I have received a non-delivery report (NDR) email with a SPF validation error. How do I resolve this?


Please contact your Network Administrator for help with this method.

To troubleshoot, you will first need to check that your SPF record includes the Crossware mail servers.

As your email goes through our service, the Crossware server's IP will be referenced in the email headers.
NOTE: An SPF record identifies which mail servers are permitted to send email on behalf of your domain.

1. View the header of the email you sent.

For Outlook 2016, double-click the email message to display it in its own full window, select "File" > "Properties" and view the message header in the "Internet headers" field at the bottom of the window.

2. Scan the header text for a mention of "spf=fail".

For example:

3. Check that the IP Address listed next to "sender IP" is a Crossware IP address from this list:
Region: Australia
Region: Australia K1 (after March 16 2020)

Region: Canada

Region Europe: K1 (after June 9 2020)

Region Europe:

Region France:

Region USA

Region: USA K1 (after April 24 2020)
US-K1-EAST 52.1 -49.241.223

Region: All (Only Customers in Production Before 25 Nov 2018)
US -
EU -
AU -
Trial -
If you find spf=fail text with a Crossware IP address, the next step is to confirm that your domain returns an SPF record.

4. Log in to Kitterman SPF Record Testing Tool -
5. Type in your "Domain Name" and click "Get SPF Record" (if any).

6. Your SPF record should look similar to this example.

It should NOT return a record that includes the text -all

You will need to update your SPF record to include a list of Crossware Mail Servers as an allowable sender from your domain.

7. Update your SPF record in your DNS to include

Depending on the Region you have been Provisioned in:
Use SPF Record
Trial -all
Australia K1 -all -all
Canada -all
Europe K1 -all -all
France -all
USA K1 -all -all
United Arab Emirates -all
ALL* -all

*Please only use ALL if you have been Provisioned in Production before 25 November 2018

Example: v=spf1 -all
NOTE: How to do this for this will vary depending on your configuration - check with your Network Administrator for assistance.

An example of a DNS record that has been updated to include the -all value:

8. Use the Kitterman SPF Record Testing Tool ( again to confirm that -all appears in your SPF records.

Type in your Domain Name and click Get SPF Record (if any)

The results should look like this example below:

NOTE: You will need to allow time for the DNS record changes to propagate which may take up to 24 hours.

9. Send a test email to any external email address to check that your emails are now being sent.
Related Products: CMS M365