.

If a mechanism results in a hit, its qualifier value is used as an SPF result. The default qualifier is “+”, i.e. “Pass”. For example:
“v=spf1 -all”
“v=spf1 a -all”
“v=spf1 a mx -all”
“v=spf1 +a +mx -all”

The SPF record designates the host to be allowed to send

Mechanisms are evaluated in order. If no mechanism or modifier matches, the default result is “Neutral”.

The SPF record has designated the host as NOT being allowed to send but is in transition.

The SPF record has designated the host as NOT being allowed to send.

The domain does not have an SPF record or the SPF record does not evaluate to a result.

A permanent error has occurred (eg. badly formatted SPF record)

A transient error has occurred. This can occur when there was a temporary issue while retrieving certain DNS records.