SPF Cleanup Techniques
It's quite common to have unnecessary contents within an SPF record. Our tools and expert guidance aim to help users of all technical abilities to arrive at a concise SPF record, that is neither overly permissive or contain syntax errors. dmarcian has been involved in email authentication one way or another several decades. We've amassed an incredible amount of SPF knowledge and have created this resource to help you become aware of certain SPF references that can likely be safely removed. After reading a bit more about over authenticating, skip ahead to the email source in question for more specific guidance.
Over authenticating is the term used when your organization authorizes unnecessary resources from sending on your behalf. In the case of SPF, the most common occurrence of over authenticating matches one of two conditions:
1) No longer using a particular 3rd party email sending source. For example, your organization used to send email over HubSpot, but you have since migrated to Adobe Marketo. Your team has done the work to onboard Marketo, but missed the step of removing HubSpot from your SPF record.
2) SPF 'include' statements are added to the wrong location in DNS. This is the cause of either poor guidance by the 3rd party email sending source, or a knowledge gap at your organization. Hands down, the most frequent case is when an include statement is placed at the domains organizational level (eg. example.com). It is increasingly common that 3rd parties require the use of a subdomain for SPF alignment (hello.example.com). The entries below detail which 3rd party email sending sources support SPF alignment and whether or not a subdomain is required or not.
SendGrid
In the case of SendGrid, they almost always require the use of a subdomain for SPF alignment. This means that if you have the SendGrid include statement (include:sendgrid.net) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. In order to achieve SPF alignment, SendGrid will prompt you to create a CNAME entry. See SendGrid documentation for more information on this topic here.
AmazonSES
In the case of AmazonSES, they almost always require the use of a subdomain for SPF alignment. This means that if you have the AmazonSES include statement (include:amazonses.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See AmazonSES documentation for more information on this topic here.
Shopify
In the case of Shopify, they almost always require the use of a subdomain for SPF alignment. This means that if you have the Shopify include statement (include:shops.shopify.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Shopify documentation for more information on this topic here.
HubSpot
In the case of HubSpot, they almost always require the use of a subdomain for SPF alignment. This means that if you have the HubSpot include statement (include:*.hubspotemail.net) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. If you have a dedicated IP through them, you may want to reach out to their support team to be certain the guidance here is relevant for your specific use case. You should also use the SPF Surveyor to ensure there is no aligned volume before removing it. See HubSpot documentation for more information on this topic here.
SendinBlue (Brevo)
For Brevo, formally SendinBlue, they almost always require the use of a subdomain for SPF alignment. This means that if you have the SendinBlue include statement (include:spf.sendinblue.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See SendinBlue documentation for more information on this topic here.
Postmarkapp
For Postmarkapp, they always require the use of a subdomain for SPF alignment. This means that if you have the Postmarkapp include statement (include:spf.mtasv.net) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Postmarkapp documentation for more information on this topic here.
Klaviyo
For Klaviyo, they always require the use of a subdomain for SPF alignment. Usually, it will be send.<your_domain>. This means that if you have the Klaviyo include statement (include:klayvio.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Klaviyo documentation for more information on this topic here.
SparkPost (Bird)
For SparkPost (now Bird), they always require the use of a subdomain for SPF alignment. They refer to this part of their service as a 'custom bounce domain'. This means that if you have either of the two SparkPost include statement (include:_spf.sparkpostmail.com or include:_spf.eu.sparkpostmail.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See SparkPost documentation for more information on this topic here.
Mailjet
For Mailjet, they always require the use of a subdomain for SPF alignment. They refer to this part of their service as a 'custom Return-Path'. This means that if you have the Mailjet include statement (include:spf.mailjet.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Mailjet documentation for more information on this topic here.
Salesforce Marketing Cloud
In the case of Salesforce Marketing Cloud (SFMC), to achieve SPF alignment, you will need to configure their Sender Authentication Package (SAP). For some customers, this will be an extra charge. Because they require a subdomain for their SAP, having the SFMC include statement (include:cust-spf.exacttarget.com) in your organizational domain's SPF record isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See SFMC documentation for more information on this topic here. As a reminder, DMARC only requires SPF or DKIM alignment.
Freshdesk
For Freshdesk, they always require the use of a subdomain for SPF alignment. This means that if you have the Freshdesk include statement (include:email.freshdesk.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Freshdesk documentation for more information on this topic here.
SMTP2GO
For SMTP2GO, they always require the use of a subdomain for SPF alignment. This means that if you have the SMTP2GO include statement (include:spf.smtp2go.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See SMTP2GO documentation for more information on this topic here.
Active Campaign
For Active Campaign, they always require the use of a subdomain for SPF alignment. This means that if you have the Active Campaign include statement (include:emsd1.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Active Campaign documentation for more information on this topic here.
Cvent
Cvent is an SPF-Incapable email source, meaning that it is not possible (as of writing this article) to configure SPF-alignment. In order to bring Cvent into DMARC alignment, you will need to configure DKIM. This means that if you have the Cvent include statement (include:cvent-planner.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Cvent documentation for more information about how to set up DKIM here.
Adobe Marketo
Marketo always require the use of a subdomain as well as a trusted IP in order to achieve SPF alignment. They refer to this part of their service as a Branded Return-Path. Depending on your plan level, a trusted IP (a dedicated IP) may be an extra charge. This means that if you have the Marketo include statement (include:mktomail.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See Marketo documentation for more information on this topic here.
SocketLabs
SocketLabs always requires the use of a subdomain for SPF alignment. This means that if you have the SocketLabs include statement (include:email-od.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See SocketLabs documentation for more information on this topic here.
MailerLite
MailerLite always requires the use of a subdomain for SPF alignment. This means that if you have the MailerLite include statement (include:mlsend.com) in your organizational domain's SPF record, it probably isn't doing anything for you and can be safely removed. Use the SPF Surveyor to ensure there is no aligned volume before removing it. See MailerLite documentation for more information on this topic here.