Even great software companies don't know how to use SPF

In a series of posts earlier this year I showed that a huge percentage of Marketo customers didn't have a functioning SPF record. Not merely that they didn't have Marketo included in their SPF record — that's unnecessary unless your subscription has an extra line item — but that their SPF record was broken in general, affecting all email sent from their domain including from corporate HQ.

I was curious if the landscape had changed at all, so I ran another quick checkup today.

Last time, my Firefox DE cookies were the base for research. 90% of the sites in there are Marketo users, since I use that browser to read Marketo Nation (and not much else).

This time, I used my Chrome cookies to sample companies using Marketo. Chrome is my browser for day-to-day business surfing, so that's where you find companies whose products I use or seriously consider: serious players in the contemporary software/SaaS scene.

Well, the first 10 companies I looked at all have broken SPF. 100%! This includes JetBrains, MariaDB, New Relic, CodePen, Apigee and Optimizely. All companies making great software. I enjoy linking to them, even in this finger-wagging context, because their products are that awesome. (Also a couple of political sites and a cloud image hosting service. And someplace called OryxAlign that takes itself very seriously but doesn't understand SMTP and DNS... don't know them from Adam so I don't know why I visited their site.)

What's the takeaway? Perhaps it's that software companies are no more likely than others to have an intimate connection between their mail/marketing activities and their SMTP/DNS team. It could also be that with so many other technical areas to master, mail sender permission fell through the cracks. Or, let's be honest, it could be that people have told them it was broken, but they denied it because that can happen when geeks serve as gatekeepers.

In all cases, the cause was exceeding the maximum of 10 DNS lookups, as explored in earlier posts. When an SPF record exceeds this limit, it errors out. This doesn't mean that mail isn't delivered but the exact opposite: the domain owner can't prevent mail from being delivered regardless of the originating server. The assurance you're hoping to get from saying, “Only these servers can mail from my domain” is out the window when your SPF record exceeds limits (it's as if you had no SPF record at all).
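
A static check for the lookup limit described above, as an added example that is not from the original post: it walks a constructed zone (the .test domains and their records are made up) and counts the terms that RFC 7208 section 4.6.4 charges a DNS query for. It counts the worst case, where every term is evaluated, and the function names are assumptions.

```python
import re

# Terms that each cost one DNS query during SPF evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed sample data standing in for TXT lookups; not real DNS records.
ZONE = {
    "broken.test": "v=spf1 mx a include:_spf.mailhost.test "
                   "include:_spf.crm.test include:_spf.helpdesk.test ~all",
    "_spf.mailhost.test": "v=spf1 include:_a.mailhost.test "
                          "include:_b.mailhost.test include:_c.mailhost.test ~all",
    "_a.mailhost.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailhost.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_c.mailhost.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.test": "v=spf1 a mx exists:%{i}.allow.crm.test ~all",
    "_spf.helpdesk.test": "v=spf1 include:_spf.crm.test ~all",
    "ok.test": "v=spf1 mx include:_a.mailhost.test ip4:203.0.113.7 -all",
}

def count_lookups(domain, zone, chain=()):
    """Worst-case count of DNS-querying terms reachable from domain's record."""
    if domain in chain:                      # include/redirect loop: can never
        return LIMIT + 1                     # finish under the limit
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # skip the "v=spf1" tag
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term.lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue                         # ip4, ip6, all, exp cost nothing
        name, target = m.groups()
        total += 1
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, chain + (domain,))
    return total

def spf_status(domain, zone=ZONE):
    """Return ("permerror", n) when the record exceeds the limit, else ("ok", n)."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > LIMIT else "ok", n)

if __name__ == "__main__":
    for d in ("broken.test", "ok.test"):
        print(d, *spf_status(d))
```

The top-level record for broken.test holds only five lookup terms; the nested includes are what push the total past 10.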

So today's lesson is: Be like these great companies in every other way... but fix your SPF!