Sender Policy Framework (SPF) authentication passing does not necessarily mean the SPF checks are completely successful. SPF verification depends on two critical factors: authentication and alignment. If either of these fails, the SPF check as a whole will not pass.
The Relationship Between SPF Authentication and Alignment
When only the SPF authentication passes but the alignment fails, the SPF pass rate will still appear as 0%. This happens because the SPF check requires both authentication and alignment to be successful, and without alignment, the process remains incomplete.
How to Resolve the Issue
To address this problem, you need to create a custom return-path for the domain. The return-path should match the sending domain to ensure alignment. When the return-path aligns with the sending domain, and the authentication is already passing, the SPF check will fully pass.
Example Scenario
Consider the example of SalesForce. As shown in the screenshot below, the SPF pass rate is reported as 0%. This is because there is no alignment between the sending domain and the return-path domain, even though the SPF authentication is passing. To fix this issue, they need to enable a custom return-path for the domain so that the return-path and the sending domain match. This alignment will enable SPF to pass the checks entirely.
Additional Consideration
If the ESP’s portal doesn’t allow you to enable and configure a custom return-path directly, reach out to their support team. Inquire whether they offer an option to manage the bounce-back emails and use your From address domain as the Mail From address (also known as the Return-Path or bounce-back address). This is necessary for achieving SPF alignment, as the Mail From domain should match your From address domain.